Ticket #2359: unicode-autoescape-2.diff
| File unicode-autoescape-2.diff, 11.2 kB (added by mir@noris.de, 1 year ago) |
|---|
a/django/contrib/csrf/middleware.py
old new 7 7 """ 8 8 from django.conf import settings 9 9 from django.http import HttpResponseForbidden 10 from django.utils.safestring import mark_safe 10 11 import md5 11 12 import re 12 13 import itertools 13 14 14 _ERROR_MSG = '<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"><body><h1>403 Forbidden</h1><p>Cross Site Request Forgery detected. Request aborted.</p></body></html>'15 _ERROR_MSG = mark_safe('<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"><body><h1>403 Forbidden</h1><p>Cross Site Request Forgery detected. Request aborted.</p></body></html>') 15 16 16 17 _POST_FORM_RE = \ 17 18 re.compile(r'(<form\W[^>]*\bmethod=(\'|"|)POST(\'|"|)\b[^>]*>)', re.IGNORECASE) … … 82 83 itertools.repeat('')) 83 84 def add_csrf_field(match): 84 85 """Returns the matched <form> tag plus the added <input> element""" 85 return ma tch.group() + "<div style='display:none;'>" + \86 return mark_safe(match.group() + "<div style='display:none;'>" + \ 86 87 "<input type='hidden' " + idattributes.next() + \ 87 88 " name='csrfmiddlewaretoken' value='" + csrf_token + \ 88 "' /></div>" 89 "' /></div>") 89 90 90 91 # Modify any POST forms 91 92 response.content = _POST_FORM_RE.sub(add_csrf_field, response.content) -
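Review bot: In `add_csrf_field`, `csrf_token` and the value from `idattributes.next()` are spliced into single-quoted attribute values by plain concatenation and the whole string is then declared safe; nothing in the hunk escapes either of them, so the `mark_safe` is only correct if both are guaranteed to be attribute-safe text (the hunk does not show how `csrf_token` is derived). That contract should be stated in the docstring, e.g. `"""Returns the matched <form> tag plus the added <input> element. csrf_token and the generated id attribute are inserted unescaped and must not contain quotes or markup."""`. Note also that `_POST_FORM_RE.sub` assembles its result into a new plain string, so the `SafeString` returned by the callback does not survive into `response.content`; the wrapper is harmless there but confers nothing. Similarly the `mark_safe` on `_ERROR_MSG` presumably only matters if that constant is rendered through the template engine, which the hunk does not show. The method enclosing `add_csrf_field` starts outside the hunk.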
a/django/contrib/humanize/templatetags/humanize.py
old new 1 from django.utils.translation import ungettext, ugettext as _1 from django.utils.translation import ungettext, ugettext_lazy as _ 2 2 from django.utils.encoding import force_unicode 3 3 from django import template 4 4 import re … … 18 18 if value % 100 in (11, 12, 13): # special case 19 19 return u"%d%s" % (value, t[0]) 20 20 return u'%d%s' % (value, t[value % 10]) 21 ordinal.is_safe = True 21 22 register.filter(ordinal) 22 23 23 24 def intcomma(value): … … 31 32 return new 32 33 else: 33 34 return intcomma(new) 35 intcomma.is_safe = True 34 36 register.filter(intcomma) 35 37 36 38 def intword(value): … … 52 54 new_value = value / 1000000000000.0 53 55 return ungettext('%(value).1f trillion', '%(value).1f trillion', new_value) % {'value': new_value} 54 56 return value 57 intword.is_safe = False 55 58 register.filter(intword) 56 59 57 60 def apnumber(value): … … 66 69 if not 0 < value < 10: 67 70 return value 68 71 return (_('one'), _('two'), _('three'), _('four'), _('five'), _('six'), _('seven'), _('eight'), _('nine'))[value-1] 72 apnumber.is_safe = True 69 73 register.filter(apnumber) -
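Review bot: `ordinal.is_safe = True` and `intword.is_safe = False` follow different reasoning for the same situation: both filters build their output from translated strings (`t[...]` suffixes via `_` in `ordinal`, `ungettext(...)` in `intword`) plus digits, so either translation catalogs are trusted not to contain markup and both can be `True`, or neither should be. Whichever is chosen, the assumption belongs in a comment, e.g. `# is_safe: only digits and translated suffixes are added; translations must not contain markup.` above the `ordinal.is_safe` line, because `is_safe` does not mark output safe, it only promises that the filter adds no characters needing escaping when the input was already safe. The fallback paths that `return value` unchanged (visible in `apnumber` and `intword`) are fine under either flag since the input's own escaping status is what the autoescaper then applies.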
a/django/contrib/markup/templatetags/markup.py
old new 17 17 from django import template 18 18 from django.conf import settings 19 19 from django.utils.encoding import smart_str, force_unicode 20 from django.utils.safestring import mark_safe 20 21 21 22 register = template.Library() 22 23 … … 28 29 raise template.TemplateSyntaxError, "Error in {% textile %} filter: The Python textile library isn't installed." 29 30 return force_unicode(value) 30 31 else: 31 return force_unicode(textile.textile(smart_str(value), encoding='utf-8', output='utf-8')) 32 return mark_safe(force_unicode(textile.textile(smart_str(value), encoding='utf-8', output='utf-8'))) 33 textile.is_safe = True 32 34 33 35 def markdown(value): 34 36 try: … … 38 40 raise template.TemplateSyntaxError, "Error in {% markdown %} filter: The Python markdown library isn't installed." 39 41 return force_unicode(value) 40 42 else: 41 return force_unicode(markdown.markdown(smart_str(value))) 43 return mark_safe(force_unicode(markdown.markdown(smart_str(value)))) 44 markdown.is_safe = True 42 45 43 46 def restructuredtext(value): 44 47 try: … … 50 53 else: 51 54 docutils_settings = getattr(settings, "RESTRUCTUREDTEXT_FILTER_SETTINGS", {}) 52 55 parts = publish_parts(source=smart_str(value), writer_name="html4css1", settings_overrides=docutils_settings) 53 return force_unicode(parts["fragment"]) 56 return mark_safe(force_unicode(parts["fragment"])) 57 restructuredtext.is_safe = True 54 58 55 59 register.filter(textile) 56 60 register.filter(markdown) -
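Review bot: `mark_safe` on the rendered output of textile, markdown and docutils declares the whole HTML safe, yet none of these libraries is a sanitiser in its default configuration — inline HTML in the input is passed through, and docutils additionally honours `raw` and include directives unless `raw_enabled` and `file_insertion_enabled` are set to False in `RESTRUCTUREDTEXT_FILTER_SETTINGS` — so after this change unescaped input reaching these filters is emitted verbatim. That is the intended contract for trusted authoring content, but it is stated nowhere; each filter should carry a docstring such as `"""Render value as Markdown and mark the result safe. The output is not sanitised, so pass only trusted text through this filter."""`. The `is_safe = True` assignments are what keep the not-installed fallback `return force_unicode(value)` honest, since there the input's own safety status is preserved rather than asserted. `restructuredtext`'s `try` branch begins outside the hunk.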
a/django/views/debug.py
old new 321 321 </script> 322 322 </head> 323 323 <body> 324 324 {% autoescape %} 325 325 <div id="summary"> 326 326 <h1>{{ exception_type }} at {{ request.path|escape }}</h1> 327 327 <h2>{{ exception_value|escape }}</h2> … … 369 369 <div id="template"> 370 370 <h2>Template error</h2> 371 371 <p>In template <code>{{ template_info.name }}</code>, error at line <strong>{{ template_info.line }}</strong></p> 372 <h3>{{ template_info.message |escape}}</h3>372 <h3>{{ template_info.message }}</h3> 373 373 <table class="source{% if template_info.top %} cut-top{% endif %}{% ifnotequal template_info.bottom template_info.total %} cut-bottom{% endifnotequal %}"> 374 374 {% for source_line in template_info.source_lines %} 375 375 {% ifequal source_line.0 template_info.line %} … … 396 396 {% if frame.context_line %} 397 397 <div class="context" id="c{{ frame.id }}"> 398 398 {% if frame.pre_context %} 399 <ol start="{{ frame.pre_context_lineno }}" class="pre-context" id="pre{{ frame.id }}">{% for line in frame.pre_context %}<li onclick="toggle('pre{{ frame.id }}', 'post{{ frame.id }}')">{{ line |escape}}</li>{% endfor %}</ol>399 <ol start="{{ frame.pre_context_lineno }}" class="pre-context" id="pre{{ frame.id }}">{% for line in frame.pre_context %}<li onclick="toggle('pre{{ frame.id }}', 'post{{ frame.id }}')">{{ line }}</li>{% endfor %}</ol> 400 400 {% endif %} 401 <ol start="{{ frame.lineno }}" class="context-line"><li onclick="toggle('pre{{ frame.id }}', 'post{{ frame.id }}')">{{ frame.context_line |escape}} <span>...</span></li></ol>401 <ol start="{{ frame.lineno }}" class="context-line"><li onclick="toggle('pre{{ frame.id }}', 'post{{ frame.id }}')">{{ frame.context_line }} <span>...</span></li></ol> 402 402 {% if frame.post_context %} 403 <ol start='{{ frame.lineno|add:"1" }}' class="post-context" id="post{{ frame.id }}">{% for line in frame.post_context %}<li onclick="toggle('pre{{ frame.id }}', 'post{{ frame.id }}')">{{ line |escape}}</li>{% endfor %}</ol>403 <ol 
start='{{ frame.lineno|add:"1" }}' class="post-context" id="post{{ frame.id }}">{% for line in frame.post_context %}<li onclick="toggle('pre{{ frame.id }}', 'post{{ frame.id }}')">{{ line }}</li>{% endfor %}</ol> 404 404 {% endif %} 405 405 </div> 406 406 {% endif %} … … 420 420 {% for var in frame.vars|dictsort:"0" %} 421 421 <tr> 422 422 <td>{{ var.0 }}</td> 423 <td class="code"><div>{{ var.1|pprint |escape}}</div></td>423 <td class="code"><div>{{ var.1|pprint }}</div></td> 424 424 </tr> 425 425 {% endfor %} 426 426 </tbody> … … 440 440 {% for frame in frames %} 441 441 File "{{ frame.filename }}" in {{ frame.function }}<br/> 442 442 {% if frame.context_line %} 443 {{ frame.lineno }}. {{ frame.context_line |escape}}<br/>443 {{ frame.lineno }}. {{ frame.context_line }}<br/> 444 444 {% endif %} 445 445 {% endfor %}<br/> 446 446 {{ exception_type }} at {{ request.path|escape }}<br/> … … 468 468 {% for var in request.GET.items %} 469 469 <tr> 470 470 <td>{{ var.0 }}</td> 471 <td class="code"><div>{{ var.1|pprint |escape}}</div></td>471 <td class="code"><div>{{ var.1|pprint }}</div></td> 472 472 </tr> 473 473 {% endfor %} 474 474 </tbody> … … 490 490 {% for var in request.POST.items %} 491 491 <tr> 492 492 <td>{{ var.0 }}</td> 493 <td class="code"><div>{{ var.1|pprint |escape}}</div></td>493 <td class="code"><div>{{ var.1|pprint }}</div></td> 494 494 </tr> 495 495 {% endfor %} 496 496 </tbody> … … 512 512 {% for var in request.COOKIES.items %} 513 513 <tr> 514 514 <td>{{ var.0 }}</td> 515 <td class="code"><div>{{ var.1|pprint |escape}}</div></td>515 <td class="code"><div>{{ var.1|pprint }}</div></td> 516 516 </tr> 517 517 {% endfor %} 518 518 </tbody> … … 533 533 {% for var in request.META.items|dictsort:"0" %} 534 534 <tr> 535 535 <td>{{ var.0 }}</td> 536 <td class="code"><div>{{ var.1|pprint |escape}}</div></td>536 <td class="code"><div>{{ var.1|pprint }}</div></td> 537 537 </tr> 538 538 {% endfor %} 539 539 </tbody> … … 552 552 {% for var in 
settings.items|dictsort:"0" %} 553 553 <tr> 554 554 <td>{{ var.0 }}</td> 555 <td class="code"><div>{{ var.1|pprint |escape}}</div></td>555 <td class="code"><div>{{ var.1|pprint }}</div></td> 556 556 </tr> 557 557 {% endfor %} 558 558 </tbody> … … 567 567 display a standard 500 page. 568 568 </p> 569 569 </div> 570 570 {% endautoescape %} 571 571 </body> 572 572 </html> 573 573 """ … … 598 598 </style> 599 599 </head> 600 600 <body> 601 {% autoescape %} 601 602 <div id="summary"> 602 603 <h1>Page not found <span>(404)</span></h1> 603 604 <table class="meta"> … … 619 620 </p> 620 621 <ol> 621 622 {% for pattern in urlpatterns %} 622 <li>{{ pattern |escape}}</li>623 <li>{{ pattern }}</li> 623 624 {% endfor %} 624 625 </ol> 625 626 <p>The current URL, <code>{{ request_path|escape }}</code>, didn't match any of these.</p> 626 627 {% else %} 627 <p>{{ reason |escape}}</p>628 <p>{{ reason }}</p> 628 629 {% endif %} 629 630 </div> 630 631 … … 635 636 will display a standard 404 page. 636 637 </p> 637 638 </div> 639 {% endautoescape %} 638 640 </body> 639 641 </html> 640 642 """ … … 669 671 </head> 670 672 671 673 <body> 674 {% autoescape %} 672 675 <div id="summary"> 673 676 <h1>It worked!</h1> 674 677 <h2>Congratulations on your first Django-powered page.</h2> … … 688 691 Django settings file and you haven't configured any URLs. Get to work! 689 692 </p> 690 693 </div> 694 {% endautoescape %} 691 695 </body></html> 692 696 """
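Review bot: The `{% autoescape %}` block in each template opens only after `<body>` and closes before `</body>`, so anything interpolated above or below it remains unescaped; in the technical 500 template the hunk starts at `</script>`, and if the `<head>` or the inline script above interpolates `exception_type`, `request.path` or frame data (not visible here), that output is outside the block. Opening the block on the first line of the template string and closing it on the last would cover the whole document with no other change. Within the block, `|escape` is removed from `template_info.message`, the `frame.*` lines, `var.1|pprint` and `pattern`, but `request.path|escape` and `exception_value|escape` are kept on the context lines 326–327 and 446; unless `escape` is idempotent under autoescaping in this implementation those values are now double-escaped, and either way the mix should be made consistent. The argument-less `{% autoescape %}` form should also be documented, since the tag's final syntax is not shown on this page.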
