Ticket #6160: validation-escaping.2.diff

django/newforms/forms.py

@@ -5 +5 @@
 from copy import deepcopy
 
 from django.utils.datastructures import SortedDict
-from django.utils.html import escape
+from django.utils.html import escape, conditional_escape
 from django.utils.encoding import StrAndUnicode, smart_unicode, force_unicode
 from django.utils.safestring import mark_safe
 
@@ -127 +127 @@
         output, hidden_fields = [], []
         for name, field in self.fields.items():
             bf = BoundField(self, field, name)
-            bf_errors = self.error_class([escape(error) for error in bf.errors]) # Escape and cache in local variable.
+            bf_errors = self.error_class([conditional_escape(error) for error in bf.errors]) # Escape and cache in local variable.
             if bf.is_hidden:
                 if bf_errors:
                     top_errors.extend([u'(Hidden field %s) %s' % (name, force_unicode(e)) for e in bf_errors])

django/newforms/util.py

@@ -1 @@
-from django.utils.html import escape
+from django.utils.html import conditional_escape
 from django.utils.encoding import smart_unicode, StrAndUnicode, force_unicode
-from django.utils.functional import Promise
 from django.utils.safestring import mark_safe
 
 def flatatt(attrs):
@@ -10 +9 @@
     XML-style pairs.  It is assumed that the keys do not need to be XML-escaped.
     If the passed dictionary is empty, then return an empty string.
     """
-    return u''.join([u' %s="%s"' % (k, escape(v)) for k, v in attrs.items()])
+    return mark_safe(u''.join([u' %s="%s"' % (k, conditional_escape(v)) for k, v in attrs.items()]))
 
 class ErrorDict(dict, StrAndUnicode):
     """
@@ -56 +55 @@
         a string) or a list of objects.
         """
         if isinstance(message, list):
-            self.messages = ErrorList([smart_unicode(msg) for msg in message])
+            self.messages = ErrorList([conditional_escape(smart_unicode(msg)) for msg in message])
         else:
-            message = smart_unicode(message)
+            message = conditional_escape(smart_unicode(message))
             self.messages = ErrorList([message])
 
     def __str__(self):

tests/regressiontests/forms/localflavor/ch.py

@@ -41 +41 @@
 >>> f.clean('C1234567<1')
 Traceback (most recent call last):
 ...
-ValidationError: [u'Enter a valid Swiss identity or passport card number in X1234567<0 or 1234567890 format.']
+ValidationError: [u'Enter a valid Swiss identity or passport card number in X1234567&lt;0 or 1234567890 format.']
 >>> f.clean('2123456700')
 u'2123456700'
 >>> f.clean('2123456701')
 Traceback (most recent call last):
 ...
-ValidationError: [u'Enter a valid Swiss identity or passport card number in X1234567<0 or 1234567890 format.']
+ValidationError: [u'Enter a valid Swiss identity or passport card number in X1234567&lt;0 or 1234567890 format.']
 
 # CHStateSelect #############################################################
 

tests/regressiontests/forms/util.py

@@ -7 +7 @@
 >>> from django.newforms.util import *
 >>> from django.utils.translation import ugettext_lazy
 
+# Escaping.
+>>> from django.utils.html import escape
+>>> from django.utils.html import conditional_escape
+>>> script = "$('#example').html('<a href=\"http://www.example.com/\">example</a>');"
+
 ###########
 # flatatt #
 ###########
@@ -19 +24 @@
 >>> flatatt({})
 u''
 
+# Escaping.
+
+>>> flatatt({'onclick': script})
+u' onclick="$(&#39;#example&#39;).html(&#39;&lt;a href=&quot;http://www.example.com/&quot;&gt;example&lt;/a&gt;&#39;);"'
+>>> flatatt({'onclick': escape(script)})
+u' onclick="$(&#39;#example&#39;).html(&#39;&lt;a href=&quot;http://www.example.com/&quot;&gt;example&lt;/a&gt;&#39;);"'
+>>> flatatt({'onclick': conditional_escape(script)})
+u' onclick="$(&#39;#example&#39;).html(&#39;&lt;a href=&quot;http://www.example.com/&quot;&gt;example&lt;/a&gt;&#39;);"'
+
+>>> conditional_escape(flatatt({'onclick': script}))
+u' onclick="$(&#39;#example&#39;).html(&#39;&lt;a href=&quot;http://www.example.com/&quot;&gt;example&lt;/a&gt;&#39;);"'
+>>> conditional_escape(flatatt({'onclick': escape(script)}))
+u' onclick="$(&#39;#example&#39;).html(&#39;&lt;a href=&quot;http://www.example.com/&quot;&gt;example&lt;/a&gt;&#39;);"'
+>>> conditional_escape(flatatt({'onclick': conditional_escape(script)}))
+u' onclick="$(&#39;#example&#39;).html(&#39;&lt;a href=&quot;http://www.example.com/&quot;&gt;example&lt;/a&gt;&#39;);"'
+
 ###################
 # ValidationError #
 ###################
@@ -49 +70 @@
 # Can take a non-string.
 >>> print ValidationError(VeryBadError()).messages
 <ul class="errorlist"><li>A very bad error.</li></ul>
+
+# Escaping.
+
+>>> print ValidationError(script).messages
+<ul class="errorlist"><li>$(&#39;#example&#39;).html(&#39;&lt;a href=&quot;http://www.example.com/&quot;&gt;example&lt;/a&gt;&#39;);</li></ul>
+>>> print ValidationError(escape(script)).messages
+<ul class="errorlist"><li>$(&#39;#example&#39;).html(&#39;&lt;a href=&quot;http://www.example.com/&quot;&gt;example&lt;/a&gt;&#39;);</li></ul>
+>>> print ValidationError(conditional_escape(script)).messages
+<ul class="errorlist"><li>$(&#39;#example&#39;).html(&#39;&lt;a href=&quot;http://www.example.com/&quot;&gt;example&lt;/a&gt;&#39;);</li></ul>
+>>> print ErrorDict({'example': ValidationError(script).messages})
+<ul class="errorlist"><li>example<ul class="errorlist"><li>$(&#39;#example&#39;).html(&#39;&lt;a href=&quot;http://www.example.com/&quot;&gt;example&lt;/a&gt;&#39;);</li></ul></li></ul>
+>>> print ErrorDict({'example': ValidationError(escape(script)).messages})
+<ul class="errorlist"><li>example<ul class="errorlist"><li>$(&#39;#example&#39;).html(&#39;&lt;a href=&quot;http://www.example.com/&quot;&gt;example&lt;/a&gt;&#39;);</li></ul></li></ul>
+>>> print ErrorDict({'example': ValidationError(conditional_escape(script)).messages})
+<ul class="errorlist"><li>example<ul class="errorlist"><li>$(&#39;#example&#39;).html(&#39;&lt;a href=&quot;http://www.example.com/&quot;&gt;example&lt;/a&gt;&#39;);</li></ul></li></ul>
+
+>>> print conditional_escape(unicode(ValidationError(script).messages))
+<ul class="errorlist"><li>$(&#39;#example&#39;).html(&#39;&lt;a href=&quot;http://www.example.com/&quot;&gt;example&lt;/a&gt;&#39;);</li></ul>
+>>> print conditional_escape(unicode(ValidationError(escape(script)).messages))
+<ul class="errorlist"><li>$(&#39;#example&#39;).html(&#39;&lt;a href=&quot;http://www.example.com/&quot;&gt;example&lt;/a&gt;&#39;);</li></ul>
+>>> print conditional_escape(unicode(ValidationError(conditional_escape(script)).messages))
+<ul class="errorlist"><li>$(&#39;#example&#39;).html(&#39;&lt;a href=&quot;http://www.example.com/&quot;&gt;example&lt;/a&gt;&#39;);</li></ul>
+>>> print conditional_escape(unicode(ErrorDict({'example': ValidationError(script).messages})))
+<ul class="errorlist"><li>example<ul class="errorlist"><li>$(&#39;#example&#39;).html(&#39;&lt;a href=&quot;http://www.example.com/&quot;&gt;example&lt;/a&gt;&#39;);</li></ul></li></ul>
+>>> print conditional_escape(unicode(ErrorDict({'example': ValidationError(escape(script)).messages})))
+<ul class="errorlist"><li>example<ul class="errorlist"><li>$(&#39;#example&#39;).html(&#39;&lt;a href=&quot;http://www.example.com/&quot;&gt;example&lt;/a&gt;&#39;);</li></ul></li></ul>
+>>> print conditional_escape(unicode(ErrorDict({'example': ValidationError(conditional_escape(script)).messages})))
+<ul class="errorlist"><li>example<ul class="errorlist"><li>$(&#39;#example&#39;).html(&#39;&lt;a href=&quot;http://www.example.com/&quot;&gt;example&lt;/a&gt;&#39;);</li></ul></li></ul>
+
 """