Changeset 6671

Timestamp:
11/14/07 06:58:53 (6 months ago)
Author:
mtredinnick
Message:

Implemented auto-escaping of variable output in templates. Fully controllable by template authors and it's possible to write filters and templates that simultaneously work in both auto-escaped and non-auto-escaped environments if you need to. Fixed #2359

See documentation in templates.txt and templates_python.txt for how everything
works.

Backwards incompatible if you're inserting raw HTML output via template variables.

Based on an original design from Simon Willison and with debugging help from Michael Radziej.

Files:

  • django/trunk/django/contrib/admin/filterspecs.py

    r5609 r6671  
    1010from django.utils.encoding import smart_unicode, iri_to_uri 
    1111from django.utils.translation import ugettext as _ 
     12from django.utils.html import escape 
     13from django.utils.safestring import mark_safe 
    1214import datetime 
    1315 
     
    4042        t = [] 
    4143        if self.has_output(): 
    42             t.append(_(u'<h3>By %s:</h3>\n<ul>\n') % self.title()) 
     44            t.append(_(u'<h3>By %s:</h3>\n<ul>\n') % escape(self.title())) 
    4345 
    4446            for choice in self.choices(cl): 
     
    4850                     choice['display'])) 
    4951            t.append('</ul>\n\n') 
    50         return "".join(t
     52        return mark_safe("".join(t)
    5153 
    5254class RelatedFilterSpec(FilterSpec): 
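Review bot: `mark_safe("".join(t))` on new line 52 declares every element of `t` trusted markup, but only the `self.title()` append is visibly escaped; the append that ends with `choice['display']))` (line 50) starts in a collapsed region, so I can't confirm the display value is escaped, and choice display values can come from model data. If it is not, `escape(choice['display'])` — or `conditional_escape`, as admin_list.py uses in this same changeset — belongs at that interpolation point. The enclosing method starts before the hunk.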
  • django/trunk/django/contrib/admin/models.py

    r5803 r6671  
    44from django.utils.translation import ugettext_lazy as _ 
    55from django.utils.encoding import smart_unicode 
     6from django.utils.safestring import mark_safe 
    67 
    78ADDITION = 1 
     
    5051        This is relative to the Django admin index page. 
    5152        """ 
    52         return u"%s/%s/%s/" % (self.content_type.app_label, self.content_type.model, self.object_id
     53        return mark_safe(u"%s/%s/%s/" % (self.content_type.app_label, self.content_type.model, self.object_id)
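Review bot: `mark_safe` on new line 53 asserts that `self.object_id` contains no markup-significant characters, which holds for integer keys but not for models with free-text primary keys, and this value is written into `href` attributes in the admin index (`entry.get_admin_url` in index.html). Either escape or percent-encode it before marking, e.g. `return mark_safe(u"%s/%s/%s/" % (self.content_type.app_label, self.content_type.model, escape(self.object_id)))` with `escape` imported from `django.utils.html` next to the new `mark_safe` import; `urllib.quote(..., safe='')`, as fieldchoices.py does in this changeset, is the URL-oriented alternative. The enclosing method starts before the hunk.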
  • django/trunk/django/contrib/admin/templates/admin/base_site.html

    r3349 r6671  
    22{% load i18n %} 
    33 
    4 {% block title %}{{ title|escape }} | {% trans 'Django site admin' %}{% endblock %} 
     4{% block title %}{{ title }} | {% trans 'Django site admin' %}{% endblock %} 
    55 
    66{% block branding %} 
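Review bot: Dropping `|escape` from `{{ title }}` makes this template's correctness depend on being rendered with auto-escaping enabled; the same applies to change_form.html, date_hierarchy.html, delete_confirmation.html, model_detail.html, edit_inline_stacked.html, edit_inline_tabular.html, index.html, invalid_setup.html, object_history.html, pagination.html, foreign.html and one_to_one.html in this changeset. Any admin view that renders these with auto-escaping turned off, or an extending template that disables it around a block with the new control mechanism, would now emit these values raw. I'd record the assumption in a comment at the top of the admin base template (outside this changeset), e.g. `{# Admin templates rely on auto-escaping; do not disable it in extending templates. #}`, and add a test that renders one of them with a `<`-bearing title.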
  • django/trunk/django/contrib/admin/templates/admin/change_form.html

    r6391 r6671  
    1111<div class="breadcrumbs"> 
    1212     <a href="../../../">{% trans "Home" %}</a> &rsaquo; 
    13      <a href="../">{{ opts.verbose_name_plural|capfirst|escape }}</a> &rsaquo; 
    14      {% if add %}{% trans "Add" %} {{ opts.verbose_name|escape }}{% else %}{{ original|truncatewords:"18"|escape }}{% endif %} 
     13     <a href="../">{{ opts.verbose_name_plural|capfirst }}</a> &rsaquo; 
     14     {% if add %}{% trans "Add" %} {{ opts.verbose_name }}{% else %}{{ original|truncatewords:"18" }}{% endif %} 
    1515</div> 
    1616{% endif %}{% endblock %} 
  • django/trunk/django/contrib/admin/templates/admin/date_hierarchy.html

    r3349 r6671  
    22<div class="xfull"> 
    33<ul class="toplinks"> 
    4 {% if back %}<li class="date-back"><a href="{{ back.link }}">&lsaquo; {{ back.title|escape }}</a></li>{% endif %} 
     4{% if back %}<li class="date-back"><a href="{{ back.link }}">&lsaquo; {{ back.title }}</a></li>{% endif %} 
    55{% for choice in choices %} 
    6 <li> {% if choice.link %}<a href="{{ choice.link }}">{% endif %}{{ choice.title|escape }}{% if choice.link %}</a>{% endif %}</li> 
     6<li> {% if choice.link %}<a href="{{ choice.link }}">{% endif %}{{ choice.title }}{% if choice.link %}</a>{% endif %}</li> 
    77{% endfor %} 
    88</ul><br class="clear" /> 
  • django/trunk/django/contrib/admin/templates/admin/delete_confirmation.html

    r6391 r6671  
    44<div class="breadcrumbs"> 
    55     <a href="../../../../">{% trans "Home" %}</a> &rsaquo; 
    6      <a href="../../">{{ opts.verbose_name_plural|capfirst|escape }}</a> &rsaquo; 
     6     <a href="../../">{{ opts.verbose_name_plural|capfirst }}</a> &rsaquo; 
    77     <a href="../">{{ object|escape|truncatewords:"18" }}</a> &rsaquo; 
    88     {% trans 'Delete' %} 
     
    1414    <ul> 
    1515    {% for obj in perms_lacking %} 
    16         <li>{{ obj|escape }}</li> 
     16        <li>{{ obj }}</li> 
    1717    {% endfor %} 
    1818    </ul> 
  • django/trunk/django/contrib/admin/templates/admin_doc/model_detail.html

    r6391 r6671  
    99{% endblock %} 
    1010 
    11 {% block breadcrumbs %}<div class="breadcrumbs"><a href="../../../">Home</a> &rsaquo; <a href="../../">Documentation</a> &rsaquo; <a href="../">Models</a> &rsaquo; {{ name|escape }}</div>{% endblock %} 
     11{% block breadcrumbs %}<div class="breadcrumbs"><a href="../../../">Home</a> &rsaquo; <a href="../../">Documentation</a> &rsaquo; <a href="../">Models</a> &rsaquo; {{ name }}</div>{% endblock %} 
    1212 
    13 {% block title %}Model: {{ name|escape }}{% endblock %} 
     13{% block title %}Model: {{ name }}{% endblock %} 
    1414 
    1515{% block content %} 
    1616<div id="content-main"> 
    17 <h1>{{ summary|escape }}</h1> 
     17<h1>{{ summary }}</h1> 
    1818 
    1919{% if description %} 
    20   <p>{% filter escape|linebreaksbr %}{% trans description %}{% endfilter %}</p> 
     20  <p>{% filter linebreaksbr %}{% trans description %}{% endfilter %}</p> 
    2121{% endif %} 
    2222 
  • django/trunk/django/contrib/admin/templates/admin/edit_inline_stacked.html

    r3349 r6671  
    22<fieldset class="module aligned"> 
    33   {% for fcw in bound_related_object.form_field_collection_wrappers %} 
    4       <h2>{{ bound_related_object.relation.opts.verbose_name|capfirst|escape }}&nbsp;#{{ forloop.counter }}</h2> 
     4      <h2>{{ bound_related_object.relation.opts.verbose_name|capfirst }}&nbsp;#{{ forloop.counter }}</h2> 
    55      {% if bound_related_object.show_url %}{% if fcw.obj.original %} 
    66      <p><a href="/r/{{ fcw.obj.original.content_type_id }}/{{ fcw.obj.original.id }}/">View on site</a></p> 
  • django/trunk/django/contrib/admin/templates/admin/edit_inline_tabular.html

    r3571 r6671  
    11{% load admin_modify %} 
    22<fieldset class="module"> 
    3    <h2>{{ bound_related_object.relation.opts.verbose_name_plural|capfirst|escape }}</h2><table> 
     3   <h2>{{ bound_related_object.relation.opts.verbose_name_plural|capfirst }}</h2><table> 
    44   <thead><tr> 
    55   {% for fw in bound_related_object.field_wrapper_list %} 
    66      {% if fw.needs_header %} 
    7          <th{{ fw.header_class_attribute }}>{{ fw.field.verbose_name|capfirst|escape }}</th> 
     7         <th{{ fw.header_class_attribute }}>{{ fw.field.verbose_name|capfirst }}</th> 
    88      {% endif %} 
    99   {% endfor %} 
  • django/trunk/django/contrib/admin/templates/admin/index.html

    r5935 r6671  
    2020            <tr> 
    2121            {% if model.perms.change %} 
    22                 <th scope="row"><a href="{{ model.admin_url }}">{{ model.name|escape }}</a></th> 
     22                <th scope="row"><a href="{{ model.admin_url }}">{{ model.name }}</a></th> 
    2323            {% else %} 
    24                 <th scope="row">{{ model.name|escape }}</th> 
     24                <th scope="row">{{ model.name }}</th> 
    2525            {% endif %} 
    2626 
     
    5959            <ul class="actionlist"> 
    6060            {% for entry in admin_log %} 
    61             <li class="{% if entry.is_addition %}addlink{% endif %}{% if entry.is_change %}changelink{% endif %}{% if entry.is_deletion %}deletelink{% endif %}">{% if not entry.is_deletion %}<a href="{{ entry.get_admin_url }}">{% endif %}{{ entry.object_repr|escape }}{% if not entry.is_deletion %}</a>{% endif %}<br /><span class="mini quiet">{% filter capfirst|escape %}{% trans entry.content_type.name %}{% endfilter %}</span></li> 
     61            <li class="{% if entry.is_addition %}addlink{% endif %}{% if entry.is_change %}changelink{% endif %}{% if entry.is_deletion %}deletelink{% endif %}">{% if not entry.is_deletion %}<a href="{{ entry.get_admin_url }}">{% endif %}{{ entry.object_repr|escape }}{% if not entry.is_deletion %}</a>{% endif %}<br /><span class="mini quiet">{% filter capfirst %}{% trans entry.content_type.name %}{% endfilter %}</span></li> 
    6262            {% endfor %} 
    6363            </ul> 
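Review bot: New line 61 is changed only half-way: `{{ entry.object_repr|escape }}` keeps its filter while `{% filter capfirst|escape %}` on the same line loses it, so the remaining `|escape` reads as a leftover rather than a decision. I'd drop it, `{{ entry.object_repr }}`, to match the rest of the changeset. Note that `{{ entry.get_admin_url }}` on this line is now a `mark_safe` string built from `object_id` (admin/models.py in this changeset), so escaping of that href rests entirely on that method.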
  • django/trunk/django/contrib/admin/templates/admin/invalid_setup.html

    r3349 r6671  
    22{% load i18n %} 
    33 
    4 {% block breadcrumbs %}<div class="breadcrumbs"><a href="../../">{% trans 'Home' %}</a> &rsaquo; {{ title|escape }}</div>{% endblock %} 
     4{% block breadcrumbs %}<div class="breadcrumbs"><a href="../../">{% trans 'Home' %}</a> &rsaquo; {{ title }}</div>{% endblock %} 
    55 
    66{% block content %} 
  • django/trunk/django/contrib/admin/templates/admin/object_history.html

    r6391 r6671  
    22{% load i18n %} 
    33{% block breadcrumbs %} 
    4 <div class="breadcrumbs"><a href="../../../../">{% trans 'Home' %}</a> &rsaquo; <a href="../../">{{ module_name|escape }}</a> &rsaquo; <a href="../">{{ object|escape|truncatewords:"18" }}</a> &rsaquo; {% trans 'History' %}</div> 
     4<div class="breadcrumbs"><a href="../../../../">{% trans 'Home' %}</a> &rsaquo; <a href="../../">{{ module_name }}</a> &rsaquo; <a href="../">{{ object|truncatewords:"18" }}</a> &rsaquo; {% trans 'History' %}</div> 
    55{% endblock %} 
    66 
     
    2424        <tr> 
    2525            <th scope="row">{{ action.action_time|date:_("DATE_WITH_TIME_FULL") }}</th> 
    26             <td>{{ action.user.username }}{% if action.user.first_name %} ({{ action.user.first_name|escape }} {{ action.user.last_name|escape }}){% endif %}</td> 
    27             <td>{{ action.change_message|escape }}</td> 
     26            <td>{{ action.user.username }}{% if action.user.first_name %} ({{ action.user.first_name }} {{ action.user.last_name }}){% endif %}</td> 
     27            <td>{{ action.change_message }}</td> 
    2828        </tr> 
    2929        {% endfor %} 
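Review bot: `{{ object|truncatewords:"18" }}` on new line 4 drops `|escape`, whereas the identical breadcrumb in delete_confirmation.html (unchanged line 7 of that file in this changeset) keeps `{{ object|escape|truncatewords:"18" }}`; the two should agree. Since the admin templates now rely on auto-escaping, the delete_confirmation.html line is the one to change, to `<a href="../">{{ object|truncatewords:"18" }}</a> &rsaquo;`.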
  • django/trunk/django/contrib/admin/templates/admin/pagination.html

    r3349 r6671  
    77{% endfor %} 
    88{% endif %} 
    9 {{ cl.result_count }} {% ifequal cl.result_count 1 %}{{ cl.opts.verbose_name|escape }}{% else %}{{ cl.opts.verbose_name_plural|escape }}{% endifequal %} 
     9{{ cl.result_count }} {% ifequal cl.result_count 1 %}{{ cl.opts.verbose_name|escape }}{% else %}{{ cl.opts.verbose_name_plural }}{% endifequal %} 
    1010{% if show_all_url %}&nbsp;&nbsp;<a href="{{ show_all_url }}" class="showall">{% trans 'Show all' %}</a>{% endif %} 
    1111</p> 
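Review bot: New line 9 is changed only half-way: `{{ cl.opts.verbose_name|escape }}` keeps its filter while the `verbose_name_plural` branch a few tokens later loses it. Whether or not a redundant `|escape` is harmless under auto-escaping, the asymmetry makes a reader wonder which half was reviewed; I'd make it `{{ cl.opts.verbose_name }}` to match the plural branch and the rest of the changeset.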
  • django/trunk/django/contrib/admin/templates/widget/foreign.html

    r3352 r6671  
    1616    {% endif %} 
    1717    {% if bound_field.raw_id_admin %} 
    18         {% if bound_field.existing_display %}&nbsp;<strong>{{ bound_field.existing_display|truncatewords:"14"|escape }}</strong>{% endif %} 
     18        {% if bound_field.existing_display %}&nbsp;<strong>{{ bound_field.existing_display|truncatewords:"14" }}</strong>{% endif %} 
    1919    {% endif %} 
    2020{% endif %} 
  • django/trunk/django/contrib/admin/templates/widget/one_to_one.html

    r3352 r6671  
    11{% if add %}{% include "widget/foreign.html" %}{% endif %} 
    2 {% if change %}{% if bound_field.existing_display %}&nbsp;<strong>{{ bound_field.existing_display|truncatewords:"14"|escape }}</strong>{% endif %}{% endif %} 
     2{% if change %}{% if bound_field.existing_display %}&nbsp;<strong>{{ bound_field.existing_display|truncatewords:"14" }}</strong>{% endif %}{% endif %} 
  • django/trunk/django/contrib/admin/templatetags/adminapplist.py

    r5609 r6671  
    22from django.db.models import get_models 
    33from django.utils.encoding import force_unicode 
     4from django.utils.safestring import mark_safe 
    45 
    56register = template.Library() 
     
    3940                            model_list.append({ 
    4041                                'name': force_unicode(capfirst(m._meta.verbose_name_plural)), 
    41                                 'admin_url': u'%s/%s/' % (force_unicode(app_label), m.__name__.lower()), 
     42                                'admin_url': mark_safe(u'%s/%s/' % (force_unicode(app_label), m.__name__.lower())), 
    4243                                'perms': perms, 
    4344                            }) 
  • django/trunk/django/contrib/admin/templatetags/admin_list.py

    r5694 r6671  
    55from django.db import models 
    66from django.utils import dateformat 
    7 from django.utils.html import escape 
     7from django.utils.html import escape, conditional_escape 
    88from django.utils.text import capfirst 
     9from django.utils.safestring import mark_safe 
    910from django.utils.translation import get_date_formats, get_partial_date_formats, ugettext as _ 
    1011from django.utils.encoding import smart_unicode, smart_str, force_unicode 
     
    2021        return u'... ' 
    2122    elif i == cl.page_num: 
    22         return u'<span class="this-page">%d</span> ' % (i+1
     23        return mark_safe(u'<span class="this-page">%d</span> ' % (i+1)
    2324    else: 
    24         return u'<a href="%s"%s>%d</a> ' % (cl.get_query_string({PAGE_VAR: i}), (i == cl.paginator.pages-1 and ' class="end"' or ''), i+1
     25        return mark_safe(u'<a href="%s"%s>%d</a> ' % (cl.get_query_string({PAGE_VAR: i}), (i == cl.paginator.pages-1 and ' class="end"' or ''), i+1)
    2526paginator_number = register.simple_tag(paginator_number) 
    2627 
     
    118119def _boolean_icon(field_val): 
    119120    BOOLEAN_MAPPING = {True: 'yes', False: 'no', None: 'unknown'} 
    120     return u'<img src="%simg/admin/icon-%s.gif" alt="%s" />' % (settings.ADMIN_MEDIA_PREFIX, BOOLEAN_MAPPING[field_val], field_val
     121    return mark_safe(u'<img src="%simg/admin/icon-%s.gif" alt="%s" />' % (settings.ADMIN_MEDIA_PREFIX, BOOLEAN_MAPPING[field_val], field_val)
    121122 
    122123def items_for_result(cl, result): 
     
    194195            # Problem cases are long ints (23L) and non-ASCII strings. 
    195196            result_id = repr(force_unicode(getattr(result, pk)))[1:] 
    196             yield (u'<%s%s><a href="%s"%s>%s</a></%s>' % \ 
    197                 (table_tag, row_class, url, (cl.is_popup and ' onclick="opener.dismissRelatedLookupPopup(window, %s); return false;"' % result_id or ''), result_repr, table_tag)) 
    198         else: 
    199             yield (u'<td%s>%s</td>' % (row_class, result_repr)) 
     197            yield mark_safe(u'<%s%s><a href="%s"%s>%s</a></%s>' % \ 
     198                (table_tag, row_class, url, (cl.is_popup and ' onclick="opener.dismissRelatedLookupPopup(window, %s); return false;"' % result_id or ''), conditional_escape(result_repr), table_tag)) 
     199        else: 
     200            yield mark_safe(u'<td%s>%s</td>' % (row_class, conditional_escape(result_repr))) 
    200201 
    201202def results(cl): 
     
    221222        year_month_format, month_day_format = get_partial_date_formats() 
    222223 
    223         link = lambda d: cl.get_query_string(d, [field_generic]
     224        link = lambda d: mark_safe(cl.get_query_string(d, [field_generic])
    224225 
    225226        if year_lookup and month_lookup and day_lookup: 
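Review bot: In `items_for_result` the new `conditional_escape(result_repr)` is right, but the same `mark_safe` string on new lines 197-200 also interpolates `url` and `result_id` unescaped. `result_id` is `repr(force_unicode(...))[1:]` (line 196), and `repr` leaves `"` intact (and switches to double quotes when the key contains `'`), so a free-text primary key can terminate the double-quoted `onclick` attribute; `url` is built before the hunk, so I can't confirm it is escaped. Applying `escape(result_id)` and `conditional_escape(url)` at the interpolation points keeps the `mark_safe` assertion honest. Separately, the `link` lambda's `mark_safe` (new line 224) wraps `cl.get_query_string`, which already returns a `mark_safe` value in admin/views/main.py in this changeset, so that wrapper is redundant. Both enclosing functions extend beyond their hunks.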
  • django/trunk/django/contrib/admin/templatetags/admin_modify.py

    r6399 r6671  
    44from django.utils.text import capfirst 
    55from django.utils.encoding import force_unicode 
     6from django.utils.safestring import mark_safe 
     7from django.utils.html import escape 
    68from django.db import models 
    79from django.db.models.fields import Field 
     
    3335    if not absolute_url_re.match(script_path): 
    3436        script_path = '%s%s' % (settings.ADMIN_MEDIA_PREFIX, script_path) 
    35     return u'<script type="text/javascript" src="%s"></script>' % script_path 
     37    return mark_safe(u'<script type="text/javascript" src="%s"></script>' 
     38            % script_path) 
    3639include_admin_script = register.simple_tag(include_admin_script) 
    3740 
     
    6467        colon = ":" 
    6568    class_str = class_names and u' class="%s"' % u' '.join(class_names) or u'' 
    66     return u'<label for="%s"%s>%s%s</label> ' % (bound_field.element_id, class_str, \ 
    67         force_unicode(capfirst(bound_field.field.verbose_name)), colon) 
     69    return mark_safe(u'<label for="%s"%s>%s%s</label> ' % 
     70            (bound_field.element_id, class_str, 
     71            escape(force_unicode(capfirst(bound_field.field.verbose_name))), 
     72            colon)) 
    6873field_label = register.simple_tag(field_label) 
    6974 
     
    194199                     ' if(!e._changed) { e.value = URLify(%s, %s);} }; ' % ( 
    195200                     f, field.name, add_values, field.max_length)) 
    196     return u''.join(t
     201    return mark_safe(u''.join(t)
    197202auto_populated_field_script = register.simple_tag(auto_populated_field_script) 
    198203 
     
    200205    f = bound_field.field 
    201206    if f.rel and isinstance(f.rel, models.ManyToManyRel) and f.rel.filter_interface: 
    202         return u'<script type="text/javascript">addEvent(window, "load", function(e) {' \ 
     207        return mark_safe(u'<script type="text/javascript">addEvent(window, "load", function(e) {' \ 
    203208              ' SelectFilter.init("id_%s", "%s", %s, "%s"); });</script>\n' % ( 
    204               f.name, f.verbose_name.replace('"', '\\"'), f.rel.filter_interface-1, settings.ADMIN_MEDIA_PREFIX
     209              f.name, escape(f.verbose_name.replace('"', '\\"')), f.rel.filter_interface-1, settings.ADMIN_MEDIA_PREFIX)
    205210    else: 
    206211        return '' 
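Review bot: On new line 209 `escape()` applies HTML-entity encoding to a value that lands inside a `<script>` block, where entities are not decoded, so a verbose name containing `'` or `&` will appear in the SelectFilter widget literally as `&#39;` or `&amp;`, and the `"` already backslashed on the same line becomes `\&quot;`. A JavaScript string literal needs JavaScript escaping, not HTML escaping: keep the `replace('"', '\\"')`, also backslash `\` itself and break up `</` so the script block cannot be closed early, or reuse the `escapejs` filter's logic if this tree has it, and drop `escape()`. `field_label` (new line 71) is fine, since that value lands in HTML. The enclosing function starts before the hunk.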
  • django/trunk/django/contrib/admin/utils.py

    r4265 r6671  
    44from email.Parser import HeaderParser 
    55from email.Errors import HeaderParseError 
     6from django.utils.safestring import mark_safe 
    67try: 
    78    import docutils.core 
     
    6768                destination_path=None, writer_name='html', 
    6869                settings_overrides=overrides) 
    69     return parts['fragment'] 
     70    return mark_safe(parts['fragment']) 
    7071 
    7172# 
  • django/trunk/django/contrib/admin/views/decorators.py

    r5609 r6671  
    55from django.shortcuts import render_to_response 
    66from django.utils.translation import ugettext_lazy, ugettext as _ 
     7from django.utils.safestring import mark_safe 
    78import base64, datetime, md5 
    89import cPickle as pickle 
     
    2324    return render_to_response('admin/login.html', { 
    2425        'title': _('Log in'), 
    25         'app_path': request.path
     26        'app_path': mark_safe(request.path)
    2627        'post_data': post_data, 
    2728        'error_message': error_message 
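Review bot: `mark_safe(request.path)` on new line 26 asserts that a value taken from the request line contains no markup-significant characters, which the server does not guarantee, and `app_path` is presumably written into the login form's `action` attribute. Leaving it as `'app_path': request.path,` lets auto-escaping encode it for the attribute (an entity-escaped URL is still a valid href), which is what is wanted here; `escape(request.path)` would be the explicit form. The same consideration applies to `admin_url` in admin/views/doc.py in this changeset, built from `request.get_host()` and a slice of `request.path`, and to `'form_url': mark_safe(form_url)` in admin/views/main.py, whose origin is outside that hunk. The enclosing function starts before the hunk.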
  • django/trunk/django/contrib/admin/views/doc.py

    r6296 r6671  
    1111from django.contrib.sites.models import Site 
    1212from django.utils.translation import ugettext as _ 
     13from django.utils.safestring import mark_safe 
    1314import inspect, os, re 
    1415 
     
    3031    admin_root = request.path[:-len('doc/bookmarklets/')] 
    3132    return render_to_response('admin_doc/bookmarklets.html', { 
    32         'admin_url': "%s://%s%s" % (request.is_secure() and 'https' or 'http', request.get_host(), admin_root), 
     33        'admin_url': mark_safe("%s://%s%s" % (request.is_secure() and 'https' or 'http', request.get_host(), admin_root)), 
    3334    }, context_instance=RequestContext(request)) 
    3435bookmarklets = staff_member_required(bookmarklets) 
  • django/trunk/django/contrib/admin/views/main.py

    r6360 r6671  
    1515from django.utils.encoding import force_unicode, smart_str 
    1616from django.utils.translation import ugettext as _ 
     17from django.utils.safestring import mark_safe 
    1718import operator 
    1819 
     
    137138 
    138139        if field.rel: 
    139             self.related_url = u'../../../%s/%s/' % (field.rel.to._meta.app_label, field.rel.to._meta.object_name.lower()) 
     140            self.related_url = mark_safe(u'../../../%s/%s/' 
     141                    % (field.rel.to._meta.app_label, 
     142                        field.rel.to._meta.object_name.lower())) 
    140143 
    141144    def original_value(self): 
     
    217220        'ordered_objects': ordered_objects, 
    218221        'inline_related_objects': inline_related_objects, 
    219         'form_url': form_url
     222        'form_url': mark_safe(form_url)
    220223        'opts': opts, 
    221224        'content_type_id': ContentType.objects.get_for_model(model).id, 
     
    437440                    # Don't display link to edit, because it either has no 
    438441                    # admin or is edited inline. 
    439                     nh(deleted_objects, current_depth, [u'%s: %s' % (force_unicode(capfirst(related.opts.verbose_name)), sub_obj), []]) 
     442                    nh(deleted_objects, current_depth, [mark_safe(u'%s: %s' % (force_unicode(capfirst(related.opts.verbose_name)), sub_obj)), []]) 
    440443                else: 
    441444                    # Display a link to the admin page. 
    442                     nh(deleted_objects, current_depth, [u'%s: <a href="../../../../%s/%s/%s/">%s</a>' % \ 
    443                         (force_unicode(capfirst(related.opts.verbose_name)), related.opts.app_label, related.opts.object_name.lower(), 
    444                         sub_obj._get_pk_val(), sub_obj), []]) 
     445                    nh(deleted_objects, current_depth, [mark_safe(u'%s: <a href="../../../../%s/%s/%s/">%s</a>' % 
     446                        (escape(force_unicode(capfirst(related.opts.verbose_name))), 
     447                            related.opts.app_label, 
     448                            related.opts.object_name.lower(), 
     449                            sub_obj._get_pk_val(), sub_obj)), []]) 
    445450                _get_deleted_objects(deleted_objects, perms_needed, user, sub_obj, related.opts, current_depth+2) 
    446451        else: 
     
    454459                else: 
    455460                    # Display a link to the admin page. 
    456                     nh(deleted_objects, current_depth, [u'%s: <a href="../../../../%s/%s/%s/">%s</a>' % \ 
    457                         (force_unicode(capfirst(related.opts.verbose_name)), related.opts.app_label, related.opts.object_name.lower(), sub_obj._get_pk_val(), escape(sub_obj)), []]) 
     461                    nh(deleted_objects, current_depth, [mark_safe(u'%s: <a href="../../../../%s/%s/%s/">%s</a>' % \ 
     462                        (escape(force_unicode(capfirst(related.opts.verbose_name))), related.opts.app_label, related.opts.object_name.lower(), sub_obj._get_pk_val(), escape(sub_obj))), []]) 
    458463                _get_deleted_objects(deleted_objects, perms_needed, user, sub_obj, related.opts, current_depth+2) 
    459464            # If there were related objects, and the user doesn't have 
     
    486491                    # Display a link to the admin page. 
    487492                    nh(deleted_objects, current_depth, [ 
    488                         (_('One or more %(fieldname)s in %(name)s:') % {'fieldname': force_unicode(related.field.verbose_name), 'name': force_unicode(related.opts.verbose_name)}) + \ 
     493                        mark_safe((_('One or more %(fieldname)s in %(name)s:') % {'fieldname': escape(force_unicode(related.field.verbose_name)), 'name': escape(force_unicode(related.opts.verbose_name))}) + \ 
    489494                        (u' <a href="../../../../%s/%s/%s/">%s</a>' % \ 
    490                             (related.opts.app_label, related.opts.module_name, sub_obj._get_pk_val(), escape(sub_obj))), []]) 
     495                            (related.opts.app_label, related.opts.module_name, sub_obj._get_pk_val(), escape(sub_obj)))), []]) 
    491496        # If there were related objects, and the user doesn't have 
    492497        # permission to change them, add the missing perm to perms_needed. 
     
    508513    # Populate deleted_objects, a data structure of all related objects that 
    509514    # will also be deleted. 
    510     deleted_objects = [u'%s: <a href="../../%s/">%s</a>' % (force_unicode(capfirst(opts.verbose_name)), force_unicode(object_id), escape(obj)), []] 
     515    deleted_objects = [mark_safe(u'%s: <a href="../../%s/">%s</a>' % (escape(force_unicode(capfirst(opts.verbose_name))), force_unicode(object_id), escape(obj))), []] 
    511516    perms_needed = set() 
    512517    _get_deleted_objects(deleted_objects, perms_needed, request.user, obj, opts, 1) 
     
    605610            elif v is not None: 
    606611                p[k] = v 
    607         return '?' + '&amp;'.join([u'%s=%s' % (k, v) for k, v in p.items()]).replace(' ', '%20'
     612        return mark_safe('?' + '&amp;'.join([u'%s=%s' % (k, v) for k, v in p.items()]).replace(' ', '%20')
    608613 
    609614    def get_results(self, request): 
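Review bot: New line 442 marks `u'%s: %s' % (force_unicode(capfirst(related.opts.verbose_name)), sub_obj)` safe with neither operand escaped, while the sibling branches on new lines 446 and 462 escape both; `sub_obj`'s unicode form is model data, so this is the one place in `_get_deleted_objects` where an object name reaches the delete-confirmation page unescaped. It should read `[mark_safe(u'%s: %s' % (escape(force_unicode(capfirst(related.opts.verbose_name))), escape(sub_obj))), []]`. Further down, `get_query_string` (new line 612) marks the joined `k=v` pairs safe having handled only `&` and spaces; if `p` carries the current request's parameters, as the `p[k] = v` merge suggests, a value containing `"` or `<` passes straight into the `href` attributes admin_list.py builds from it, so keys and values want `escape()` (or percent-encoding) before the join. Both enclosing functions extend beyond their hunks.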
  • django/trunk/django/contrib/csrf/middleware.py

    r6038 r6671  
    88from django.conf import settings 
    99from django.http import HttpResponseForbidden 
     10from django.utils.safestring import mark_safe 
    1011import md5 
    1112import re 
    1213import itertools 
    1314 
    14 _ERROR_MSG = '<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"><body><h1>403 Forbidden</h1><p>Cross Site Request Forgery detected. Request aborted.</p></body></html>' 
     15_ERROR_MSG = mark_safe('<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"><body><h1>403 Forbidden</h1><p>Cross Site Request Forgery detected. Request aborted.</p></body></html>') 
    1516 
    1617_POST_FORM_RE = \ 
     
    8384            def add_csrf_field(match): 
    8485                """Returns the matched <form> tag plus the added <input> element""" 
    85                 return match.group() + "<div style='display:none;'>" + \ 
     86                return mark_safe(match.group() + "<div style='display:none;'>" + \ 
    8687                "<input type='hidden' " + idattributes.next() + \ 
    8788                " name='csrfmiddlewaretoken' value='" + csrf_token + \ 
    88                 "' /></div>" 
     89                "' /></div>") 
    8990 
    9091            # Modify any POST forms 
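Review bot: `mark_safe` appears to have no effect in either place it is added here: `add_csrf_field` looks like a `re.sub` callback (its result is spliced into the response body as a plain string), and `_ERROR_MSG` goes straight into `HttpResponseForbidden` rather than through a template. Both additions read as though the HTML were template-bound, which will mislead a later reader; I'd revert them to plain strings, or add a comment such as `# mark_safe so the snippet can also be rendered through a template unescaped` if that is the intent. `add_csrf_field`'s enclosing function continues outside the hunk.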
  • django/trunk/django/contrib/databrowse/datastructures.py

    r5947 r6671  
    99from django.utils.translation import get_date_formats 
    1010from django.utils.encoding import smart_unicode, smart_str, iri_to_uri 
     11from django.utils.safestring import mark_safe 
    1112from django.db.models.query import QuerySet 
    1213 
     
    2930 
    3031    def url(self): 
    31         return '%s%s/%s/' % (self.site.root_url, self.model._meta.app_label, self.model._meta.module_name
     32        return mark_safe('%s%s/%s/' % (self.site.root_url, self.model._meta.app_label, self.model._meta.module_name)
    3233 
    3334    def objects(self, **kwargs): 
     
    6970    def url(self): 
    7071        if self.field.choices: 
    71             return '%s%s/%s/%s/' % (self.model.site.root_url, self.model.model._meta.app_label, self.model.model._meta.module_name, self.field.name
     72            return mark_safe('%s%s/%s/%s/' % (self.model.site.root_url, self.model.model._meta.app_label, self.model.model._meta.module_name, self.field.name)
    7273        elif self.field.rel: 
    73             return '%s%s/%s/' % (self.model.site.root_url, self.model.model._meta.app_label, self.model.model._meta.module_name
     74            return mark_safe('%s%s/%s/' % (self.model.site.root_url, self.model.model._meta.app_label, self.model.model._meta.module_name)
    7475 
    7576class EasyChoice(object): 
     
    8283 
    8384    def url(self): 
    84         return '%s%s/%s/%s/%s/' % (self.model.site.root_url, self.model.model._meta.app_label, self.model.model._meta.module_name, self.field.field.name, iri_to_uri(self.value)) 
     85        return mark_safe('%s%s/%s/%s/%s/' % (self.model.site.root_url, self.model.model._meta.app_label, self.model.model._meta.module_name, self.field.field.name, iri_to_uri(self.value))) 
    8586 
    8687class EasyInstance(object): 
     
    185186                lst = [] 
    186187                for value in self.values(): 
    187                     url = '%s%s/%s/objects/%s/' % (self.model.site.root_url, m.model._meta.app_label, m.model._meta.module_name, iri_to_uri(value._get_pk_val())) 
     188                    url = mark_safe('%s%s/%s/objects/%s/' % (self.model.site.root_url, m.model._meta.app_label, m.model._meta.module_name, iri_to_uri(value._get_pk_val()))) 
    188189                    lst.append((smart_unicode(value), url)) 
    189190            else: 
     
    192193            lst = [] 
    193194            for value in self.values(): 
    194                 url = '%s%s/%s/fields/%s/%s/' % (self.model.site.root_url, self.model.model._meta.app_label, self.model.model._meta.module_name, self.field.name, iri_to_uri(self.raw_value)) 
     195                url = mark_safe('%s%s/%s/fields/%s/%s/' % (self.model.site.root_url, self.model.model._meta.app_label, self.model.model._meta.module_name, self.field.name, iri_to_uri(self.raw_value))) 
    195196                lst.append((value, url)) 
    196197        elif isinstance(self.field, models.URLField): 
  • django/trunk/django/contrib/databrowse/plugins/calendars.py

    r5947 r6671  
    66from django.utils.text import capfirst 
    77from django.utils.translation import get_date_formats 
     8from django.utils.encoding import force_unicode 
     9from django.utils.safestring import mark_safe 
    810from django.views.generic import date_based 
    9 from django.utils.encoding import force_unicode 
    1011import datetime 
    1112import time 
     
    3031        if not fields: 
    3132            return u'' 
    32         return u'<p class="filter"><strong>View calendar by:</strong> %s</p>' % \ 
    33             u', '.join(['<a href="calendars/%s/">%s</a>' % (f.name, force_unicode(capfirst(f.verbose_name))) for f in fields.values()]) 
     33        return mark_safe(u'<p class="filter"><strong>View calendar by:</strong> %s</p>' % \ 
     34            u', '.join(['<a href="calendars/%s/">%s</a>' % (f.name, force_unicode(capfirst(f.verbose_name))) for f in fields.values()])) 
    3435 
    3536    def urls(self, plugin_name, easy_instance_field): 
    3637        if isinstance(easy_instance_field.field, models.DateField): 
    37             return [u'%s%s/%s/%s/%s/%s/' % (easy_instance_field.model.url(), 
     38            return [mark_safe(u'%s%s/%s/%s/%s/%s/' % ( 
     39                easy_instance_field.model.url(), 
    3840                plugin_name, easy_instance_field.field.name, 
    3941                easy_instance_field.raw_value.year, 
    4042                easy_instance_field.raw_value.strftime('%b').lower(), 
    41                 easy_instance_field.raw_value.day)
     43                easy_instance_field.raw_value.day))
    4244 
    4345    def model_view(self, request, model_databrowse, url): 
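Review bot: `model_index_html` (new lines 33-34) marks the joined links safe while `force_unicode(capfirst(f.verbose_name))` goes in unescaped; elsewhere in this changeset (admin_modify.py's `field_label`, admin/views/main.py) verbose names are passed through `escape()` before `mark_safe`, and fieldchoices.py's `model_index_html` has the same omission. For consistency, escape it: `u', '.join(['<a href="calendars/%s/">%s</a>' % (f.name, escape(force_unicode(capfirst(f.verbose_name)))) for f in fields.values()]))` with `from django.utils.html import escape` added to the import block. The `urls` change is fine, since the URL parts are field names and date components. The enclosing class starts before the hunk.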
  • django/trunk/django/contrib/databrowse/plugins/fieldchoices.py

    r5876 r6671  
    66from django.utils.text import capfirst 
    77from django.utils.encoding import smart_str, force_unicode 
     8from django.utils.safestring import mark_safe 
    89from django.views.generic import date_based 
    910import datetime 
     
    3334        if not fields: 
    3435            return u'' 
    35         return u'<p class="filter"><strong>View by:</strong> %s</p>' % \ 
    36             u', '.join(['<a href="fields/%s/">%s</a>' % (f.name, force_unicode(capfirst(f.verbose_name))) for f in fields.values()]) 
     36        return mark_safe(u'<p class="filter"><strong>View by:</strong> %s</p>' % \ 
     37            u', '.join(['<a href="fields/%s/">%s</a>' % (f.name, force_unicode(capfirst(f.verbose_name))) for f in fields.values()])) 
    3738 
    3839    def urls(self, plugin_name, easy_instance_field): 
    3940        if easy_instance_field.field in self.field_dict(easy_instance_field.model.model).values(): 
    4041            field_value = smart_str(easy_instance_field.raw_value) 
    41             return [u'%s%s/%s/%s/' % (easy_instance_field.model.url(), 
     42            return [mark_safe(u'%s%s/%s/%s/' % ( 
     43                easy_instance_field.model.url(), 
    4244                plugin_name, easy_instance_field.field.name, 
    43                 urllib.quote(field_value, safe=''))
     45                urllib.quote(field_value, safe='')))
    4446 
    4547    def model_view(self, request, model_databrowse, url): 
  • django/trunk/django/contrib/databrowse/sites.py

    r5876 r6671  
    33from django.contrib.databrowse.datastructures import EasyModel, EasyChoice 
    44from django.shortcuts import render_to_response 
     5from django.utils.safestring import mark_safe 
    56 
    67class AlreadyRegistered(Exception): 
     
    6162    def main_view(self, request): 
    6263        easy_model = EasyModel(self.site, self.model) 
    63         html_snippets = u'\n'.join([p.model_index_html(request, self.model, self.site) for p in self.plugins.values()]
     64        html_snippets = mark_safe(u'\n'.join([p.model_index_html(request, self.model, self.site) for p in self.plugins.values()])
    6465        return render_to_response('databrowse/model_detail.html', { 
    6566            'model': easy_model, 
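Review bot: `mark_safe` on `html_snippets` (new line 64) turns the contract of every registered plugin's `model_index_html` into "returns HTML that has already escaped its data", which nothing visible documents; plugins written against the old behaviour now have their output trusted. A docstring on the plugin base class's `model_index_html` (outside this changeset) stating that the return value is inserted unescaped and must escape any model data it embeds would record that, and the two in-tree plugins (calendars.py, fieldchoices.py) should be checked against it. The enclosing `main_view` continues past the hunk.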
  • django/trunk/django/contrib/flatpages/views.py