Changeset 6671

Timestamp:

11/14/07 06:58:53 (2 years ago)

Author:

mtredinnick

Message:

Implemented auto-escaping of variable output in templates. Fully controllable by template authors and it's possible to write filters and templates that simulataneously work in both auto-escaped and non-auto-escaped environments if you need to. Fixed #2359

See documentation in templates.txt and templates_python.txt for how everything
works.

Backwards incompatible if you're inserting raw HTML output via template variables.

Based on an original design from Simon Willison and with debugging help from Michael Radziej.

Files:

• django/trunk/django/contrib/admin/filterspecs.py (modified) (3 diffs)
• django/trunk/django/contrib/admin/models.py (modified) (2 diffs)
• django/trunk/django/contrib/admin/templates/admin/base_site.html (modified) (1 diff)
• django/trunk/django/contrib/admin/templates/admin/change_form.html (modified) (1 diff)
• django/trunk/django/contrib/admin/templates/admin/date_hierarchy.html (modified) (1 diff)
• django/trunk/django/contrib/admin/templates/admin/delete_confirmation.html (modified) (2 diffs)
• django/trunk/django/contrib/admin/templates/admin_doc/model_detail.html (modified) (1 diff)
• django/trunk/django/contrib/admin/templates/admin/edit_inline_stacked.html (modified) (1 diff)
• django/trunk/django/contrib/admin/templates/admin/edit_inline_tabular.html (modified) (1 diff)
• django/trunk/django/contrib/admin/templates/admin/index.html (modified) (2 diffs)
• django/trunk/django/contrib/admin/templates/admin/invalid_setup.html (modified) (1 diff)
• django/trunk/django/contrib/admin/templates/admin/object_history.html (modified) (2 diffs)
• django/trunk/django/contrib/admin/templates/admin/pagination.html (modified) (1 diff)
• django/trunk/django/contrib/admin/templates/widget/foreign.html (modified) (1 diff)
• django/trunk/django/contrib/admin/templates/widget/one_to_one.html (modified) (1 diff)
• django/trunk/django/contrib/admin/templatetags/adminapplist.py (modified) (2 diffs)
• django/trunk/django/contrib/admin/templatetags/admin_list.py (modified) (5 diffs)
• django/trunk/django/contrib/admin/templatetags/admin_modify.py (modified) (5 diffs)
• django/trunk/django/contrib/admin/utils.py (modified) (2 diffs)
• django/trunk/django/contrib/admin/views/decorators.py (modified) (2 diffs)
• django/trunk/django/contrib/admin/views/doc.py (modified) (2 diffs)
• django/trunk/django/contrib/admin/views/main.py (modified) (8 diffs)
• django/trunk/django/contrib/csrf/middleware.py (modified) (2 diffs)
• django/trunk/django/contrib/databrowse/datastructures.py (modified) (6 diffs)
• django/trunk/django/contrib/databrowse/plugins/calendars.py (modified) (2 diffs)
• django/trunk/django/contrib/databrowse/plugins/fieldchoices.py (modified) (2 diffs)
• django/trunk/django/contrib/databrowse/sites.py (modified) (2 diffs)
• django/trunk/django/contrib/flatpages/views.py (modified) (2 diffs)
• django/trunk/django/contrib/humanize/templatetags/humanize.py (modified) (4 diffs)
• django/trunk/django/contrib/markup/templatetags/markup.py (modified) (4 diffs)
• django/trunk/django/contrib/markup/tests.py (modified) (2 diffs)
• django/trunk/django/contrib/sitemaps/templates/sitemap_index.xml (modified) (1 diff)
• django/trunk/django/contrib/sitemaps/templates/sitemap.xml (modified) (2 diffs)
• django/trunk/django/newforms/forms.py (modified) (4 diffs)
• django/trunk/django/newforms/util.py (modified) (3 diffs)
• django/trunk/django/newforms/widgets.py (modified) (14 diffs)
• django/trunk/django/oldforms/__init__.py (modified) (13 diffs)
• django/trunk/django/template/context.py (modified) (2 diffs)
• django/trunk/django/template/defaultfilters.py (modified) (48 diffs)
• django/trunk/django/template/defaulttags.py (modified) (4 diffs)
• django/trunk/django/template/__init__.py (modified) (11 diffs)
• django/trunk/django/utils/encoding.py (modified) (2 diffs)
• django/trunk/django/utils/html.py (modified) (5 diffs)
• django/trunk/django/utils/safestring.py (added)
• django/trunk/django/views/debug.py (modified) (14 diffs)
• django/trunk/docs/templates_python.txt (modified) (7 diffs)
• django/trunk/docs/templates.txt (modified) (7 diffs)
• django/trunk/tests/regressiontests/defaultfilters/tests.py (modified) (1 diff)
• django/trunk/tests/regressiontests/forms/forms.py (modified) (1 diff)
• django/trunk/tests/regressiontests/forms/tests.py (modified) (1 diff)
• django/trunk/tests/regressiontests/humanize/tests.py (modified) (2 diffs)
• django/trunk/tests/regressiontests/templates/filters.py (added)
• django/trunk/tests/regressiontests/templates/tests.py (modified) (5 diffs)

django/trunk/django/contrib/admin/filterspecs.py

@@ -10 +10 @@
-from django.utils.encoding import smart_unicode, iri_to_uri
-from django.utils.translation import ugettext as _
+from django.utils.html import escape
+from django.utils.safestring import mark_safe
-import datetime
-
@@ -40 +42 @@
-        t = []
-        if self.has_output():
-self.title(
+escape(self.title()
-
-            for choice in self.choices(cl):
@@ -48 +50 @@
-                     choice['display']))
-            t.append('</ul>\n\n')
-"".join(t
+mark_safe("".join(t)
-
-class RelatedFilterSpec(FilterSpec):

django/trunk/django/contrib/admin/models.py

@@ -4 +4 @@
-from django.utils.translation import ugettext_lazy as _
-from django.utils.encoding import smart_unicode
+from django.utils.safestring import mark_safe
-
-ADDITION = 1
@@ -50 +51 @@
-        This is relative to the Django admin index page.
-        """
-u"%s/%s/%s/" % (self.content_type.app_label, self.content_type.model, self.object_id
+mark_safe(u"%s/%s/%s/" % (self.content_type.app_label, self.content_type.model, self.object_id)

django/trunk/django/contrib/admin/templates/admin/base_site.html

@@ -2 +2 @@
-{% load i18n %}
-
-|escape
+
-
-{% block branding %}

django/trunk/django/contrib/admin/templates/admin/change_form.html

@@ -11 +11 @@
-<div class="breadcrumbs">
-     <a href="../../../">{% trans "Home" %}</a> &rsaquo;
-|escape
-|escape }}{% else %}{{ original|truncatewords:"18"|escape
+
+ }}{% else %}{{ original|truncatewords:"18"
-</div>
-{% endif %}{% endblock %}

django/trunk/django/contrib/admin/templates/admin/date_hierarchy.html

@@ -2 +2 @@
-<div class="xfull">
-<ul class="toplinks">
-|escape
+
-{% for choice in choices %}
-|escape
+
-{% endfor %}
-</ul><br class="clear" />

django/trunk/django/contrib/admin/templates/admin/delete_confirmation.html

@@ -4 +4 @@
-<div class="breadcrumbs">
-     <a href="../../../../">{% trans "Home" %}</a> &rsaquo;
-|escape
+
-     <a href="../">{{ object|escape|truncatewords:"18" }}</a> &rsaquo;
-     {% trans 'Delete' %}
@@ -14 +14 @@
-    <ul>
-    {% for obj in perms_lacking %}
-|escape
+
-    {% endfor %}
-    </ul>

django/trunk/django/contrib/admin/templates/admin_doc/model_detail.html

@@ -9 +9 @@
-{% endblock %}
-
-|escape
+
-
-|escape
+
-
-{% block content %}
-<div id="content-main">
-|escape
+
-
-{% if description %}
-escape|
+
-{% endif %}
-

django/trunk/django/contrib/admin/templates/admin/edit_inline_stacked.html

@@ -2 +2 @@
-<fieldset class="module aligned">
-   {% for fcw in bound_related_object.form_field_collection_wrappers %}
-|escape
+
-      {% if bound_related_object.show_url %}{% if fcw.obj.original %}
-      <p><a href="/r/{{ fcw.obj.original.content_type_id }}/{{ fcw.obj.original.id }}/">View on site</a></p>

django/trunk/django/contrib/admin/templates/admin/edit_inline_tabular.html

@@ -1 +1 @@
-{% load admin_modify %}
-<fieldset class="module">
-|escape
+
-   <thead><tr>
-   {% for fw in bound_related_object.field_wrapper_list %}
-      {% if fw.needs_header %}
-|escape
+
-      {% endif %}
-   {% endfor %}

django/trunk/django/contrib/admin/templates/admin/index.html

@@ -20 +20 @@
-            <tr>
-            {% if model.perms.change %}
-|escape
+
-            {% else %}
-|escape
+
-            {% endif %}
-
@@ -59 +59 @@
-            <ul class="actionlist">
-            {% for entry in admin_log %}
-|escape
+
-            {% endfor %}
-            </ul>

django/trunk/django/contrib/admin/templates/admin/invalid_setup.html

@@ -2 +2 @@
-{% load i18n %}
-
-|escape
+
-
-{% block content %}

django/trunk/django/contrib/admin/templates/admin/object_history.html

@@ -2 +2 @@
-{% load i18n %}
-{% block breadcrumbs %}
-|escape }}</a> &rsaquo; <a href="../">{{ object|escape
+ }}</a> &rsaquo; <a href="../">{{ object
-{% endblock %}
-
@@ -24 +24 @@
-        <tr>
-            <th scope="row">{{ action.action_time|date:_("DATE_WITH_TIME_FULL") }}</th>
-|escape }} {{ action.user.last_name|escap
-|escape
+ }} {{ action.user.last_nam
+
-        </tr>
-        {% endfor %}

django/trunk/django/contrib/admin/templates/admin/pagination.html

@@ -7 +7 @@
-{% endfor %}
-{% endif %}
-|escape
+
-{% if show_all_url %}&nbsp;&nbsp;<a href="{{ show_all_url }}" class="showall">{% trans 'Show all' %}</a>{% endif %}
-</p>

django/trunk/django/contrib/admin/templates/widget/foreign.html

@@ -16 +16 @@
-    {% endif %}
-    {% if bound_field.raw_id_admin %}
-|escape
+
-    {% endif %}
-{% endif %}

django/trunk/django/contrib/admin/templates/widget/one_to_one.html

@@ -1 +1 @@
-{% if add %}{% include "widget/foreign.html" %}{% endif %}
-|escape
+

django/trunk/django/contrib/admin/templatetags/adminapplist.py

@@ -2 +2 @@
-from django.db.models import get_models
-from django.utils.encoding import force_unicode
+from django.utils.safestring import mark_safe
-
-register = template.Library()
@@ -39 +40 @@
-                            model_list.append({
-                                'name': force_unicode(capfirst(m._meta.verbose_name_plural)),
-u'%s/%s/' % (force_unicode(app_label), m.__name__.lower(
+mark_safe(u'%s/%s/' % (force_unicode(app_label), m.__name__.lower()
-                                'perms': perms,
-                            })

django/trunk/django/contrib/admin/templatetags/admin_list.py

@@ -5 +5 @@
-from django.db import models
-from django.utils import dateformat
-
+, conditional_escape
-from django.utils.text import capfirst
+from django.utils.safestring import mark_safe
-from django.utils.translation import get_date_formats, get_partial_date_formats, ugettext as _
-from django.utils.encoding import smart_unicode, smart_str, force_unicode
@@ -20 +21 @@
-        return u'... '
-    elif i == cl.page_num:
-u'<span class="this-page">%d</span> ' % (i+1
+mark_safe(u'<span class="this-page">%d</span> ' % (i+1)
-    else:
-u'<a href="%s"%s>%d</a> ' % (cl.get_query_string({PAGE_VAR: i}), (i == cl.paginator.pages-1 and ' class="end"' or ''), i+1
+mark_safe(u'<a href="%s"%s>%d</a> ' % (cl.get_query_string({PAGE_VAR: i}), (i == cl.paginator.pages-1 and ' class="end"' or ''), i+1)
-paginator_number = register.simple_tag(paginator_number)
-
@@ -118 +119 @@
-def _boolean_icon(field_val):
-    BOOLEAN_MAPPING = {True: 'yes', False: 'no', None: 'unknown'}
-u'<img src="%simg/admin/icon-%s.gif" alt="%s" />' % (settings.ADMIN_MEDIA_PREFIX, BOOLEAN_MAPPING[field_val], field_val
+mark_safe(u'<img src="%simg/admin/icon-%s.gif" alt="%s" />' % (settings.ADMIN_MEDIA_PREFIX, BOOLEAN_MAPPING[field_val], field_val)
-
-def items_for_result(cl, result):
@@ -194 +195 @@
-            # Problem cases are long ints (23L) and non-ASCII strings.
-            result_id = repr(force_unicode(getattr(result, pk)))[1:]
-
-result_repr
-
-(u'<td%s>%s</td>' % (row_class, result_repr
+mark_safe
+conditional_escape(result_repr)
+
+mark_safe(u'<td%s>%s</td>' % (row_class, conditional_escape(result_repr)
-
-def results(cl):
@@ -221 +222 @@
-        year_month_format, month_day_format = get_partial_date_formats()
-
-cl.get_query_string(d, [field_generic]
+mark_safe(cl.get_query_string(d, [field_generic])
-
-        if year_lookup and month_lookup and day_lookup:

django/trunk/django/contrib/admin/templatetags/admin_modify.py

@@ -4 +4 @@
-from django.utils.text import capfirst
-from django.utils.encoding import force_unicode
+from django.utils.safestring import mark_safe
+from django.utils.html import escape
-from django.db import models
-from django.db.models.fields import Field
@@ -33 +35 @@
-    if not absolute_url_re.match(script_path):
-        script_path = '%s%s' % (settings.ADMIN_MEDIA_PREFIX, script_path)
-
+
+
-include_admin_script = register.simple_tag(include_admin_script)
-
@@ -64 +67 @@
-        colon = ":"
-    class_str = class_names and u' class="%s"' % u' '.join(class_names) or u''
-
-
+
+
+
+
-field_label = register.simple_tag(field_label)
-
@@ -194 +199 @@
-                     ' if(!e._changed) { e.value = URLify(%s, %s);} }; ' % (
-                     f, field.name, add_values, field.max_length))
-u''.join(t
+mark_safe(u''.join(t)
-auto_populated_field_script = register.simple_tag(auto_populated_field_script)
-
@@ -200 +205 @@
-    f = bound_field.field
-    if f.rel and isinstance(f.rel, models.ManyToManyRel) and f.rel.filter_interface:
-
+mark_safe(
-              ' SelectFilter.init("id_%s", "%s", %s, "%s"); });</script>\n' % (
-f.verbose_name.replace('"', '\\"'), f.rel.filter_interface-1, settings.ADMIN_MEDIA_PREFIX
+escape(f.verbose_name.replace('"', '\\"')), f.rel.filter_interface-1, settings.ADMIN_MEDIA_PREFIX)
-    else:
-        return ''

django/trunk/django/contrib/admin/utils.py

@@ -4 +4 @@
-from email.Parser import HeaderParser
-from email.Errors import HeaderParseError
+from django.utils.safestring import mark_safe
-try:
-    import docutils.core
@@ -67 +68 @@
-                destination_path=None, writer_name='html',
-                settings_overrides=overrides)
-parts['fragment']
+mark_safe(parts['fragment'])
-
-#

django/trunk/django/contrib/admin/views/decorators.py

@@ -5 +5 @@
-from django.shortcuts import render_to_response
-from django.utils.translation import ugettext_lazy, ugettext as _
+from django.utils.safestring import mark_safe
-import base64, datetime, md5
-import cPickle as pickle
@@ -23 +24 @@
-    return render_to_response('admin/login.html', {
-        'title': _('Log in'),
-request.path
+mark_safe(request.path)
-        'post_data': post_data,
-        'error_message': error_message

django/trunk/django/contrib/admin/views/doc.py

@@ -11 +11 @@
-from django.contrib.sites.models import Site
-from django.utils.translation import ugettext as _
+from django.utils.safestring import mark_safe
-import inspect, os, re
-
@@ -30 +31 @@
-    admin_root = request.path[:-len('doc/bookmarklets/')]
-    return render_to_response('admin_doc/bookmarklets.html', {
-"%s://%s%s" % (request.is_secure() and 'https' or 'http', request.get_host(), admin_root
+mark_safe("%s://%s%s" % (request.is_secure() and 'https' or 'http', request.get_host(), admin_root)
-    }, context_instance=RequestContext(request))
-bookmarklets = staff_member_required(bookmarklets)

django/trunk/django/contrib/admin/views/main.py

@@ -15 +15 @@
-from django.utils.encoding import force_unicode, smart_str
-from django.utils.translation import ugettext as _
+from django.utils.safestring import mark_safe
-import operator
-
@@ -137 +138 @@
-
-        if field.rel:
-
+
+
+
-
-    def original_value(self):
@@ -217 +220 @@
-        'ordered_objects': ordered_objects,
-        'inline_related_objects': inline_related_objects,
-form_url
+mark_safe(form_url)
-        'opts': opts,
-        'content_type_id': ContentType.objects.get_for_model(model).id,
@@ -437 +440 @@
-                    # Don't display link to edit, because it either has no
-                    # admin or is edited inline.
-u'%s: %s' % (force_unicode(capfirst(related.opts.verbose_name)), sub_obj
+mark_safe(u'%s: %s' % (force_unicode(capfirst(related.opts.verbose_name)), sub_obj)
-                else:
-                    # Display a link to the admin page.
-
-
-
+
+
+
+
+
-                _get_deleted_objects(deleted_objects, perms_needed, user, sub_obj, related.opts, current_depth+2)
-        else:
@@ -454 +459 @@
-                else:
-                    # Display a link to the admin page.
-
-force_unicode(capfirst(related.opts.verbose_name)), related.opts.app_label, related.opts.object_name.lower(), sub_obj._get_pk_val(), escape(sub_obj
+mark_safe(
+escape(force_unicode(capfirst(related.opts.verbose_name))), related.opts.app_label, related.opts.object_name.lower(), sub_obj._get_pk_val(), escape(sub_obj)
-                _get_deleted_objects(deleted_objects, perms_needed, user, sub_obj, related.opts, current_depth+2)
-            # If there were related objects, and the user doesn't have
@@ -486 +491 @@
-                    # Display a link to the admin page.
-                    nh(deleted_objects, current_depth, [
-(_('One or more %(fieldname)s in %(name)s:') % {'fieldname': force_unicode(related.field.verbose_name), 'name': force_unicode(related.opts.verbose_name
+mark_safe((_('One or more %(fieldname)s in %(name)s:') % {'fieldname': escape(force_unicode(related.field.verbose_name)), 'name': escape(force_unicode(related.opts.verbose_name)
-                        (u' <a href="../../../../%s/%s/%s/">%s</a>' % \
-
+)
-        # If there were related objects, and the user doesn't have
-        # permission to change them, add the missing perm to perms_needed.
@@ -508 +513 @@
-    # Populate deleted_objects, a data structure of all related objects that
-    # will also be deleted.
-u'%s: <a href="../../%s/">%s</a>' % (force_unicode(capfirst(opts.verbose_name)), force_unicode(object_id), escape(obj
+mark_safe(u'%s: <a href="../../%s/">%s</a>' % (escape(force_unicode(capfirst(opts.verbose_name))), force_unicode(object_id), escape(obj)
-    perms_needed = set()
-    _get_deleted_objects(deleted_objects, perms_needed, request.user, obj, opts, 1)
@@ -605 +610 @@
-            elif v is not None:
-                p[k] = v
-'?' + '&amp;'.join([u'%s=%s' % (k, v) for k, v in p.items()]).replace(' ', '%20'
+mark_safe('?' + '&amp;'.join([u'%s=%s' % (k, v) for k, v in p.items()]).replace(' ', '%20')
-
-    def get_results(self, request):

django/trunk/django/contrib/csrf/middleware.py

@@ -8 +8 @@
-from django.conf import settings
-from django.http import HttpResponseForbidden
+from django.utils.safestring import mark_safe
-import md5
-import re
-import itertools
-
-'<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"><body><h1>403 Forbidden</h1><p>Cross Site Request Forgery detected. Request aborted.</p></body></html>'
+mark_safe('<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"><body><h1>403 Forbidden</h1><p>Cross Site Request Forgery detected. Request aborted.</p></body></html>')
-
-_POST_FORM_RE = \
@@ -83 +84 @@
-            def add_csrf_field(match):
-                """Returns the matched <form> tag plus the added <input> element"""
-
+rk_safe(ma
-                "<input type='hidden' " + idattributes.next() + \
-                " name='csrfmiddlewaretoken' value='" + csrf_token + \
-
+)
-
-            # Modify any POST forms

django/trunk/django/contrib/databrowse/datastructures.py

@@ -9 +9 @@
-from django.utils.translation import get_date_formats
-from django.utils.encoding import smart_unicode, smart_str, iri_to_uri
+from django.utils.safestring import mark_safe
-from django.db.models.query import QuerySet
-
@@ -29 +30 @@
-
-    def url(self):
-'%s%s/%s/' % (self.site.root_url, self.model._meta.app_label, self.model._meta.module_name
+mark_safe('%s%s/%s/' % (self.site.root_url, self.model._meta.app_label, self.model._meta.module_name)
-
-    def objects(self, **kwargs):
@@ -69 +70 @@
-    def url(self):
-        if self.field.choices:
-'%s%s/%s/%s/' % (self.model.site.root_url, self.model.model._meta.app_label, self.model.model._meta.module_name, self.field.name
+mark_safe('%s%s/%s/%s/' % (self.model.site.root_url, self.model.model._meta.app_label, self.model.model._meta.module_name, self.field.name)
-        elif self.field.rel:
-'%s%s/%s/' % (self.model.site.root_url, self.model.model._meta.app_label, self.model.model._meta.module_name
+mark_safe('%s%s/%s/' % (self.model.site.root_url, self.model.model._meta.app_label, self.model.model._meta.module_name)
-
-class EasyChoice(object):
@@ -82 +83 @@
-
-    def url(self):
-'%s%s/%s/%s/%s/' % (self.model.site.root_url, self.model.model._meta.app_label, self.model.model._meta.module_name, self.field.field.name, iri_to_uri(self.value
+mark_safe('%s%s/%s/%s/%s/' % (self.model.site.root_url, self.model.model._meta.app_label, self.model.model._meta.module_name, self.field.field.name, iri_to_uri(self.value)
-
-class EasyInstance(object):
@@ -185 +186 @@
-                lst = []
-                for value in self.values():
-'%s%s/%s/objects/%s/' % (self.model.site.root_url, m.model._meta.app_label, m.model._meta.module_name, iri_to_uri(value._get_pk_val(
+mark_safe('%s%s/%s/objects/%s/' % (self.model.site.root_url, m.model._meta.app_label, m.model._meta.module_name, iri_to_uri(value._get_pk_val()
-                    lst.append((smart_unicode(value), url))
-            else:
@@ -192 +193 @@
-            lst = []
-            for value in self.values():
-'%s%s/%s/fields/%s/%s/' % (self.model.site.root_url, self.model.model._meta.app_label, self.model.model._meta.module_name, self.field.name, iri_to_uri(self.raw_value
+mark_safe('%s%s/%s/fields/%s/%s/' % (self.model.site.root_url, self.model.model._meta.app_label, self.model.model._meta.module_name, self.field.name, iri_to_uri(self.raw_value)
-                lst.append((value, url))
-        elif isinstance(self.field, models.URLField):

django/trunk/django/contrib/databrowse/plugins/calendars.py

@@ -6 +6 @@
-from django.utils.text import capfirst
-from django.utils.translation import get_date_formats
+from django.utils.encoding import force_unicode
+from django.utils.safestring import mark_safe
-from django.views.generic import date_based
-from django.utils.encoding import force_unicode
-import datetime
-import time
@@ -30 +31 @@
-        if not fields:
-            return u''
-
-
+mark_safe(
+)
-
-    def urls(self, plugin_name, easy_instance_field):
-        if isinstance(easy_instance_field.field, models.DateField):
-
+
+
-                plugin_name, easy_instance_field.field.name,
-                easy_instance_field.raw_value.year,
-                easy_instance_field.raw_value.strftime('%b').lower(),
-
+)
-
-    def model_view(self, request, model_databrowse, url):

django/trunk/django/contrib/databrowse/plugins/fieldchoices.py

@@ -6 +6 @@
-from django.utils.text import capfirst
-from django.utils.encoding import smart_str, force_unicode
+from django.utils.safestring import mark_safe
-from django.views.generic import date_based
-import datetime
@@ -33 +34 @@
-        if not fields:
-            return u''
-
-
+mark_safe(
+)
-
-    def urls(self, plugin_name, easy_instance_field):
-        if easy_instance_field.field in self.field_dict(easy_instance_field.model.model).values():
-            field_value = smart_str(easy_instance_field.raw_value)
-
+
+
-                plugin_name, easy_instance_field.field.name,
-
+)
-
-    def model_view(self, request, model_databrowse, url):

django/trunk/django/contrib/databrowse/sites.py

@@ -3 +3 @@
-from django.contrib.databrowse.datastructures import EasyModel, EasyChoice
-from django.shortcuts import render_to_response
+from django.utils.safestring import mark_safe
-
-class AlreadyRegistered(Exception):
@@ -61 +62 @@
-    def main_view(self, request):
-        easy_model = EasyModel(self.site, self.model)
-u'\n'.join([p.model_index_html(request, self.model, self.site) for p in self.plugins.values()]
+mark_safe(u'\n'.join([p.model_index_html(request, self.model, self.site) for p in self.plugins.values()])
-        return render_to_response('databrowse/model_detail.html', {
-            'model': easy_model,

django/trunk/django/contrib/flatpages/views.py

@@ -5 +5 @@
-from django.conf import settings
-from django.core.xheaders import populate_xheaders
+from django.utils.safestring import mark_safe
-
-DEFAULT_TEMPLATE = 'flatpages/default.html'
@@ -31 +32 @@
-    else:
-        t = loader.get_template(DEFAULT_TEMPLATE)
+
+    # To avoid having to always use the "|safe" filter in flatpage templates,
+    # mark the title and content as already safe (since they are raw HTML
+    # content in the first place).
+    f.title = mark_safe(f.title)
+    f.content = mark_safe(f.content)
+
-    c = RequestContext(request, {
-        'flatpage': f,

django/trunk/django/contrib/humanize/templatetags/humanize.py

@@ -22 +22 @@
-        return u"%d%s" % (value, t[0])
-    return u'%d%s' % (value, t[value % 10])
+ordinal.is_safe = True
-register.filter(ordinal)
-
@@ -35 +36 @@
-    else:
-        return intcomma(new)
+intcomma.is_safe = True
-register.filter(intcomma)
-
@@ -56 +58 @@
-        return ungettext('%(value).1f trillion', '%(value).1f trillion', new_value) % {'value': new_value}
-    return value
+intword.is_safe = False
-register.filter(intword)
-
@@ -70 +73 @@
-        return value
-    return (_('one'), _('two'), _('three'), _('four'), _('five'), _('six'), _('seven'), _('eight'), _('nine'))[value-1]
+apnumber.is_safe = True
-register.filter(apnumber)
-

django/trunk/django/contrib/markup/templatetags/markup.py

@@ -18 +18 @@
-from django.conf import settings
-from django.utils.encoding import smart_str, force_unicode
+from django.utils.safestring import mark_safe
-
-register = template.Library()
@@ -29 +30 @@
-        return force_unicode(value)
-    else:
-
+
+
-
-def markdown(value):
@@ -39 +41 @@
-        return force_unicode(value)
-    else:
-
+
+
-
-def restructuredtext(value):
@@ -51 +54 @@
-        docutils_settings = getattr(settings, "RESTRUCTUREDTEXT_FILTER_SETTINGS", {})
-        parts = publish_parts(source=smart_str(value), writer_name="html4css1", settings_overrides=docutils_settings)
-
+
+
-
-register.filter(textile)

django/trunk/django/contrib/markup/tests.py

@@ -1 +1 @@
-# Quick tests for the markup templatetags (django.contrib.markup)
-
-from django.template import Template, Context, add_to_builtins
-import re
-import unittest
+
+from django.template import Template, Context, add_to_builtins
+from django.utils.html import escape
-
-add_to_builtins('django.contrib.markup.templatetags.markup')
@@ -25 +27 @@
-<p>Paragraph 2 with &#8220;quotes&#8221; and <code>code</code></p>""")
-        else:
-textile_content
+escape(textile_content)
-
-    def test_markdown(self):

django/trunk/django/contrib/sitemaps/templates/sitemap_index.xml

@@ -1 @@
-
+{% autoescape off %}
-<sitemapindex xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
-{% for location in sitemaps %}<sitemap><loc>{{ location|escape }}</loc></sitemap>{% endfor %}
-</sitemapindex>
+{% endautoescape %}

django/trunk/django/contrib/sitemaps/templates/sitemap.xml

@@ -1 @@
-
+{% autoescape off %}
-<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
-{% spaceless %}
@@ -12 +12 @@
-{% endspaceless %}
-</urlset>
+{% endautoescape %}

django/trunk/django/newforms/forms.py

@@ -8 +8 @@
-from django.utils.html import escape
-from django.utils.encoding import StrAndUnicode, smart_unicode, force_unicode
+from django.utils.safestring import mark_safe
-
-from fields import Field
@@ -119 +120 @@
-                if bf.label:
-                    label = escape(force_unicode(bf.label))
-
+
+
-                    if self.label_suffix:
-                        if label[-1] not in ':?.!':
@@ -137 +139 @@
-            if output:
-                last_row = output[-1]
-
+
+
-                output[-1] = last_row[:-len(row_ender)] + str_hidden + row_ender
-
+
+
+
-                output.append(str_hidden)
-u'\n'.join(output
+mark_safe(u'\n'.join(output)
-
-    def as_table(self):
@@ -304 +309 @@
-            attrs = attrs and flatatt(attrs) or ''
-            contents = '<label for="%s"%s>%s</label>' % (widget.id_for_label(id_), attrs, contents)
-contents
+mark_safe(contents)
-
-    def _is_hidden(self):

django/trunk/django/newforms/util.py

@@ -2 +2 @@
-from django.utils.encoding import smart_unicode, StrAndUnicode, force_unicode
-from django.utils.functional import Promise
+from django.utils.safestring import mark_safe
-
-def flatatt(attrs):
@@ -23 +24 @@
-    def as_ul(self):
-        if not self: return u''
-
+
+
+
-
-    def as_text(self):
@@ -37 +40 @@
-    def as_ul(self):
-        if not self: return u''
-
+
+
-
-    def as_text(self):

django/trunk/django/newforms/widgets.py

@@ -15 +15 @@
-from django.utils.translation import ugettext
-from django.utils.encoding import StrAndUnicode, force_unicode
+from django.utils.safestring import mark_safe
-from util import flatatt
-
@@ -87 +88 @@
-        if value is None: value = ''
-        final_attrs = self.build_attrs(attrs, type=self.input_type, name=name)
-
-
+
+
+
+
-
-class TextInput(Input):
@@ -121 +124 @@
-        if value is None: value = []
-        final_attrs = self.build_attrs(attrs, type=self.input_type, name=name)
-
+
+
+
-
-    def value_from_datadict(self, data, files, name):
@@ -150 +155 @@
-        value = force_unicode(value)
-        final_attrs = self.build_attrs(attrs, name=name)
-
+
+
-
-class DateTimeInput(Input):
@@ -184 +190 @@
-            final_attrs['checked'] = 'checked'
-        if value not in ('', True, False, None):
-
-
+
+
+
-
-    def value_from_datadict(self, data, files, name):
@@ -206 +213 @@
-        final_attrs = self.build_attrs(attrs, name=name)
-        output = [u'<select%s>' % flatatt(final_attrs)]
-
+
+
-        for option_value, option_label in chain(self.choices, choices):
-            option_value = force_unicode(option_value)
@@ -212 +220 @@
-            output.append(u'<option value="%s"%s>%s</option>' % (escape(option_value), selected_html, escape(force_unicode(option_label))))
-        output.append(u'</select>')
-u'\n'.join(output
+mark_safe(u'\n'.join(output)
-
-class NullBooleanSelect(Select):
@@ -249 +257 @@
-            output.append(u'<option value="%s"%s>%s</option>' % (escape(option_value), selected_html, escape(force_unicode(option_label))))
-        output.append(u'</select>')
-u'\n'.join(output
+mark_safe(u'\n'.join(output)
-
-    def value_from_datadict(self, data, files, name):
@@ -270 +278 @@
-
-    def __unicode__(self):
-
+
+
-
-    def is_checked(self):
@@ -281 +290 @@
-        if self.is_checked():
-            final_attrs['checked'] = 'checked'
-u'<input%s />' % flatatt(final_attrs
+mark_safe(u'<input%s />' % flatatt(final_attrs)
-
-class RadioFieldRenderer(StrAndUnicode):
@@ -305 +314 @@
-    def render(self):
-        """Outputs a <ul> for this set of radio fields."""
-
+
+
-
-class RadioSelect(Select):
@@ -342 +352 @@
-        final_attrs = self.build_attrs(attrs, name=name)
-        output = [u'<ul>']
-
+
+
-        for i, (option_value, option_label) in enumerate(chain(self.choices, choices)):
-            # If an ID attribute was given, add a numeric index as a suffix,
@@ -353 +364 @@
-            output.append(u'<li><label>%s %s</label></li>' % (rendered_cb, escape(force_unicode(option_label))))
-        output.append(u'</ul>')
-u'\n'.join(output
+mark_safe(u'\n'.join(output)
-
-    def id_for_label(self, id_):
@@ -451 +462 @@
-            return [value.date(), value.time().replace(microsecond=0)]
-        return [None, None]
+

django/trunk/django/oldforms/__init__.py

@@ -2 +2 @@
-from django.core.exceptions import PermissionDenied
-from django.utils.html import escape
+from django.utils.safestring import mark_safe
-from django.conf import settings
-from django.utils.translation import ugettext, ungettext
@@ -190 +191 @@
-    def html_error_list(self):
-        if self.errors():
-'<ul class="errorlist"><li>%s</li></ul>' % '</li><li>'.join([escape(e) for e in self.errors()]
+mark_safe('<ul class="errorlist"><li>%s</li></ul>' % '</li><li>'.join([escape(e) for e in self.errors()])
-        else:
-''
+mark_safe('')
-
-    def get_id(self):
@@ -227 +228 @@
-
-    def html_combined_error_list(self):
-''.join([field.html_error_list() for field in self.formfield_dict.values() if hasattr(field, 'errors')]
+mark_safe(''.join([field.html_error_list() for field in self.formfield_dict.values() if hasattr(field, 'errors')])
-
-class InlineObjectCollection(object):
@@ -419 +420 @@
-        if self.max_length:
-            max_length = u'maxlength="%s" ' % self.max_length
-
+mark_safe(
-            (self.input_type, self.get_id(), self.__class__.__name__, self.is_required and u' required' or '',
-
+)
-
-    def html2python(data):
@@ -443 +444 @@
-        if data is None:
-            data = ''
-
+mark_safe(
-            (self.get_id(), self.__class__.__name__, self.is_required and u' required' or u'',
-
+)
-
-class HiddenField(FormField):
@@ -454 +455 @@
-
-    def render(self, data):
-
-
+mark_safe(
+)
-
-class CheckboxField(FormField):
@@ -469 +470 @@
-        if data or (data is '' and self.checked_by_default):
-            checked_html = ' checked="checked"'
-
+mark_safe(
-            (self.get_id(), self.__class__.__name__,
-
+)
-
-    def html2python(data):
@@ -503 +504 @@
-            output.append(u'    <option value="%s"%s>%s</option>' % (escape(value), selected_html, force_unicode(escape(display_name))))
-        output.append(u'  </select>')
-u'\n'.join(output
+mark_safe(u'\n'.join(output)
-
-    def isValidChoice(self, data, form):
@@ -557 +558 @@
-                output.extend([u'<li>%s %s</li>' % (d['field'], d['label']) for d in self.datalist])
-                output.append(u'</ul>')
-u''.join(output
+mark_safe(u''.join(output)
-            def __iter__(self):
-                for d in self.datalist:
@@ -572 +573 @@
-                'value': value,
-                'name': display_name,
-
-
-
+mark_safe(
+)
+mark_safe(
-                    (self.get_id() + u'_' + unicode(i), display_name),
-
+)
-        return RadioFieldRenderer(datalist, self.ul_class)
-
@@ -615 +616 @@
-            output.append(u'    <option value="%s"%s>%s</option>' % (escape(value), selected_html, force_unicode(escape(choice))))
-        output.append(u'  </select>')
-u'\n'.join(output
+mark_safe(u'\n'.join(output)
-
-    def isValidChoice(self, field_data, all_data):
@@ -668 +669 @@
-                self.get_id() + escape(value), choice))
-        output.append(u'</ul>')
-u'\n'.join(output
+mark_safe(u'\n'.join(output)
-
-####################
@@ -689 +690 @@
-
-    def render(self, data):
-
-
+mark_safe(
+)
-
-    def html2python(data):

django/trunk/django/template/context.py

@@ -10 +10 @@
-class Context(object):
-    "A stack container for variable context"
-
+
+
-        dict_ = dict_ or {}
-        self.dicts = [dict_]
+        self.autoescape = autoescape
-
-    def __repr__(self):
@@ -98 +100 @@
-        for processor in get_standard_processors() + processors:
-            self.update(processor(request))
+

django/trunk/django/template/defaultfilters.py

@@ -8 +8 @@
-from django.utils.translation import ugettext, ungettext
-from django.utils.encoding import force_unicode, iri_to_uri
+from django.utils.safestring import mark_safe, SafeData
-
-register = Library()
@@ -30 +31 @@
-    # arguments by the template parser).
-    _dec._decorated_function = getattr(func, '_decorated_function', func)
+    for attr in ('is_safe', 'needs_autoescape'):
+        if hasattr(func, attr):
+            setattr(_dec, attr, getattr(func, attr))
-    return _dec
-
@@ -40 +44 @@
-    """Adds slashes - useful for passing strings to JavaScript, for example."""
-    return value.replace('\\', '\\\\').replace('"', '\\"').replace("'", "\\'")
+addslashes.is_safe = True
-addslashes = stringfilter(addslashes)
-
@@ -45 +50 @@
-    """Capitalizes the first character of the value."""
-    return value and value[0].upper() + value[1:]
+capfirst.is_safe=True
-capfirst = stringfilter(capfirst)
-
@@ -51 +57 @@
-    from django.utils.html import fix_ampersands
-    return fix_ampersands(value)
+fix_ampersands.is_safe=True
-fix_ampersands = stringfilter(fix_ampersands)
-
@@ -91 +98 @@
-    m = f - int(f)
-    if not m and d < 0:
-u'%d' % int(f
+mark_safe(u'%d' % int(f)
-    else:
-        formatstr = u'%%.%df' % abs(d)
-
+
+
-
-def iriencode(value):
@@ -101 +109 @@
-iriencode = stringfilter(iriencode)
-
-
+, autoescape=None
-    """Displays text with line numbers."""
-    from django.utils.html import escape
-    lines = value.split(u'\n')
-    # Find the maximum width of the line count, for use with zero padding
-.
+
-    width = unicode(len(unicode(len(lines))))
-
-
-
+
+
+
+
+
+
+
+
+
-linenumbers = stringfilter(linenumbers)
-
@@ -116 +130 @@
-    """Converts a string into all lowercase."""
-    return value.lower()
+lower.is_safe = True
-lower = stringfilter(lower)
-
@@ -126 +141 @@
-    """
-    return list(value)
+make_list.is_safe = False
-make_list = stringfilter(make_list)
-
@@ -136 +152 @@
-    value = unicodedata.normalize('NFKD', value).encode('ascii', 'ignore')
-    value = unicode(re.sub('[^\w\s-]', '', value).strip().lower())
-
+
+
-slugify = stringfilter(slugify)
-
@@ -153 +170 @@
-    except (ValueError, TypeError):
-        return u""
+stringformat.is_safe = True
-
-def title(value):
-    """Converts a string into titlecase."""
-    return re.sub("([a-z])'([A-Z])", lambda m: m.group(0).lower(), value.title())
+title.is_safe = True
-title = stringfilter(title)
-
@@ -171 +190 @@
-        return value # Fail silently.
-    return truncate_words(value, length)
+truncatewords.is_safe = True
-truncatewords = stringfilter(truncatewords)
-
@@ -185 +205 @@
-        return value # Fail silently.
-    return truncate_html_words(value, length)
+truncatewords_html.is_safe = True
-truncatewords_html = stringfilter(truncatewords_html)
-
@@ -190 +211 @@
-    """Converts a string into all uppercase."""
-    return value.upper()
+upper.is_safe = False
-upper = stringfilter(upper)
-
@@ -196 +218 @@
-    from django.utils.http import urlquote
-    return urlquote(value)
+urlencode.is_safe = False
-urlencode = stringfilter(urlencode)
-
-
+, autoescape=None
-    """Converts URLs in plain text into clickable links."""
-    from django.utils.html import urlize
-
+
+
+
-urlize = stringfilter(urlize)
-
@@ -212 +237 @@
-    """
-    from django.utils.html import urlize
-
+
+
-urlizetrunc = stringfilter(urlizetrunc)
-
@@ -218 +244 @@
-    """Returns the number of words."""
-    return len(value.split())
+wordcount.is_safe = False
-wordcount = stringfilter(wordcount)
-
@@ -228 +255 @@
-    from django.utils.text import wrap
-    return wrap(value, int(arg))
+wordwrap.is_safe = True
-wordwrap = stringfilter(wordwrap)
-
@@ -237 +265 @@
-    """
-    return value.ljust(int(arg))
+ljust.is_safe = True
-ljust = stringfilter(ljust)
-
@@ -246 +275 @@
-    """
-    return value.rjust(int(arg))
+rjust.is_safe = True
-rjust = stringfilter(rjust)
-
@@ -251 +281 @@
-    """Centers the value in a field of a given width."""
-    return value.center(int(arg))
+center.is_safe = True
-center = stringfilter(center)
-
-def cut(value, arg):
-
-
+
+
+
+
+
+
+
+
-cut = stringfilter(cut)
-
@@ -263 +300 @@
-
-def escape(value):
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-    from django.utils.html import escape
-escape(value
+mark_safe(escape(value)
-escape = stringfilter(escape)
-
-
+
+
+
-    """
-    Replaces line breaks in plain text with appropriate HTML; a single
@@ -275 +326 @@
-    """
-    from django.utils.html import linebreaks
-
+
+
+
+
-linebreaks = stringfilter(linebreaks)
-
-
+, autoescape=None
-    """
-    Converts all newlines in a piece of plain text to HTML line breaks
-    (``<br />``).
-    """
-
+
+
+
+
+
+
-linebreaksbr = stringfilter(linebreaksbr)
+
+def safe(value):
+    """
+    Marks the value as a string that should not be auto-escaped.
+    """
+    from django.utils.safestring import mark_safe
+    return mark_safe(value)
+safe.is_safe = True
+safe = stringfilter(safe)
-
-def removetags(value, tags):
@@ -295 +363 @@
-    value = endtag_re.sub(u'', value)
-    return value
+removetags.is_safe = True
-removetags = stringfilter(removetags)
-
@@ -301 +370 @@
-    from django.utils.html import strip_tags
-    return strip_tags(value)
+striptags.is_safe = True
-striptags = stringfilter(striptags)
-
@@ -316 +386 @@
-    decorated.sort()
-    return [item[1] for item in decorated]
+dictsort.is_safe = False
-
-def dictsortreversed(value, arg):
@@ -327 +398 @@
-    decorated.reverse()
-    return [item[1] for item in decorated]
+dictsortreversed.is_safe = False
-
-def first(value):
@@ -334 +406 @@
-    except IndexError:
-        return u''
+first.is_safe = True
-
-def join(value, arg):
-    """Joins a list with a string, like Python's ``str.join(list)``."""
-    try:
-return
+data =
-    except AttributeError: # fail silently but nicely
-        return value
+    safe_args = reduce(lambda lhs, rhs: lhs and isinstance(rhs, SafeData),
+            value, True)
+    if safe_args:
+        return mark_safe(data)
+    else:
+        return data
+join.is_safe = True
-
-def length(value):
-    """Returns the length of the value - useful for lists."""
-    return len(value)
+length.is_safe = True
-
-def length_is(value, arg):
-    """Returns a boolean of whether the value's length is the argument."""
-    return len(value) == int(arg)
+length_is.is_safe = True
-
-def random(value):
-    """Returns a random item from the list."""
-    return random_module.choice(value)
+random.is_safe = True
-
-def slice_(value, arg):
@@ -373 +456 @@
-    except (ValueError, TypeError):
-        return value # Fail silently.
-
-
+
+
+
-    """
-    Recursively takes a self-nested list and returns an HTML unordered list --
@@ -395 +479 @@
-        </li>
-    """
+    if autoescape:
+        from django.utils.html import conditional_escape
+        escaper = conditional_escape
+    else:
+        escaper = lambda x: x
-    def convert_old_style_list(list_):
-        """
@@ -444 +533 @@
-                sublist = '\n%s<ul>\n%s\n%s</ul>\n%s' % (indent, sublist,
-                                                         indent, indent)
- force_unicode(title),
-                          
+
+escaper(force_unicode(title)),
-            i += 1
-        return '\n'.join(output)
-    value, converted = convert_old_style_list(value)
-
+
+
+
-
-###################
@@ -458 +549 @@
-    """Adds the arg to the value."""
-    return int(value) + int(arg)
+add.is_safe = False
-
-def get_digit(value, arg):
@@ -477 +569 @@
-    except IndexError:
-        return 0
+get_digit.is_safe = False
-
-###################
@@ -490 +583 @@
-        arg = settings.DATE_FORMAT
-    return format(value, arg)
+date.is_safe = False
-
-def time(value, arg=None):
@@ -499 +593 @@
-        arg = settings.TIME_FORMAT
-    return time_format(value, arg)
+time.is_safe = False
-
-def timesince(value, arg=None):
@@ -508 +603 @@
-        return timesince(arg, value)
-    return timesince(value)
+timesince.is_safe = False
-
-def timeuntil(value, arg=None):
@@ -518 +614 @@
-        return timesince(arg, value)
-    return timesince(datetime.now(), value)
+timeuntil.is_safe = False
-
-###################
@@ -526 +623 @@
-    """If value is unavailable, use given default."""
-    return value or arg
+default.is_safe = False
-
-def default_if_none(value, arg):
@@ -532 +630 @@
-        return arg
-    return value
+default_if_none.is_safe = False
-
-def divisibleby(value, arg):
-    """Returns True if the value is devisible by the argument."""
-    return int(value) % int(arg) == 0
+divisibleby.is_safe = False
-
-def yesno(value, arg=None):
@@ -567 +667 @@
-        return yes
-    return no
+yesno.is_safe = False
-
-###################
@@ -589 +690 @@
-        return ugettext("%.1f MB") % (bytes / (1024 * 1024))
-    return ugettext("%.1f GB") % (bytes / (1024 * 1024 * 1024))
+filesizeformat.is_safe = True
-
-def pluralize(value, arg=u's'):
@@ -595 +697 @@
-    the suffix:
-
-
-
-
+a
+a
+a
-
-    If an argument is provided, that string is used instead:
-
-
-
-
+a
+a
+a
-
-    If the provided argument contains a comma, the text before the comma is
@@ -609 +711 @@
-    plural case:
-
-
-
-
+a
+a
+a
-    """
-    if not u',' in arg:
@@ -632 +734 @@
-            pass
-    return singular_suffix
+pluralize.is_safe = False
-
-def phone2numeric(value):
@@ -637 +740 @@
-    from django.utils.text import phone2numeric
-    return phone2numeric(value)
+phone2numeric.is_safe = True
-
-def pprint(value):
@@ -645 +749 @@
-    except Exception, e:
-        return u"Error in formatting: %s" % force_unicode(e, errors="replace")
+pprint.is_safe = True
-
-# Syntax: register.filter(name of filter, callback)
@@ -663 +768 @@
-register.filter(fix_ampersands)
-register.filter(floatformat)
+register.filter(force_escape)
-register.filter(get_digit)
-register.filter(iriencode)
@@ -680 +786 @@
-register.filter(random)
-register.filter(rjust)
+register.filter(safe)
-register.filter('slice', slice_)
-register.filter(slugify)

django/trunk/django/template/defaulttags.py

@@ -15 +15 @@
-from django.utils.encoding import smart_str, smart_unicode
-from django.utils.itercompat import groupby
+from django.utils.safestring import mark_safe
-
-register = Library()
+
+class AutoEscapeControlNode(Node):
+    """Implements the actions of the autoescape tag."""
+    def __init__(self, setting, nodelist):
+        self.setting, self.nodelist = setting, nodelist
+
+    def render(self, context):
+        old_setting = context.autoescape
+        context.autoescape = self.setting
+        output = self.nodelist.render(context)
+        context.autoescape = old_setting
+        if self.setting:
+            return mark_safe(output)
+        else:
+            return output
-
-class CommentNode(Node):
@@ -394 +410 @@
-
-#@register.tag
+def autoescape(parser, token):
+    """
+    Force autoescape behaviour for this block.
+    """
+    args = token.contents.split()
+    if len(args) != 2:
+        raise TemplateSyntaxError("'Autoescape' tag requires exactly one argument.")
+    arg = args[1]
+    if arg not in (u'on', u'off'):
+        raise TemplateSyntaxError("'Autoescape' argument should be 'on' or 'off'")
+    nodelist = parser.parse(('endautoescape',))
+    parser.delete_first_token()
+    return AutoEscapeControlNode((arg == 'on'), nodelist)
+autoescape = register.tag(autoescape)
+
+#@register.tag
-def comment(parser, token):
-    """
@@ -493 +525 @@
-    Sample usage::
-
-
+force_
-            This text will be HTML-escaped, and will appear in lowercase.
-        {% endfilter %}
@@ -499 +531 @@
-    _, rest = token.contents.split(None, 1)
-    filter_expr = parser.compile_filter("var|%s" % (rest))
+    for func, unused in filter_expr.filters:
+        if getattr(func, '_decorated_function', func).__name__ in ('escape', 'safe'):
+            raise TemplateSyntaxError('"filter %s" is not permitted.  Use the "autoescape" tag instead.' % func.__name__)
-    nodelist = parser.parse(('endfilter',))
-    parser.delete_first_token()

django/trunk/django/template/__init__.py

@@ -58 +58 @@
-from django.utils.encoding import smart_unicode, force_unicode
-from django.utils.translation import ugettext as _
+from django.utils.safestring import SafeData, EscapeData, mark_safe, mark_for_escaping
+from django.utils.html import escape
-
-__all__ = ('Template', 'Context', 'RequestContext', 'compile_string')
@@ -596 +598 @@
-                else:
-                    arg_vals.append(arg.resolve(context))
-
+
+
+
+
+
+
+
+
+
+
-        return obj
-
@@ -638 +649 @@
-    Returns the resolved variable, which may contain attribute syntax, within
-    the given context.
-
+
-    Deprecated; use the Variable class instead.
-    """
@@ -648 +659 @@
-    a hard-coded string (if it begins and ends with single or double quote
-    marks)::
-
+
-        >>> c = {'article': {'section':'News'}}
-        >>> Variable('article.section').resolve(c)
@@ -663 +674 @@
-    (The example assumes VARIABLE_ATTRIBUTE_SEPARATOR is '.')
-    """
-
+
-    def __init__(self, var):
-        self.var = var
-        self.literal = None
-        self.lookups = None
-
+
-        try:
-            # First try to treat this variable as a number.
-            #
- 
+
-            # catching. Since this should only happen at compile time, that's
-            # probably OK.
-            self.literal = float(var)
-
+
-            # So it's a float... is it an int? If the original value contained a
-            # dot or an "e" then it was a float, not an int.
-            if '.' not in var and 'e' not in var.lower():
-                self.literal = int(self.literal)
-
+
-            # "2." is invalid
-            if var.endswith('.'):
@@ -692 +703 @@
-            if var[0] in "\"'" and var[0] == var[-1]:
-                self.literal = var[1:-1]
-
+
-            else:
-                # Otherwise we'll set self.lookups so that resolve() knows we're
-                # dealing with a bonafide variable
-                self.lookups = tuple(var.split(VARIABLE_ATTRIBUTE_SEPARATOR))
-
+
-    def resolve(self, context):
-        """Resolve this variable against a given context."""
@@ -706 +717 @@
-            # We're dealing with a literal, so it's already been "resolved"
-            return self.literal
-
+
-    def __repr__(self):
-        return "<%s: %r>" % (self.__class__.__name__, self.var)
-
+
-    def __str__(self):
-        return self.var
@@ -716 +727 @@
-        """
-        Performs resolution of a real variable (i.e. not a literal) against the
- 
-
+
+
-        As indicated by the method's name, this method is an implementation
-        detail and shouldn't be called by external code. Use Variable.resolve()
@@ -758 +769 @@
-                    else:
-                        raise
-
-
-
-
-
-
-
-
+
-        return current
-
@@ -839 +843 @@
-
-    def render(self, context):
-
+
+
+
+
+
+
+
+
+
+
-
-class DebugVariableNode(VariableNode):
-    def render(self, context):
-        try:
-return self.filter_expression.resolve(context
+output = force_unicode(self.filter_expression.resolve(context)
-        except TemplateSyntaxError, e:
-            if not hasattr(e, 'source'):
-                e.source = self.source
-            raise
+        except UnicodeDecodeError:
+            return ''
+        if (context.autoescape and not isinstance(output, SafeData)) or isinstance(output, EscapeData):
+            return escape(output)
+        else:
+            return output
-
-def generic_tag_compiler(params, defaults, name, node_class, parser, token):
@@ -962 +981 @@
-                            t = get_template(file_name)
-                        self.nodelist = t.nodelist
-
+
+
-
-            compile_func = curry(generic_tag_compiler, params, defaults, getattr(func, "_decorated_function", func).__name__, InclusionNode)

django/trunk/django/utils/encoding.py

@@ -4 +4 @@
-
-from django.utils.functional import Promise
+from django.utils.safestring import SafeData, mark_safe
-
-class DjangoUnicodeDecodeError(UnicodeDecodeError):
@@ -52 +53 @@
-                s = unicode(str(s), encoding, errors)
-        elif not isinstance(s, unicode):
-
+
+
+
+
-    except UnicodeDecodeError, e:
-        raise DjangoUnicodeDecodeError(s, *e.args)

django/trunk/django/utils/html.py

@@ -4 +4 @@
-import string
-
+from django.utils.safestring import SafeData, mark_safe
-from django.utils.encoding import force_unicode
-from django.utils.functional import allow_lazy
@@ -28 +29 @@
-def escape(html):
-    "Return the given HTML with ampersands, quotes and carets encoded."
-force_unicode(html).replace('&', '&amp;').replace('<', '&lt;').replace('>', '&gt;').replace('"', '&quot;').replace("'", '&#39;'
+mark_safe(force_unicode(html).replace('&', '&amp;').replace('<', '&lt;').replace('>', '&gt;').replace('"', '&quot;').replace("'", '&#39;')
-escape = allow_lazy(escape, unicode)
-
-
-
+
+
+
+
+
+
+
+
+
+
+
-    value = re.sub(r'\r\n|\r|\n', '\n', force_unicode(value)) # normalize newlines
-    paras = re.split('\n{2,}', value)
-
+
+
+
+
-    return u'\n\n'.join(paras)
-
+ 
-
-def strip_tags(value):
@@ -59 +72 @@
-fix_ampersands = allow_lazy(fix_ampersands, unicode)
-
-
+, autoescape=False
-    """
-    Convert any URLs in text into clickable links.
@@ -73 +86 @@
-    attribute.
-    """
-
+
+
+
+
+
-    words = word_split_re.split(force_unicode(text))
-    nofollow_attr = nofollow and ' rel="nofollow"' or ''
@@ -80 +97 @@
-        if match:
-            lead, middle, trail = match.groups()
+            if safe_input:
+                middle = mark_safe(middle)
-            if middle.startswith('www.') or ('@' not in middle and not middle.startswith('http://') and \
-                    len(middle) > 0 and middle[0] in string.letters + string.digits and \

django/trunk/django/views/debug.py

@@ -334 +334 @@
-</head>
-<body>
-
-<div id="summary">
-  <h1>{{ exception_type }} at {{ request.path|escape }}</h1>
@@ -396 +395 @@
-   <h2>Template error</h2>
-   <p>In template <code>{{ template_info.name }}</code>, error at line <strong>{{ template_info.line }}</strong></p>
-|escape
+
-   <table class="source{% if template_info.top %} cut-top{% endif %}{% ifnotequal template_info.bottom template_info.total %} cut-bottom{% endifnotequal %}">
-   {% for source_line in template_info.source_lines %}
@@ -414 +413 @@
-  <div class="commands"><a href="#" onclick="return switchPastebinFriendly(this);">Switch to copy-and-paste view</a></div>
-  <br/>
+  {% autoescape off %}
-  <div id="browserTraceback">
-    <ul class="traceback">
@@ -423 +423 @@
-            <div class="context" id="c{{ frame.id }}">
-              {% if frame.pre_context %}
-|escape
+
-              {% endif %}
-|escape
+
-              {% if frame.post_context %}
-|escape
+
-              {% endif %}
-            </div>
@@ -447 +447 @@
-                  <tr>
-                    <td>{{ var.0 }}</td>
-|escape
+
-                  </tr>
-                {% endfor %}
@@ -467 +467 @@
-  File "{{ frame.filename }}" in {{ frame.function }}<br/>
-  {% if frame.context_line %}
-|escape
+
-  {% endif %}
-{% endfor %}<br/>
@@ -477 +477 @@
-    </table>
-  </div>
+  {% endautoescape %}
-</div>
-
@@ -495 +496 @@
-          <tr>
-            <td>{{ var.0 }}</td>
-|escape
+
-          </tr>
-        {% endfor %}
@@ -517 +518 @@
-          <tr>
-            <td>{{ var.0 }}</td>
-|escape
+
-          </tr>
-        {% endfor %}
@@ -539 +540 @@
-          <tr>
-            <td>{{ var.0 }}</td>
-|escape
+
-          </tr>
-        {% endfor %}
@@ -560 +561 @@
-        <tr>
-          <td>{{ var.0 }}</td>
-|escape
+
-        </tr>
-      {% endfor %}
@@ -579 +580 @@
-        <tr>
-          <td>{{ var.0 }}</td>
-|escape
+
-        </tr>
-      {% endfor %}
@@ -594 +595 @@
-  </p>
-</div>
-
-</body>
-</html>
@@ -646 +646 @@
-      <ol>
-        {% for pattern in urlpatterns %}
-|escape
+
-        {% endfor %}
-      </ol>
-      <p>The current URL, <code>{{ request_path|escape }}</code>, didn't match any of these.</p>
-    {% else %}
-|escape
+
-    {% endif %}
-  </div>

django/trunk/docs/templates_python.txt

@@ -220 +220 @@
-    While ``TEMPLATE_STRING_IF_INVALID`` can be a useful debugging tool,
-    it is a bad idea to turn it on as a 'development default'.
-
+
-    Many templates, including those in the Admin site, rely upon the
-    silence of the template system when a non-existent variable is
@@ -226 +226 @@
-    ``TEMPLATE_STRING_IF_INVALID``, you will experience rendering
-    problems with these templates and sites.
-
+
-    Generally, ``TEMPLATE_STRING_IF_INVALID`` should only be enabled
-    in order to debug a specific template problem, then cleared
@@ -723 +723 @@
-will use the function's name as the filter name.
-
+Filters and auto-escaping
+~~~~~~~~~~~~~~~~~~~~~~~~~
+
+**New in Django development version**
+
+When you are writing a custom filter, you need to give some thought to how
+this filter will interact with Django's auto-escaping behaviour.  Firstly, you
+should realise that there are three types of strings that can be passed around
+inside the template code:
+
+ * raw strings are the native Python ``str`` or ``unicode`` types. On
+   output, they are escaped if auto-escaping is in effect and presented
+   unchanged, otherwise.
+
+ * "safe" strings are strings that are safe from further escaping at output
+   time. Any necessary escaping has already been done. They are commonly used
+   for output that contains raw HTML that is intended to be intrepreted on the
+   client side.
+
+   Internally, these strings are of type ``SafeString`` or ``SafeUnicode``,
+   although they share a common base class in ``SafeData``, so you can test
+   for them using code like::
+
+    if isinstance(value, SafeData):
+        # Do something with the "safe" string.
+
+ * strings which are marked as "needing escaping" are *always* escaped on
+   output, regardless of whether they are in an ``autoescape`` block or not.
+   These strings are only escaped once, however, even if auto-escaping
+   applies. This type of string is internally represented by the types
+   ``EscapeString`` and ``EscapeUnicode``. You will not normally need to worry
+   about these; they exist for the implementation of the ``escape`` filter.
+
+Inside your filter, you will need to think about three areas in order to be
+auto-escaping compliant:
+
+ 1. If your filter returns a string that is ready for direct output (it should
+    be considered a "safe" string), you should call
+    ``django.utils.safestring.mark_safe()`` on the result prior to returning.
+    This will turn the result into the appropriate ``SafeData`` type. This is
+    often the case when you are returning raw HTML, for example.
+
+ 2. If your filter is given a "safe" string, is it guaranteed to return a
+    "safe" string? If so, set the ``is_safe`` attribute on the function to be
+    ``True``. For example, a filter that replaced a word consisting only of
+    digits with the number spelt out in words is going to be
+    safe-string-preserving, since it cannot introduce any of the five dangerous
+    characters: <, >, ", ' or &. We can write::
+
+        @register.filter
+        def convert_to_words(value):
+            # ... implementation here ...
+            return result
+
+        convert_to_words.is_safe = True
+
+    Note that this filter does not return a universally safe result (it does
+    not return ``mark_safe(result)``) because if it is handed a raw string such
+    as '<a>', this will need further escaping in an auto-escape environment.
+    The ``is_safe`` attribute only talks about the the result when a safe
+    string is passed into the filter.
+
+ 3. Will your filter behave differently depending upon whether auto-escaping
+    is currently in effect or not? This is normally a concern when you are
+    returning mixed content (HTML elements mixed with user-supplied content).
+    For example, the ``ordered_list`` filter that ships with Django needs to
+    know whether to escape its content or not. It will always return a safe
+    string. Since it returns raw HTML, we cannot apply escaping to the
+    result -- it needs to be done in-situ.
+
+    For these cases, the filter function needs to be told what the current
+    auto-escaping setting is. Set the ``needs_autoescape`` attribute on the
+    filter to ``True`` and have your function take an extra argument called
+    ``autoescape`` with a default value of ``None``. When the filter is called,
+    the ``autoescape`` keyword argument will be ``True`` if auto-escaping is in
+    effect. For example, the ``unordered_list`` filter is written as::
+
+        def unordered_list(value, autoescape=None):
+            # ... lots of code here ...
+
+            return mark_safe(...)
+
+        unordered_list.is_safe = True
+        unordered_list.needs_autoescape = True
+
+By default, both the ``is_safe`` and ``needs_autoescape`` attributes are
+``False``. You do not need to specify them if ``False`` is an acceptable
+value.
+
-Writing custom template tags
-----------------------------
@@ -841 +930 @@
-without having to be parsed multiple times.
-
+Auto-escaping considerations
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The output from template tags is not automatically run through the
+auto-escaping filters. However, there are still a couple of things you should
+keep in mind when writing a template tag:
+
+If the ``render()`` function of your template stores the result in a context
+variable (rather than returning the result in a string), it should take care
+to call ``mark_safe()`` if appropriate. When the variable is ultimately
+rendered, it will be affected by the auto-escape setting in effect at the
+time, so content that should be safe from further escaping needs to be marked
+as such.
+
+Also, if your template tag creates a new context for performing some
+sub-rendering, you should be careful to set the auto-escape attribute to the
+current context's value. The ``__init__`` method for the ``Context`` class
+takes a parameter called ``autoescape`` that you can use for this purpose. For
+example::
+
+    def render(self, context):
+        # ...
+        new_context = Context({'var': obj}, autoescape=context.autoescape)
+        # ... Do something with new_context ...
+
+This is not a very common situation, but it is sometimes useful, particularly
+if you are rendering a template yourself. For example::
+
+    def render(self, context):
+        t = template.load_template('small_fragment.html')
+        return t.render(Context({'var': obj}, autoescape=context.autoescape))
+
+If we had neglected to pass in the current ``context.autoescape`` value to our
+new ``Context`` in this example, the results would have *always* been
+automatically escaped, which may not be the desired behaviour if the template
+tag is used inside a ``{% autoescape off %}`` block.
+
-Registering the tag
-~~~~~~~~~~~~~~~~~~~
@@ -918 +1044 @@
-            self.date_to_be_formatted = date_to_be_formatted
-            self.format_string = format_string
-
+
-        def render(self, context):
-            try:
@@ -935 +1061 @@
-    in favor of a new ``template.Variable`` class. Using this class will usually
-    be more efficient than calling ``template.resolve_variable``
-
+
-    To use the ``Variable`` class, simply instantiate it with the name of the
-    variable to be resolved, and then call ``variable.resolve(context)``. So,
-    in the development version, the above example would be more correctly
-    written as:
-
+
-    .. parsed-literal::
-
+
-        class FormatTimeNode(template.Node):
-            def __init__(self, date_to_be_formatted, format_string):
-                self.date_to_be_formatted = **Variable(date_to_be_formatted)**
-                self.format_string = format_string
-
+
-            def render(self, context):
-                try:
@@ -954 +1080 @@
-                except template.VariableDoesNotExist:
-                    return ''
-
+
-    Changes are highlighted in bold.
-

django/trunk/docs/templates.txt

@@ -300 +300 @@
-wouldn't know which one of the blocks' content to use.
-
+Automatic HTML escaping
+=======================
+
+**New in Django development version**
+
+A very real problem when creating HTML (and other) output using templates and
+variable substitution is the possibility of accidently inserting some variable
+value that affects the resulting HTML. For example, a template fragment such as
+::
+
+    Hello, {{ name }}.
+
+seems like a harmless way to display the user's name. However, if you are
+displaying data that the user entered directly and they had entered their name as ::
+
+    <script>alert('hello')</script>
+
+this would always display a Javascript alert box when the page was loaded.
+Similarly, if you were displaying some data generated by another process and it
+contained a '<' symbol, you couldn't just dump this straight into your HTML,
+because it would be treated as the start of an element. The effects of these
+sorts of problems can vary from merely annoying to allowing exploits via `Cross
+Site Scripting`_ (XSS) attacks.
+
+.. _Cross Site Scripting: http://en.wikipedia.org/wiki/Cross-site_scripting
+
+In order to provide some protection against these problems, Django
+provides automatic (but controllable) HTML escaping for data coming from
+tempate variables. Inside this tag, any data that comes from template
+variables is examined to see if it contains one of the five HTML characters
+(<, >, ', " and &) that often need escaping and those characters are converted
+to their respective HTML entities. It causes no harm if a character is
+converted to an entity when it doesn't need to be, so all five characters are
+always converted.
+
+Since some variables will contain data that is *intended* to be rendered
+as HTML, template tag and filter writers can mark their output strings as
+requiring no further escaping. For example, the ``unordered_list`` filter is
+designed to return raw HTML and we want the template processor to simply
+display the results as returned, without applying any escaping. That is taken
+care of by the filter. The template author need do nothing special in that
+case.
+
+By default, automatic HTML escaping is always applied. However, sometimes you
+will not want this to occur (for example, if you're using the templating
+system to create an email). To control automatic escaping inside your template,
+wrap the affected content in the ``autoescape`` tag, like so::
+
+    {% autoescape off %}
+        Hello {{ name }}
+    {% endautoescape %}
+
+The auto-escaping tag passes its effect onto templates that extend the
+current one as well as templates included via the ``include`` tag, just like
+all block tags.
+
+The ``autoescape`` tag takes either ``on`` or ``off`` as its argument. At times, you might want to force auto-escaping when it would otherwise be disabled. For example::
+
+    Auto-escaping is on by default. Hello {{ name }}
+
+    {% autoescape off %}
+        This will not be auto-escaped: {{ data }}.
+
+        Nor this: {{ other_data }}
+        {% autoescape on %}
+            Auto-escaping applies again, {{ name }}
+        {% endautoescape %}
+    {% endautoescape %}
+
+For individual variables, the ``safe`` filter can also be used to indicate
+that the contents should not be automatically escaped::
+
+    This will be escaped: {{ data }}
+    This will not be escaped: {{ data|safe }}
+
+Think of *safe* as shorthand for *safe from further escaping* or *can be
+safely interpreted as HTML*. In this example, if ``data`` contains ``'<a>'``,
+the output will be::
+
+    This will be escaped: &lt;a&gt;
+    This will not be escaped: <a>
+
+Generally, you won't need to worry about auto-escaping very much. View
+developers and custom filter authors need to think about when their data
+shouldn't be escaped and mark it appropriately. They are in a better position
+to know when that should happen than the template author, so it is their
+responsibility. By default, all output is escaped unless the template
+processor is explicitly told otherwise.
+
+You should also note that if you are trying to write a template that might be
+used in situations where automatic escaping is enabled or disabled and you
+don't know which (such as when your template is included in other templates),
+you can safely write as if you were in an ``{% autoescape off %}`` situation.
+Scatter ``escape`` filters around for any variables that need escaping. When
+auto-escaping is on, these extra filters won't change the output -- any
+variables that use the ``escape`` filter do not have further automatic
+escaping applied to them.
+
-Using the built-in reference
-============================
@@ -374 +472 @@
-Built-in tag reference
-----------------------
+
+autoescape
+~~~~~~~~~~
+
+**New in Django development version**
+
+Control the current auto-escaping behaviour. This tag takes either ``on`` or
+``off`` as an argument and that determines whether auto-escaping is in effect
+inside the block.
+
+When auto-escaping is in effect, all variable content has HTML escaping applied
+to it before placing the result into the output (but after any filters have
+been applied). This is equivalent to manually applying the ``escape`` filter
+attached to each variable.
+
+The only exceptions are variables that are already marked as 'safe' from
+escaping, either by the code that populated the variable, or because it has
+the ``safe`` or ``escape`` filters applied.
-
-block
@@ -453 +569 @@
-Sample usage::
-
-
+force_
-        This text will be HTML-escaped, and will appear in all lowercase.
-    {% endfilter %}
@@ -1077 +1193 @@
-~~~~~~
-
+**New in Django development version:** The behaviour of this filter has
+changed slightly in the development version (the affects are only applied
+once, after all other filters).
+
-Escapes a string's HTML. Specifically, it makes these replacements:
-
@@ -1084 +1204 @@
-    * ``'"'`` (double quote) to ``'&quot;'``
-    * ``"'"`` (single quote) to ``'&#39;'``
+
+The escaping is only applied when the string is output, so it does not matter
+where in a chained sequence of filters you put ``escape``: it will always be
+applied as though it were the last filter. If you want escaping to be applied
+immediately, use the ``force_escape`` filter.
+
+Applying ``escape`` to a variable that would normally have auto-escaping
+applied to the result will only result in one round of escaping being done. So
+it is safe to use this function even in auto-escaping environments. If you want
+multiple escaping passes to be applied, use the ``force_escape`` filter.
-
-filesizeformat
@@ -1141 +1271 @@
-with an argument of ``-1``.
-
+force_escape
+~~~~~~~~~~~~
+
+**New in Django development version**
+
+Applies HTML escaping to a string (see the ``escape`` filter for details).
+This filter is applied *immediately* and returns a new, escaped string. This
+is useful in the rare cases where you need multiple escaping or want to apply
+other filters to the escaped results. Normally, you want to use the ``escape``
+filter.
+
-get_digit
-~~~~~~~~~
@@ -1264 +1405 @@
-
-**Argument:** field size
+
+safe
+~~~~
+
+Marks a string as not requiring further HTML escaping prior to output. When
+autoescaping is off, this filter has no effect.
-
-slice

django/trunk/tests/regressiontests/defaultfilters/tests.py

@@ -195 +195 @@
-u'a string to be mangled'
-
-
+force_
-u'<some html & special characters > here'
-
-
+force_
-u'<some html & special characters > here \xc4\x90\xc3\x85\xe2\x82\xac\xc2\xa3'
-

django/trunk/tests/regressiontests/forms/forms.py

@@ -1555 +1555 @@
->>> print t.render(Context({'form': UserRegistration(auto_id=False)}))
-<form action="">
-'
+&#39;
-<p>Password1: <input type="password" name="password1" /></p>
-<p>Password2: <input type="password" name="password2" /></p>

django/trunk/tests/regressiontests/forms/tests.py

@@ -51 +51 @@
-    'localflavor_uk_tests': localflavor_uk_tests,
-    'localflavor_us_tests': localflavor_us_tests,
-s
+
-    'util_tests': util_tests,
-    'widgets_tests': widgets_tests,

django/trunk/tests/regressiontests/humanize/tests.py

@@ -4 +4 @@
-from django.utils.dateformat import DateFormat
-from django.utils.translation import ugettext as _
+from django.utils.html import escape
-
-add_to_builtins('django.contrib.humanize.templatetags.humanize')
@@ -16 +17 @@
-            t = Template('{{ test_content|%s }}' % method)
-            rendered = t.render(Context(locals())).strip()
-result_list[index]
+escape(result_list[index])
-                             msg="%s test failed, produced %s, should've produced %s" % (method, rendered, result_list[index]))
-

django/trunk/tests/regressiontests/templates/tests.py

@@ -15 +15 @@
-from django.template.loaders import app_directories, filesystem
-from django.utils.translation import activate, deactivate, ugettext as _
+from django.utils.safestring import mark_safe
-from django.utils.tzinfo import LocalTimezone
-
-from unicode import unicode_tests
+import filters
-
-# Some other tests we would like to run
@@ -121 +123 @@
-
-    def test_templates(self):
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-        # SYNTAX --
-        # 'template_name': ('template contents', 'context dict', 'expected string output' or Exception class)
-
-
-
+
+
-
-            # Plain text should go through the template parser untouched
-            'basic-syntax01': ("something cool", {}, "something cool"),
-
-
+
+
-            'basic-syntax02': ("{{ headline }}", {'headline':'Success'}, "Success"),
-
@@ -241 +320 @@
-
-            # Escaped string as argument
-
+
+
-
-            # Variable as argument
@@ -761 +841 @@
-        #    'now04' : ('{% now "j \nn\n Y"%}', {}, str(datetime.now().day) + '\n' + str(datetime.now().month) + '\n' + str(datetime.now().year))
-
-            ### TIMESINCE TAG ##################################################
-            # Default compare with datetime.now()
-            'timesince01' : ('{{ a|timesince }}', {'a':datetime.now() + timedelta(minutes=-1, seconds = -10)}, '1 minute'),
-            'timesince02' : ('{{ a|timesince }}', {'a':(datetime.now() - timedelta(days=1, minutes = 1))}, '1 day'),
-            'timesince03' : ('{{ a|timesince }}', {'a':(datetime.now() -
-                timedelta(hours=1, minutes=25, seconds = 10))}, '1 hour, 25 minutes'),
-
-            # Compare to a given parameter
-            'timesince04' : ('{{ a|timesince:b }}', {'a':NOW + timedelta(days=2), 'b':NOW + timedelta(days=1)}, '1 day'),
-            'timesince05' : ('{{ a|timesince:b }}', {'a':NOW + timedelta(days=2, minutes=1), 'b':NOW + timedelta(days=2)}, '1 minute'),
-
-            # Check that timezone is respected
-            'timesince06' : ('{{ a|timesince:b }}', {'a':NOW_tz + timedelta(hours=8), 'b':NOW_tz}, '8 hours'),
-
-            # Check times in the future.
-            'timesince07' : ('{{ a|timesince }}', {'a':datetime.now() + timedelta(minutes=1, seconds=10)}, '0 minutes'),
-            'timesince08' : ('{{ a|timesince }}', {'a':datetime.now() + timedelta(days=1, minutes=1)}, '0 minutes'),
-
-            ### TIMEUNTIL TAG ##################################################
-            # Default compare with datetime.now()
-            'timeuntil01' : ('{{ a|timeuntil }}', {'a':datetime.now() + timedelta(minutes=2, seconds = 10)}, '2 minutes'),
-            'timeuntil02' : ('{{ a|timeuntil }}', {'a':(datetime.now() + timedelta(days=1, seconds = 10))}, '1 day'),
-            'timeuntil03' : ('{{ a|timeuntil }}', {'a':(datetime.now() + timedelta(hours=8, minutes=10, seconds = 10))}, '8 hours, 10 minutes'),
-
-            # Compare to a given parameter
-            'timeuntil04' : ('{{ a|timeuntil:b }}', {'a':NOW - timedelta(days=1), 'b':NOW - timedelta(days=2)}, '1 day'),
-            'timeuntil05' : ('{{ a|timeuntil:b }}', {'a':NOW - timedelta(days=2), 'b':NOW - timedelta(days=2, minutes=1)}, '1 minute'),
-
-            # Check times in the past.
-            'timeuntil07' : ('{{ a|timeuntil }}', {'a':datetime.now() - timedelta(minutes=1, seconds=10)}, '0 minutes'),
-            'timeuntil08' : ('{{ a|timeuntil }}', {'a':datetime.now() - timedelta(days=1, minutes=1)}, '0 minutes'),
-
-            ### URL TAG ########################################################
-            # Successes
@@ -820 +868 @@
-            'cache09' : ('{% load cache %}{% cache 1 %}{% endcache %}', {}, template.TemplateSyntaxError),
-            'cache10' : ('{% load cache %}{% cache foo bar %}{% endcache %}', {}, template.TemplateSyntaxError),
+
+            ### AUTOESCAPE TAG ##############################################
+            'autoescape-tag01': ("{% autoescape off %}hello{% endautoescape %}", {}, "hello"),
+            'autoescape-tag02': ("{% autoescape off %}{{ first }}{% endautoescape %}", {"first": "<b>hello</b>"}, "<b>hello</b>"),
+            'autoescape-tag03': ("{% autoescape on %}{{ first }}{% endautoescape %}", {"first": "<b>hello</b>"}, "&lt;b&gt;hello&lt;/b&gt;"),
+
+            # Autoescape disabling and enabling nest in a predictable way.
+            'autoescape-tag04': ("{% autoescape off %}{{ first }} {% autoescape  on%}{{ first }}{% endautoescape %}{% endautoescape %}", {"first": "<a>"}, "<a> &lt;a&gt;"),
+
+            'autoescape-tag05': ("{% autoescape on %}{{ first }}{% endautoescape %}", {"first": "<b>first</b>"}, "&lt;b&gt;first&lt;/b&gt;"),
+
+            # Strings (ASCII or unicode) already marked as "safe" are not
+            # auto-escaped
+            'autoescape-tag06': ("{{ first }}", {"first": mark_safe("<b>first</b>")}, "<b>first</b>"),
+            'autoescape-tag07': ("{% autoescape on %}{{ first }}{% endautoescape %}", {"first": mark_safe(u"<b>Apple</b>")}, u"<b>Apple</b>"),
+
+            # String arguments to filters, if used in the result, are escaped,
+            # too.
+            'basic-syntax08': (r'{% autoescape on %}{{ var|default_if_none:" endquote\" hah" }}{% endautoescape %}', {"var": None}, ' endquote&quot; hah'),
+
+            # The "safe" and "escape" filters cannot work due to internal
+            # implementation details (fortunately, the (no)autoescape block
+            # tags can be used in those cases)
+            'autoescape-filtertag01': ("{{ first }}{% filter safe %}{{ first }} x<y{% endfilter %}", {"first": "<a>"}, template.TemplateSyntaxError),
-        }
-
-        # Register our custom template loader.
-        def test_template_loader(template_name, template_dirs=None):
-            "A custom template loader that loads the unit-test templates."
-            try:
-                return (TEMPLATE_TESTS[template_name][0] , "test:%s" % template_name)
-            except KeyError:
-                raise template.TemplateDoesNotExist, template_name
-
-        old_template_loaders = loader.template_source_loaders
-        loader.template_source_loaders = [test_template_loader]
-
-        failures = []
-        tests = TEMPLATE_TESTS.items()
-        tests.sort()
-
-        # Turn TEMPLATE_DEBUG off, because tests assume that.
-        old_td, settings.TEMPLATE_DEBUG = settings.TEMPLATE_DEBUG, False
-
-        # Set TEMPLATE_STRING_IF_INVALID to a known string
-        old_invalid = settings.TEMPLATE_STRING_IF_INVALID
-        expected_invalid_str = 'INVALID'
-
-        for name, vals in tests:
-            if isinstance(vals[2], tuple):
-                normal_string_result = vals[2][0]
-                invalid_string_result = vals[2][1]
-                if '%s' in invalid_string_result:
-                    expected_invalid_str = 'INVALID %s'
-                    invalid_string_result = invalid_string_result % vals[2][2]
-                    template.invalid_var_format_string = True
-            else:
-                normal_string_result = vals[2]
-                invalid_string_result = vals[2]
-
-            if 'LANGUAGE_CODE' in vals[1]:
-                activate(vals[1]['LANGUAGE_CODE'])
-            else:
-                activate('en-us')
-
-            for invalid_str, result in [('', normal_string_result),
-                                        (expected_invalid_str, invalid_string_result)]:
-                settings.TEMPLATE_STRING_IF_INVALID = invalid_str
-                try:
-                    output = loader.get_template(name).render(template.Context(vals[1]))
-                except Exception, e:
-                    if e.__class__ != result:
-                        failures.append("Template test (TEMPLATE_STRING_IF_INVALID='%s'): %s -- FAILED. Got %s, exception: %s" % (invalid_str, name, e.__class__, e))
-                    continue
-                if output != result:
-                    failures.append("Template test (TEMPLATE_STRING_IF_INVALID='%s'): %s -- FAILED. Expected %r, got %r" % (invalid_str, name, result, output))
-
-            if 'LANGUAGE_CODE' in vals[1]:
-                deactivate()
-
-            if template.invalid_var_format_string:
-                expected_invalid_str = 'INVALID'
-                template.invalid_var_format_string = False
-
-        loader.template_source_loaders = old_template_loaders
-        deactivate()
-        settings.TEMPLATE_DEBUG = old_td
-        settings.TEMPLATE_STRING_IF_INVALID = old_invalid
-
-        self.assertEqual(failures, [], '\n'.join(failures))
-
-if __name__ == "__main__":