Django

Code

Show
Ignore:
Timestamp:
11/14/07 06:58:53 (1 year ago)
Author:
mtredinnick
Message:

Implemented auto-escaping of variable output in templates. Fully controllable by template authors and it's possible to write filters and templates that simulataneously work in both auto-escaped and non-auto-escaped environments if you need to. Fixed #2359

See documentation in templates.txt and templates_python.txt for how everything
works.

Backwards incompatible if you're inserting raw HTML output via template variables.

Based on an original design from Simon Willison and with debugging help from Michael Radziej.

Files:

Legend:

Unmodified
Added
Removed
Modified
Copied
Moved

  • django/trunk/django/contrib/csrf/middleware.py

    r6038 r6671  
    88from django.conf import settings 
    99from django.http import HttpResponseForbidden 
     10from django.utils.safestring import mark_safe 
    1011import md5 
    1112import re 
    1213import itertools 
    1314 
    14 _ERROR_MSG = '<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"><body><h1>403 Forbidden</h1><p>Cross Site Request Forgery detected. Request aborted.</p></body></html>' 
     15_ERROR_MSG = mark_safe('<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"><body><h1>403 Forbidden</h1><p>Cross Site Request Forgery detected. Request aborted.</p></body></html>') 
    1516 
    1617_POST_FORM_RE = \ 
     
    8384            def add_csrf_field(match): 
    8485                """Returns the matched <form> tag plus the added <input> element""" 
    85                 return match.group() + "<div style='display:none;'>" + \ 
     86                return mark_safe(match.group() + "<div style='display:none;'>" + \ 
    8687                "<input type='hidden' " + idattributes.next() + \ 
    8788                " name='csrfmiddlewaretoken' value='" + csrf_token + \ 
    88                 "' /></div>" 
     89                "' /></div>") 
    8990 
    9091            # Modify any POST forms