Changeset 6683
- Timestamp:
- 11/17/07 06:12:40 (1 year ago)
- Files:
-
- django/trunk/django/utils/html.py (modified) (2 diffs)
- django/trunk/tests/regressiontests/templates/filters.py (modified) (1 diff)
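--- a/django/trunk/django/utils/html.py
+++ b/django/trunk/django/utils/html.py
@@ -7,4 +7,5 @@
 from django.utils.encoding import force_unicode
 from django.utils.functional import allow_lazy
+from django.utils.http import urlquote
 
 # Configuration for urlize() function
@@ -102,12 +103,22 @@
                     len(middle) > 0 and middle[0] in string.letters + string.digits and \
                     (middle.endswith('.org') or middle.endswith('.net') or middle.endswith('.com'))):
-                middle = '<a href="http://%s"%s>%s</a>' % (middle, nofollow_attr, trim_url(middle))
+                middle = '<a href="http://%s"%s>%s</a>' % (
+                    urlquote(middle, safe='/&=:;#?+'), nofollow_attr,
+                    trim_url(middle))
             if middle.startswith('http://') or middle.startswith('https://'):
-                middle = '<a href="%s"%s>%s</a>' % (middle, nofollow_attr, trim_url(middle))
-            if '@' in middle and not middle.startswith('www.') and not ':' in middle \
-                and simple_email_re.match(middle):
+                middle = '<a href="%s"%s>%s</a>' % (
+                    urlquote(middle, safe='/&=:;#?+'), nofollow_attr,
+                    trim_url(middle))
+            if '@' in middle and not middle.startswith('www.') and \
+                not ':' in middle and simple_email_re.match(middle):
                 middle = '<a href="mailto:%s">%s</a>' % (middle, middle)
             if lead + middle + trail != word:
                 words[i] = lead + middle + trail
+            elif autoescape and not safe_input:
+                words[i] = escape(word)
+            elif safe_input:
+                words[i] = mark_safe(word)
+            elif autoescape:
+                words[i] = escape(word)
     return u''.join(words)
 urlize = allow_lazy(urlize, unicode)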
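Review bot: The escaping added by the new `elif` chain (new lines 117-122) only reaches words that urlize left untouched; when a word is rewritten into a link and taken by `words[i] = lead + middle + trail`, the anchor text `trim_url(middle)`, the `lead`/`trail` fragments, and both uses of `middle` in the mailto line go into the output without `escape()`, even when `autoescape` is set and the input is not safe — only the href of the http/www forms is urlquoted. I would apply `escape()` to lead, trail, the link text and the mailto `middle` under the same `autoescape and not safe_input` condition before the anchor strings are built, and add a test that feeds a word urlize does rewrite (http:// or email form) containing markup characters. Separately, the final branch `elif autoescape: words[i] = escape(word)` is unreachable — a true `autoescape` is consumed by the first `elif` unless `safe_input` is true, in which case the second consumes it — so those two lines can be dropped. urlize starts before this hunk, so whatever it does with `safe_input` and `autoescape` earlier is not visible here.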
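--- a/django/trunk/tests/regressiontests/templates/filters.py
+++ b/django/trunk/tests/regressiontests/templates/filters.py
@@ -95,4 +95,9 @@
         'filter-urlize04': ('{{ a|urlize }}', {"a": mark_safe("a & b")}, 'a & b'),
 
+        # This will lead to a nonsense result, but at least it won't be
+        # exploitable for XSS purposes when auto-escaping is on.
+        'filter-urlize05': ('{% autoescape off %}{{ a|urlize }}{% endautoescape %}', {"a": "<script>alert('foo')</script>"}, "<script>alert('foo')</script>"),
+        'filter-urlize06': ('{{ a|urlize }}', {"a": "<script>alert('foo')</script>"}, '<script>alert('foo')</script>'),
+
         'filter-urlizetrunc01': ('{% autoescape off %}{{ a|urlizetrunc:"8" }} {{ b|urlizetrunc:"8" }}{% endautoescape %}', {"a": "http://example.com/x=&y=", "b": mark_safe("http://example.com?x=&y=")}, u'<a href="http://example.com/x=&y=" rel="nofollow">http:...</a> <a href="http://example.com?x=&y=" rel="nofollow">http:...</a>'),
         'filter-urlizetrunc02': ('{{ a|urlizetrunc:"8" }} {{ b|urlizetrunc:"8" }}', {"a": "http://example.com/x=&y=", "b": mark_safe("http://example.com?x=&y=")}, u'<a href="http://example.com/x=&y=" rel="nofollow">http:...</a> <a href="http://example.com?x=&y=" rel="nofollow">http:...</a>'),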
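Review bot: As printed here, 'filter-urlize06' expects the raw `<script>` markup back from `{{ a|urlize }}` with auto-escaping on, which contradicts the comment above it; this is presumably the page rendering an entity-escaped expected string as literal markup (the `&` in the urlizetrunc expectations looks affected the same way), so confirm the checked-in source holds the escaped form and the unbalanced quotes are a display artifact. Both new cases use a word that urlize leaves unchanged, so they exercise only the new `elif` branches in html.py and not the link-building path, where the anchor text and lead/trail are still emitted unescaped; a third case whose word is rewritten into a link (http:// or email form) while also containing markup characters, with the escaped anchor as the expected value, would pin that path down.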
