Changeset 7079

Timestamp:
02/03/08 02:54:26 (7 months ago)
Author:
mtredinnick
Message:

Fixed #6279, #6514 -- Fixed some HTML escaping problems in the urlize filter.
Based on a patch from SmileyChris with some test additions from Rob Hudson.
Thanks, both.

Files:

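--- a/django/trunk/django/utils/html.py
+++ b/django/trunk/django/utils/html.py
@@ -103,16 +103,21 @@
                     len(middle) > 0 and middle[0] in string.ascii_letters + string.digits and \
                     (middle.endswith('.org') or middle.endswith('.net') or middle.endswith('.com'))):
-                middle = '<a href="http://%s"%s>%s</a>' % (
-                        urlquote(middle, safe='/&=:;#?+'),  nofollow_attr,
-                        trim_url(middle))
+                middle = 'http://%s' % middle
             if middle.startswith('http://') or middle.startswith('https://'):
-                middle = '<a href="%s"%s>%s</a>' % (
-                        urlquote(middle, safe='/&=:;#?+'), nofollow_attr,
-                        trim_url(middle))
-            if '@' in middle and not middle.startswith('www.') and \
-                    not ':' in middle and simple_email_re.match(middle):
+                url = urlquote(middle, safe='/&=:;#?+*')
+                if autoescape and not safe_input:
+                    url = escape(url)
+                trimmed_url = trim_url(middle)
+                middle = '<a href="%s"%s>%s</a>' % (url, nofollow_attr,
+                        trimmed_url)
+            elif '@' in middle and not middle.startswith('www.') and \
+                     not ':' in middle and simple_email_re.match(middle):
+                if autoescape:
+                    middle = conditional_escape(middle)
                 middle = '<a href="mailto:%s">%s</a>' % (middle, middle)
             if lead + middle + trail != word:
-                words[i] = lead + middle + trail
+                if autoescape and not safe_input:
+                    lead, trail = escape(lead), escape(trail)
+                words[i] = mark_safe('%s%s%s' % (lead, middle, trail))
             elif autoescape and not safe_input:
                 words[i] = escape(word)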
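Review bot: In the http/https branch only the href value is escaped — `trimmed_url = trim_url(middle)` is built from the raw `middle` and goes into the visible link text without passing through `escape()` when `autoescape and not safe_input`, so an `&` or `<` in an unsafe URL can reach the output unescaped and the `filter-urlize02` expectation (`...?x=&amp;y=</a>`) only holds if `trim_url`, defined above the hunk, already escapes. Escaping both values under the same condition would make the branch self-contained: `trimmed_url = trim_url(middle)` / `if autoescape and not safe_input:` / `url, trimmed_url = escape(url), escape(trimmed_url)`. The mailto branch, by contrast, calls `conditional_escape(middle)` whenever `autoescape` is set regardless of `safe_input`; if `middle` is a plain substring rather than SafeData, a safe input's address is escaped while a safe input's URL is not, so the two conditions are worth aligning. The enclosing `urlize` function begins above the hunk.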
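--- a/django/trunk/tests/regressiontests/templates/filters.py
+++ b/django/trunk/tests/regressiontests/templates/filters.py
@@ -99,6 +99,6 @@
         'filter-upper02': ('{{ a|upper }} {{ b|upper }}', {"a": "a & b", "b": mark_safe("a &amp; b")}, u"A &amp; B A &amp;AMP; B"),
 
-        'filter-urlize01': ('{% autoescape off %}{{ a|urlize }} {{ b|urlize }}{% endautoescape %}', {"a": "http://example.com/x=&y=", "b": mark_safe("http://example.com?x=&y=")}, u'<a href="http://example.com/x=&y=" rel="nofollow">http://example.com/x=&y=</a> <a href="http://example.com?x=&y=" rel="nofollow">http://example.com?x=&y=</a>'),
-        'filter-urlize02': ('{{ a|urlize }} {{ b|urlize }}', {"a": "http://example.com/x=&y=", "b": mark_safe("http://example.com?x=&y=")}, u'<a href="http://example.com/x=&y=" rel="nofollow">http://example.com/x=&amp;y=</a> <a href="http://example.com?x=&y=" rel="nofollow">http://example.com?x=&y=</a>'),
+        'filter-urlize01': ('{% autoescape off %}{{ a|urlize }} {{ b|urlize }}{% endautoescape %}', {"a": "http://example.com/?x=&y=", "b": mark_safe("http://example.com?x=&amp;y=")}, u'<a href="http://example.com/?x=&y=" rel="nofollow">http://example.com/?x=&y=</a> <a href="http://example.com?x=&amp;y=" rel="nofollow">http://example.com?x=&amp;y=</a>'),
+        'filter-urlize02': ('{{ a|urlize }} {{ b|urlize }}', {"a": "http://example.com/?x=&y=", "b": mark_safe("http://example.com?x=&amp;y=")}, u'<a href="http://example.com/?x=&amp;y=" rel="nofollow">http://example.com/?x=&amp;y=</a> <a href="http://example.com?x=&amp;y=" rel="nofollow">http://example.com?x=&amp;y=</a>'),
         'filter-urlize03': ('{% autoescape off %}{{ a|urlize }}{% endautoescape %}', {"a": mark_safe("a &amp; b")}, 'a &amp; b'),
         'filter-urlize04': ('{{ a|urlize }}', {"a": mark_safe("a &amp; b")}, 'a &amp; b'),
@@ -109,6 +109,10 @@
         'filter-urlize06': ('{{ a|urlize }}', {"a": "<script>alert('foo')</script>"}, '&lt;script&gt;alert(&#39;foo&#39;)&lt;/script&gt;'),
 
-        'filter-urlizetrunc01': ('{% autoescape off %}{{ a|urlizetrunc:"8" }} {{ b|urlizetrunc:"8" }}{% endautoescape %}', {"a": '"Unsafe" http://example.com/x=&y=', "b": mark_safe('&quot;Safe&quot; http://example.com?x=&y=')}, u'"Unsafe" <a href="http://example.com/x=&y=" rel="nofollow">http:...</a> &quot;Safe&quot; <a href="http://example.com?x=&y=" rel="nofollow">http:...</a>'),
-        'filter-urlizetrunc02': ('{{ a|urlizetrunc:"8" }} {{ b|urlizetrunc:"8" }}', {"a": '"Unsafe" http://example.com/x=&y=', "b": mark_safe('&quot;Safe&quot; http://example.com?x=&y=')}, u'&quot;Unsafe&quot; <a href="http://example.com/x=&y=" rel="nofollow">http:...</a> &quot;Safe&quot; <a href="http://example.com?x=&y=" rel="nofollow">http:...</a>'),
+        # mailto: testing for urlize
+        'filter-urlize07': ('{{ a|urlize }}', {"a": "Email me at me@example.com"}, 'Email me at <a href="mailto:me@example.com">me@example.com</a>'),
+        'filter-urlize08': ('{{ a|urlize }}', {"a": "Email me at <me@example.com>"}, 'Email me at &lt;<a href="mailto:me@example.com">me@example.com</a>&gt;'),
+
+        'filter-urlizetrunc01': ('{% autoescape off %}{{ a|urlizetrunc:"8" }} {{ b|urlizetrunc:"8" }}{% endautoescape %}', {"a": '"Unsafe" http://example.com/x=&y=', "b": mark_safe('&quot;Safe&quot; http://example.com?x=&amp;y=')}, u'"Unsafe" <a href="http://example.com/x=&y=" rel="nofollow">http:...</a> &quot;Safe&quot; <a href="http://example.com?x=&amp;y=" rel="nofollow">http:...</a>'),
+        'filter-urlizetrunc02': ('{{ a|urlizetrunc:"8" }} {{ b|urlizetrunc:"8" }}', {"a": '"Unsafe" http://example.com/x=&y=', "b": mark_safe('&quot;Safe&quot; http://example.com?x=&amp;y=')}, u'&quot;Unsafe&quot; <a href="http://example.com/x=&amp;y=" rel="nofollow">http:...</a> &quot;Safe&quot; <a href="http://example.com?x=&amp;y=" rel="nofollow">http:...</a>'),
 
         'filter-wordcount01': ('{% autoescape off %}{{ a|wordcount }} {{ b|wordcount }}{% endautoescape %}', {"a": "a & b", "b": mark_safe("a &amp; b")}, "3 3"),
@@ -241,5 +245,5 @@
         'chaining14': ('{% autoescape off %}{{ a|safe|force_escape }}{% endautoescape %}', {"a": "a < b"}, "a &lt; b"),
 
-        # Filters decorated with stringfilter still respect is_safe. 
+        # Filters decorated with stringfilter still respect is_safe.
         'autoescape-stringfilter01': (r'{{ unsafe|capfirst }}', {'unsafe': UnsafeClass()}, 'You &amp; me'),
         'autoescape-stringfilter02': (r'{% autoescape off %}{{ unsafe|capfirst }}{% endautoescape %}', {'unsafe': UnsafeClass()}, 'You & me'),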
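Review bot: None of the added or changed expectations exercise the scheme-less path that html.py now rewrites as `'http://%s' % middle` before escaping — every URL input here already starts with `http://`, so a `www.`/`.com` address carrying `&` under autoescape has no case pinning its href escaping. A constructed entry such as `'filter-urlize09': ('{{ a|urlize }}', {"a": "www.example.com/?x=&y="}, ...)` with `href="http://www.example.com/?x=&amp;y="` in the expected output would cover it. Lines 105–108 of this file fall between the hunks and may already contain such a case; if so, this is moot.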