Changeset 9365
- Timestamp:
- 11/06/08 13:49:24 (2 months ago)
- Files:
-
- django/trunk/django/contrib/auth/tests/views.py (modified) (3 diffs)
- django/trunk/django/forms/forms.py (modified) (4 diffs)
- django/trunk/django/forms/util.py (modified) (1 diff)
- django/trunk/tests/regressiontests/forms/forms.py (modified) (1 diff)
- django/trunk/tests/regressiontests/forms/util.py (modified) (1 diff)
django/trunk/django/contrib/auth/tests/views.py
r8613 r9365 17 17 self.assertEquals(response.status_code, 200) 18 18 response = self.client.post('/password_reset/', {'email': 'not_a_real_email@email.com'}) 19 self.assertContains(response, "That e-mail address doesn 't have an associated user account")19 self.assertContains(response, "That e-mail address doesn't have an associated user account") 20 20 self.assertEquals(len(mail.outbox), 0) 21 21 … … 88 88 'new_password2':' x'}) 89 89 self.assertEquals(response.status_code, 200) 90 self.assert_("The two password fields didn 't match" in response.content)90 self.assert_("The two password fields didn't match" in response.content) 91 91 92 92 … … 148 148 ) 149 149 self.assertEquals(response.status_code, 200) 150 self.assert_("The two password fields didn 't match." in response.content)150 self.assert_("The two password fields didn't match." in response.content) 151 151 152 152 def test_password_change_succeeds(self): django/trunk/django/forms/forms.py
r9067 r9365 6 6 7 7 from django.utils.datastructures import SortedDict 8 from django.utils.html import escape8 from django.utils.html import conditional_escape 9 9 from django.utils.encoding import StrAndUnicode, smart_unicode, force_unicode 10 10 from django.utils.safestring import mark_safe … … 141 141 for name, field in self.fields.items(): 142 142 bf = BoundField(self, field, name) 143 bf_errors = self.error_class([ escape(error) for error in bf.errors]) # Escape and cache in local variable.143 bf_errors = self.error_class([conditional_escape(error) for error in bf.errors]) # Escape and cache in local variable. 144 144 if bf.is_hidden: 145 145 if bf_errors: … … 150 150 output.append(error_row % force_unicode(bf_errors)) 151 151 if bf.label: 152 label = escape(force_unicode(bf.label))152 label = conditional_escape(force_unicode(bf.label)) 153 153 # Only add the suffix if the label does not end in 154 154 # punctuation. … … 396 396 If attrs are given, they're used as HTML attributes on the <label> tag. 397 397 """ 398 contents = contents or escape(self.label)398 contents = contents or conditional_escape(self.label) 399 399 widget = self.field.widget 400 400 id_ = widget.attrs.get('id') or self.auto_id django/trunk/django/forms/util.py
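Review bot: The trailing comment on new line 143 still says `# Escape and cache in local variable.`, but with `conditional_escape` an error is escaped only when it is not already marked safe, and the same now holds for the label at line 152 and for `self.label` at line 398. I would change the comment to `# Escape unless already marked safe, and cache in local variable.` and put a matching one-line comment above the two label calls, so the next reader sees that `mark_safe` on a label or error message is now a trust decision made by the form author. A label or message that is built from request or stored data and then marked safe is rendered verbatim after this change, so the documentation for labels and `ValidationError` should say that such values must be escaped before they are marked. All three changed lines sit in functions whose bodies start and end outside the hunks shown.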
r8601 r9365 40 40 if not self: return u'' 41 41 return mark_safe(u'<ul class="errorlist">%s</ul>' 42 % ''.join([u'<li>%s</li>' % force_unicode(e) for e in self]))42 % ''.join([u'<li>%s</li>' % conditional_escape(force_unicode(e)) for e in self])) 43 43 44 44 def as_text(self): django/trunk/tests/regressiontests/forms/forms.py
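Review bot: Nothing on new line 42 records that this is where error-list output becomes escaped by default: the old line interpolated `force_unicode(e)` straight into a string passed to `mark_safe`, so an error list rendered on its own was not escaped at this point. I would add a comment above the return, `# Each message is escaped unless it is a safe string; only then is the joined list marked safe.`, because the outer `mark_safe` makes this call the last escaping step for the list. The change is also visible to projects that put markup in error messages without marking it safe, which will now see it escaped, so it seems worth a line in the release notes. The method's `def` line is above the hunk.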
r8525 r9365 594 594 595 595 Validation errors are HTML-escaped when output as HTML. 596 >>> from django.utils.safestring import mark_safe 596 597 >>> class EscapingForm(Form): 597 ... special_name = CharField() 598 ... special_name = CharField(label="<em>Special</em> Field") 599 ... special_safe_name = CharField(label=mark_safe("<em>Special</em> Field")) 598 600 ... def clean_special_name(self): 599 601 ... raise ValidationError("Something's wrong with '%s'" % self.cleaned_data['special_name']) 600 601 >>> f = EscapingForm({'special_name': "Nothing to escape"}, auto_id=False) 602 ... def clean_special_safe_name(self): 603 ... raise ValidationError(mark_safe("'<b>%s</b>' is a safe string" % self.cleaned_data['special_safe_name'])) 604 605 >>> f = EscapingForm({'special_name': "Nothing to escape", 'special_safe_name': "Nothing to escape"}, auto_id=False) 602 606 >>> print f 603 <tr><th>Special name:</th><td><ul class="errorlist"><li>Something's wrong with 'Nothing to escape'</li></ul><input type="text" name="special_name" value="Nothing to escape" /></td></tr> 604 >>> f = EscapingForm({'special_name': "Should escape < & > and <script>alert('xss')</script>"}, auto_id=False) 607 <tr><th><em>Special</em> Field:</th><td><ul class="errorlist"><li>Something's wrong with 'Nothing to escape'</li></ul><input type="text" name="special_name" value="Nothing to escape" /></td></tr> 608 <tr><th><em>Special</em> Field:</th><td><ul class="errorlist"><li>'<b>Nothing to escape</b>' is a safe string</li></ul><input type="text" name="special_safe_name" value="Nothing to escape" /></td></tr> 609 >>> f = EscapingForm( 610 ... {'special_name': "Should escape < & > and <script>alert('xss')</script>", 611 ... 
'special_safe_name': "<i>Do not escape</i>"}, auto_id=False) 605 612 >>> print f 606 <tr><th>Special name:</th><td><ul class="errorlist"><li>Something's wrong with 'Should escape < & > and <script>alert('xss')</script>'</li></ul><input type="text" name="special_name" value="Should escape < & > and <script>alert('xss')</script>" /></td></tr> 613 <tr><th><em>Special</em> Field:</th><td><ul class="errorlist"><li>Something's wrong with 'Should escape < & > and <script>alert('xss')</script>'</li></ul><input type="text" name="special_name" value="Should escape < & > and <script>alert('xss')</script>" /></td></tr> 614 <tr><th><em>Special</em> Field:</th><td><ul class="errorlist"><li>'<b><i>Do not escape</i></b>' is a safe string</li></ul><input type="text" name="special_safe_name" value="<i>Do not escape</i>" /></td></tr> 607 615 608 616 """ + \ django/trunk/tests/regressiontests/forms/util.py
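Review bot: `clean_special_safe_name` (new lines 602-603) interpolates `self.cleaned_data['special_safe_name']` into the message before calling `mark_safe`, so the submitted `<i>Do not escape</i>` reaches the error list unescaped, and the expected output at new line 614 pins that. That is fine as proof that safe strings pass through, but this doctest also reads as usage documentation, and in a real form the same pattern lets submitted markup into the page. I would either escape the interpolated value, `mark_safe("'<b>%s</b>' is a safe string" % escape(self.cleaned_data['special_safe_name']))`, with the import and expected output adjusted, or keep the test and add a line to the prose above it, `Marking a message safe disables escaping for everything in it, including interpolated input.` The heading at line 595, `Validation errors are HTML-escaped when output as HTML.`, should also gain `unless they are marked safe`.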
r7971 r9365 50 50 >>> print ValidationError(VeryBadError()).messages 51 51 <ul class="errorlist"><li>A very bad error.</li></ul> 52 53 # Escapes non-safe input but not input marked safe. 54 >>> example = 'Example of link: <a href="http://www.example.com/">example</a>' 55 >>> print ValidationError(example).messages 56 <ul class="errorlist"><li>Example of link: <a href="http://www.example.com/">example</a></li></ul> 57 >>> print ValidationError(mark_safe(example)).messages 58 <ul class="errorlist"><li>Example of link: <a href="http://www.example.com/">example</a></li></ul> 52 59 """
