Ticket #2359: 02-misc-contrib-changes.2.diff

django/contrib/csrf/middleware.py

@@ -7 +7 @@
 """
 from django.conf import settings
 from django.http import HttpResponseForbidden
+from django.utils.safestring import mark_safe
 import md5
 import re
 import itertools
 
-_ERROR_MSG = '<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"><body><h1>403 Forbidden</h1><p>Cross Site Request Forgery detected. Request aborted.</p></body></html>'
+_ERROR_MSG = mark_safe('<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"><body><h1>403 Forbidden</h1><p>Cross Site Request Forgery detected. Request aborted.</p></body></html>')
 
 _POST_FORM_RE = \
     re.compile(r'(<form\W[^>]*\bmethod=(\'|"|)POST(\'|"|)\b[^>]*>)', re.IGNORECASE)
@@ -82 +83 @@
                                             itertools.repeat(''))
             def add_csrf_field(match):
                 """Returns the matched <form> tag plus the added <input> element"""
-                return match.group() + "<div style='display:none;'>" + \
+                return mark_safe(match.group() + "<div style='display:none;'>" + \
                 "<input type='hidden' " + idattributes.next() + \
                 " name='csrfmiddlewaretoken' value='" + csrf_token + \
-                "' /></div>"
+                "' /></div>")
 
             # Modify any POST forms
             response.content = _POST_FORM_RE.sub(add_csrf_field, response.content)

django/contrib/humanize/templatetags/humanize.py

@@ -16 +16 @@
     if value % 100 in (11, 12, 13): # special case
         return '%dth' % value
     return '%d%s' % (value, t[value % 10])
+ordinal.is_safe = True
 register.filter(ordinal)
 
 def intcomma(value):
@@ -29 +30 @@
         return new
     else:
         return intcomma(new)
+intcomma.is_safe = True
 register.filter(intcomma)
 
 def intword(value):
@@ -47 +49 @@
     if value < 1000000000000000:
         return '%.1f trillion' % (value / 1000000000000.0)
     return value
+intword.is_safe = False
 register.filter(intword)
 
 def apnumber(value):
@@ -61 +64 @@
     if not 0 < value < 10:
         return value
     return ('one', 'two', 'three', 'four', 'five', 'six', 'seven', 'eight', 'nine')[value-1]
+apnumber.is_safe = True
 register.filter(apnumber)

django/contrib/markup/templatetags/markup.py

@@ -16 +16 @@
 
 from django import template
 from django.conf import settings
+from django.utils.safestring import mark_safe
 
 register = template.Library()
 
@@ -25 +26 @@
     except ImportError:
         if settings.DEBUG:
             raise template.TemplateSyntaxError, "Error in {% textile %} filter: The Python textile library isn't installed."
-        return value
+        return mark_safe(value)
     else:
-        return textile.textile(value, encoding=settings.DEFAULT_CHARSET, output=settings.DEFAULT_CHARSET)
+        return mark_safe(textile.textile(value, encoding=settings.DEFAULT_CHARSET, output=settings.DEFAULT_CHARSET))
+textile.is_safe = True
 
 def markdown(value):
     try:
@@ -35 +37 @@
     except ImportError:
         if settings.DEBUG:
             raise template.TemplateSyntaxError, "Error in {% markdown %} filter: The Python markdown library isn't installed."
-        return value
+        return mark_safe(value)
     else:
-        return markdown.markdown(value)
+        return mark_safe(markdown.markdown(value))
+markdown.is_safe = True
 
 def restructuredtext(value):
     try:
@@ -45 +48 @@
     except ImportError:
         if settings.DEBUG:
             raise template.TemplateSyntaxError, "Error in {% restructuredtext %} filter: The Python docutils library isn't installed."
-        return value
+        return mark_safe(value)
     else:
         docutils_settings = getattr(settings, "RESTRUCTUREDTEXT_FILTER_SETTINGS", {})
         parts = publish_parts(source=value, writer_name="html4css1", settings_overrides=docutils_settings)
-        return parts["fragment"]
+        return mark_safe(parts["fragment"])
+restructuredtext.is_safe = True
 
 register.filter(textile)
 register.filter(markdown)

django/views/debug.py

@@ -290 +290 @@
   </script>
 </head>
 <body>
-
+{% autoescape %}
 <div id="summary">
   <h1>{{ exception_type }} at {{ request.path|escape }}</h1>
   <h2>{{ exception_value|escape }}</h2>
@@ -338 +338 @@
 <div id="template">
    <h2>Template error</h2>
    <p>In template <code>{{ template_info.name }}</code>, error at line <strong>{{ template_info.line }}</strong></p>
-   <h3>{{ template_info.message|escape }}</h3>
+   <h3>{{ template_info.message }}</h3>
    <table class="source{% if template_info.top %} cut-top{% endif %}{% ifnotequal template_info.bottom template_info.total %} cut-bottom{% endifnotequal %}">
    {% for source_line in template_info.source_lines %}
    {% ifequal source_line.0 template_info.line %}
@@ -365 +365 @@
           {% if frame.context_line %}
             <div class="context" id="c{{ frame.id }}">
               {% if frame.pre_context %}
-                <ol start="{{ frame.pre_context_lineno }}" class="pre-context" id="pre{{ frame.id }}">{% for line in frame.pre_context %}<li onclick="toggle('pre{{ frame.id }}', 'post{{ frame.id }}')">{{ line|escape }}</li>{% endfor %}</ol>
+                <ol start="{{ frame.pre_context_lineno }}" class="pre-context" id="pre{{ frame.id }}">{% for line in frame.pre_context %}<li onclick="toggle('pre{{ frame.id }}', 'post{{ frame.id }}')">{{ line }}</li>{% endfor %}</ol>
               {% endif %}
-              <ol start="{{ frame.lineno }}" class="context-line"><li onclick="toggle('pre{{ frame.id }}', 'post{{ frame.id }}')">{{ frame.context_line|escape }} <span>...</span></li></ol>
+              <ol start="{{ frame.lineno }}" class="context-line"><li onclick="toggle('pre{{ frame.id }}', 'post{{ frame.id }}')">{{ frame.context_line }} <span>...</span></li></ol>
               {% if frame.post_context %}
-                <ol start='{{ frame.lineno|add:"1" }}' class="post-context" id="post{{ frame.id }}">{% for line in frame.post_context %}<li onclick="toggle('pre{{ frame.id }}', 'post{{ frame.id }}')">{{ line|escape }}</li>{% endfor %}</ol>
+                <ol start='{{ frame.lineno|add:"1" }}' class="post-context" id="post{{ frame.id }}">{% for line in frame.post_context %}<li onclick="toggle('pre{{ frame.id }}', 'post{{ frame.id }}')">{{ line }}</li>{% endfor %}</ol>
               {% endif %}
             </div>
           {% endif %}
@@ -389 +389 @@
                 {% for var in frame.vars|dictsort:"0" %}
                   <tr>
                     <td>{{ var.0 }}</td>
-                    <td class="code"><div>{{ var.1|pprint|escape }}</div></td>
+                    <td class="code"><div>{{ var.1|pprint }}</div></td>
                   </tr>
                 {% endfor %}
               </tbody>
@@ -409 +409 @@
 {% for frame in frames %}
   File "{{ frame.filename }}" in {{ frame.function }}<br/>
   {% if frame.context_line %}
-    &nbsp;&nbsp;{{ frame.lineno }}. {{ frame.context_line|escape }}<br/>
+    &nbsp;&nbsp;{{ frame.lineno }}. {{ frame.context_line }}<br/>
   {% endif %}
 {% endfor %}<br/>
 &nbsp;&nbsp;{{ exception_type }} at {{ request.path|escape }}<br/>
@@ -437 +437 @@
         {% for var in request.GET.items %}
           <tr>
             <td>{{ var.0 }}</td>
-            <td class="code"><div>{{ var.1|pprint|escape }}</div></td>
+            <td class="code"><div>{{ var.1|pprint }}</div></td>
           </tr>
         {% endfor %}
       </tbody>
@@ -459 +459 @@
         {% for var in request.POST.items %}
           <tr>
             <td>{{ var.0 }}</td>
-            <td class="code"><div>{{ var.1|pprint|escape }}</div></td>
+            <td class="code"><div>{{ var.1|pprint }}</div></td>
           </tr>
         {% endfor %}
       </tbody>
@@ -481 +481 @@
         {% for var in request.COOKIES.items %}
           <tr>
             <td>{{ var.0 }}</td>
-            <td class="code"><div>{{ var.1|pprint|escape }}</div></td>
+            <td class="code"><div>{{ var.1|pprint }}</div></td>
           </tr>
         {% endfor %}
       </tbody>
@@ -502 +502 @@
       {% for var in request.META.items|dictsort:"0" %}
         <tr>
           <td>{{ var.0 }}</td>
-          <td class="code"><div>{{ var.1|pprint|escape }}</div></td>
+          <td class="code"><div>{{ var.1|pprint }}</div></td>
         </tr>
       {% endfor %}
     </tbody>
@@ -521 +521 @@
       {% for var in settings.items|dictsort:"0" %}
         <tr>
           <td>{{ var.0 }}</td>
-          <td class="code"><div>{{ var.1|pprint|escape }}</div></td>
+          <td class="code"><div>{{ var.1|pprint }}</div></td>
         </tr>
       {% endfor %}
     </tbody>
@@ -536 +536 @@
     display a standard 500 page.
   </p>
 </div>
-
+{% endautoescape %}
 </body>
 </html>
 """
@@ -567 +567 @@
   </style>
 </head>
 <body>
+{% autoescape %}
   <div id="summary">
     <h1>Page not found <span>(404)</span></h1>
     <table class="meta">
@@ -588 +589 @@
       </p>
       <ol>
         {% for pattern in urlpatterns %}
-          <li>{{ pattern|escape }}</li>
+          <li>{{ pattern }}</li>
         {% endfor %}
       </ol>
       <p>The current URL, <code>{{ request.path|escape }}</code>, didn't match any of these.</p>
     {% else %}
-      <p>{{ reason|escape }}</p>
+      <p>{{ reason }}</p>
     {% endif %}
   </div>
 
@@ -604 +605 @@
       will display a standard 404 page.
     </p>
   </div>
+{% endautoescape %}
 </body>
 </html>
 """
@@ -638 +640 @@
 </head>
 
 <body>
+{% autoescape %}
 <div id="summary">
   <h1>It worked!</h1>
   <h2>Congratulations on your first Django-powered page.</h2>
@@ -657 +660 @@
     Django settings file and you haven't configured any URLs. Get to work!
   </p>
 </div>
+{% endautoescape %}
 </body></html>
 """