Ticket #2359: 02-misc-contrib-changes.diff

File 02-misc-contrib-changes.diff, 11.5 KB (added by Malcolm Tredinnick, 18 years ago)

Changes to most of the contrib/ applications (excludes admin)

  • django/contrib/csrf/middleware.py

    Miscellaneous changes to internals to make them use autoescaping.
    
    From:  <>
    
    
    ---
    
     django/contrib/csrf/middleware.py                |    7 ++--
     django/contrib/humanize/templatetags/humanize.py |    4 ++
     django/contrib/markup/templatetags/markup.py     |   16 ++++++---
     django/views/debug.py                            |   38 ++++++++++++----------
     4 files changed, 39 insertions(+), 26 deletions(-)
    
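diff --git a/django/contrib/csrf/middleware.py b/django/contrib/csrf/middleware.py
index f6f7886..849a379 100644
--- a/django/contrib/csrf/middleware.py
+++ b/django/contrib/csrf/middleware.py
@@ -7,11 +7,12 @@ against request forgeries from other sit
 """
 from django.conf import settings
 from django.http import HttpResponseForbidden
+from django.utils.safestring import mark_safe
 import md5
 import re
 import itertools
 
-_ERROR_MSG = "<h1>403 Forbidden</h1><p>Cross Site Request Forgery detected.  Request aborted.</p>"
+_ERROR_MSG = mark_safe("<h1>403 Forbidden</h1><p>Cross Site Request Forgery detected.  Request aborted.</p>")
 
 _POST_FORM_RE = \
     re.compile(r'(<form\W[^>]*\bmethod=(\'|"|)POST(\'|"|)\b[^>]*>)', re.IGNORECASE)
@@ -82,10 +83,10 @@ class CsrfMiddleware(object):
                                             itertools.repeat(''))
             def add_csrf_field(match):
                 """Returns the matched <form> tag plus the added <input> element"""
-                return match.group() + "<div style='display:none;'>" + \
+                return mark_safe(match.group() + "<div style='display:none;'>" + \
                 "<input type='hidden' " + idattributes.next() + \
                 " name='csrfmiddlewaretoken' value='" + csrf_token + \
-                "' /></div>"
+                "' /></div>")
 
             # Modify any POST forms
             response.content = _POST_FORM_RE.sub(add_csrf_field, response.content)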
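Review bot: The `mark_safe()` added around `add_csrf_field`'s return value (new line 86) is inert: `_POST_FORM_RE.sub()` splices the callback's result into a plain `str` before it is stored in `response.content` on line 92, so no SafeString survives and nothing downstream consults the marking. What actually keeps this injection safe is that `csrf_token` is concatenated into a single-quoted attribute with no escaping, which holds only if the token is restricted to attribute-safe characters — the `md5` import suggests a hex digest, but the token's construction is outside this hunk. Either drop the wrapper or replace it with a comment stating the real invariant, e.g. `# csrf_token is inserted unescaped: it must stay attribute-safe (hex digest)`. The enclosing method body begins before this hunk.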
  • django/contrib/humanize/templatetags/humanize.py

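diff --git a/django/contrib/humanize/templatetags/humanize.py b/django/contrib/humanize/templatetags/humanize.py
index b2d28a0..b2d368b 100644
--- a/django/contrib/humanize/templatetags/humanize.py
+++ b/django/contrib/humanize/templatetags/humanize.py
@@ -16,6 +16,7 @@ def ordinal(value):
     if value % 100 in (11, 12, 13): # special case
         return '%dth' % value
     return '%d%s' % (value, t[value % 10])
+ordinal.is_safe = True
 register.filter(ordinal)
 
 def intcomma(value):
@@ -29,6 +30,7 @@ def intcomma(value):
         return new
     else:
         return intcomma(new)
+intcomma.is_safe = True
 register.filter(intcomma)
 
 def intword(value):
@@ -47,6 +49,7 @@ def intword(value):
     if value < 1000000000000000:
         return '%.1f trillion' % (value / 1000000000000.0)
     return value
+intword.is_safe = False
 register.filter(intword)
 
 def apnumber(value):
@@ -61,4 +64,5 @@ def apnumber(value):
     if not 0 < value < 10:
         return value
     return ('one', 'two', 'three', 'four', 'five', 'six', 'seven', 'eight', 'nine')[value-1]
+apnumber.is_safe = True
 register.filter(apnumber)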
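Review bot: `intword.is_safe = False` (new line 52, third hunk) is inconsistent with the other three filters in this section, which are all marked `is_safe = True`; like `apnumber`, `intword` either returns its input unchanged (`return value` on line 51) or a number formatted with `%`, neither of which introduces markup, so `True` looks equally valid here. If `False` is intentional, a one-line comment next to it should say why — e.g. `# deliberately not is_safe: <reason>` — otherwise align it with `ordinal`, `intcomma` and `apnumber`. Each function body starts before its hunk, so any input coercion (such as an `int(value)` call) is not visible here.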
  • django/contrib/markup/templatetags/markup.py

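diff --git a/django/contrib/markup/templatetags/markup.py b/django/contrib/markup/templatetags/markup.py
index 4bb135c..a8a09ce 100644
--- a/django/contrib/markup/templatetags/markup.py
+++ b/django/contrib/markup/templatetags/markup.py
@@ -16,6 +16,7 @@ silently fail and return the un-marked-u
 
 from django import template
 from django.conf import settings
+from django.utils.safestring import mark_safe
 
 register = template.Library()
 
@@ -25,9 +26,10 @@ def textile(value):
     except ImportError:
         if settings.DEBUG:
             raise template.TemplateSyntaxError, "Error in {% textile %} filter: The Python textile library isn't installed."
-        return value
+        return mark_safe(value)
     else:
-        return textile.textile(value, encoding=settings.DEFAULT_CHARSET, output=settings.DEFAULT_CHARSET)
+        return mark_safe(textile.textile(value, encoding=settings.DEFAULT_CHARSET, output=settings.DEFAULT_CHARSET))
+textile.is_safe = True
 
 def markdown(value):
     try:
@@ -35,9 +37,10 @@ def markdown(value):
     except ImportError:
         if settings.DEBUG:
             raise template.TemplateSyntaxError, "Error in {% markdown %} filter: The Python markdown library isn't installed."
-        return value
+        return mark_safe(value)
     else:
-        return markdown.markdown(value)
+        return mark_safe(markdown.markdown(value))
+markdown.is_safe = True
 
 def restructuredtext(value):
     try:
@@ -45,11 +48,12 @@ def restructuredtext(value):
     except ImportError:
         if settings.DEBUG:
             raise template.TemplateSyntaxError, "Error in {% restructuredtext %} filter: The Python docutils library isn't installed."
-        return value
+        return mark_safe(value)
     else:
         docutils_settings = getattr(settings, "RESTRUCTUREDTEXT_FILTER_SETTINGS", {})
         parts = publish_parts(source=value, writer_name="html4css1", settings_overrides=docutils_settings)
-        return parts["fragment"]
+        return mark_safe(parts["fragment"])
+restructuredtext.is_safe = True
 
 register.filter(textile)
 register.filter(markdown)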
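Review bot: The ImportError fallbacks now return `mark_safe(value)` (new lines 29, 40 and 51) instead of the plain `value`, which marks raw, un-rendered input as trusted HTML; in a non-DEBUG deployment where the markup library is missing, any untrusted string passed through these filters is emitted with autoescaping disabled, an XSS exposure the old fallback did not have. The fallback should keep returning the unmarked string and reserve `mark_safe` for the library's rendered output, i.e. `return value` in all three `except ImportError:` branches. Marking the rendered output safe also delegates HTML safety to the renderer — docutils, for one, honours `.. raw:: html` unless `raw_enabled` is switched off — so a comment next to the `docutils_settings` lookup on line 53 should say `# Output is marked safe; for untrusted input disable raw/file-insertion via RESTRUCTUREDTEXT_FILTER_SETTINGS`.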
  • django/views/debug.py

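diff --git a/django/views/debug.py b/django/views/debug.py
index 6934360..b1b5ca6 100644
--- a/django/views/debug.py
+++ b/django/views/debug.py
@@ -290,10 +290,10 @@ TECHNICAL_500_TEMPLATE = """
   </script>
 </head>
 <body>
-
+{% autoescape %}
 <div id="summary">
   <h1>{{ exception_type }} at {{ request.path }}</h1>
-  <h2>{{ exception_value|escape }}</h2>
+  <h2>{{ exception_value }}</h2>
   <table class="meta">
     <tr>
       <th>Request Method:</th>
@@ -338,7 +338,7 @@ TECHNICAL_500_TEMPLATE = """
 <div id="template">
    <h2>Template error</h2>
    <p>In template <code>{{ template_info.name }}</code>, error at line <strong>{{ template_info.line }}</strong></p>
-   <h3>{{ template_info.message|escape }}</h3>
+   <h3>{{ template_info.message }}</h3>
    <table class="source{% if template_info.top %} cut-top{% endif %}{% ifnotequal template_info.bottom template_info.total %} cut-bottom{% endifnotequal %}">
    {% for source_line in template_info.source_lines %}
    {% ifequal source_line.0 template_info.line %}
@@ -365,11 +365,11 @@ TECHNICAL_500_TEMPLATE = """
           {% if frame.context_line %}
             <div class="context" id="c{{ frame.id }}">
               {% if frame.pre_context %}
-                <ol start="{{ frame.pre_context_lineno }}" class="pre-context" id="pre{{ frame.id }}">{% for line in frame.pre_context %}<li onclick="toggle('pre{{ frame.id }}', 'post{{ frame.id }}')">{{ line|escape }}</li>{% endfor %}</ol>
+                <ol start="{{ frame.pre_context_lineno }}" class="pre-context" id="pre{{ frame.id }}">{% for line in frame.pre_context %}<li onclick="toggle('pre{{ frame.id }}', 'post{{ frame.id }}')">{{ line }}</li>{% endfor %}</ol>
               {% endif %}
-              <ol start="{{ frame.lineno }}" class="context-line"><li onclick="toggle('pre{{ frame.id }}', 'post{{ frame.id }}')">{{ frame.context_line|escape }} <span>...</span></li></ol>
+              <ol start="{{ frame.lineno }}" class="context-line"><li onclick="toggle('pre{{ frame.id }}', 'post{{ frame.id }}')">{{ frame.context_line }} <span>...</span></li></ol>
               {% if frame.post_context %}
-                <ol start='{{ frame.lineno|add:"1" }}' class="post-context" id="post{{ frame.id }}">{% for line in frame.post_context %}<li onclick="toggle('pre{{ frame.id }}', 'post{{ frame.id }}')">{{ line|escape }}</li>{% endfor %}</ol>
+                <ol start='{{ frame.lineno|add:"1" }}' class="post-context" id="post{{ frame.id }}">{% for line in frame.post_context %}<li onclick="toggle('pre{{ frame.id }}', 'post{{ frame.id }}')">{{ line }}</li>{% endfor %}</ol>
               {% endif %}
             </div>
           {% endif %}
@@ -389,7 +389,7 @@ TECHNICAL_500_TEMPLATE = """
                 {% for var in frame.vars|dictsort:"0" %}
                   <tr>
                     <td>{{ var.0 }}</td>
-                    <td class="code"><div>{{ var.1|pprint|escape }}</div></td>
+                    <td class="code"><div>{{ var.1|pprint }}</div></td>
                   </tr>
                 {% endfor %}
               </tbody>
@@ -409,11 +409,11 @@ Traceback (most recent call last):<br/>
 {% for frame in frames %}
   File "{{ frame.filename }}" in {{ frame.function }}<br/>
   {% if frame.context_line %}
-    &nbsp;&nbsp;{{ frame.lineno }}. {{ frame.context_line|escape }}<br/>
+    &nbsp;&nbsp;{{ frame.lineno }}. {{ frame.context_line }}<br/>
   {% endif %}
 {% endfor %}<br/>
 &nbsp;&nbsp;{{ exception_type }} at {{ request.path }}<br/>
-&nbsp;&nbsp;{{ exception_value|escape }}</code>
+&nbsp;&nbsp;{{ exception_value }}</code>
           </td>
         </tr>
       </tbody>
@@ -437,7 +437,7 @@ Traceback (most recent call last):<br/>
         {% for var in request.GET.items %}
           <tr>
             <td>{{ var.0 }}</td>
-            <td class="code"><div>{{ var.1|pprint|escape }}</div></td>
+            <td class="code"><div>{{ var.1|pprint }}</div></td>
           </tr>
         {% endfor %}
       </tbody>
@@ -459,7 +459,7 @@ Traceback (most recent call last):<br/>
         {% for var in request.POST.items %}
           <tr>
             <td>{{ var.0 }}</td>
-            <td class="code"><div>{{ var.1|pprint|escape }}</div></td>
+            <td class="code"><div>{{ var.1|pprint }}</div></td>
           </tr>
         {% endfor %}
       </tbody>
@@ -481,7 +481,7 @@ Traceback (most recent call last):<br/>
         {% for var in request.COOKIES.items %}
           <tr>
             <td>{{ var.0 }}</td>
-            <td class="code"><div>{{ var.1|pprint|escape }}</div></td>
+            <td class="code"><div>{{ var.1|pprint }}</div></td>
           </tr>
         {% endfor %}
       </tbody>
@@ -502,7 +502,7 @@ Traceback (most recent call last):<br/>
       {% for var in request.META.items|dictsort:"0" %}
         <tr>
           <td>{{ var.0 }}</td>
-          <td class="code"><div>{{ var.1|pprint|escape }}</div></td>
+          <td class="code"><div>{{ var.1|pprint }}</div></td>
         </tr>
       {% endfor %}
     </tbody>
@@ -521,7 +521,7 @@ Traceback (most recent call last):<br/>
       {% for var in settings.items|dictsort:"0" %}
         <tr>
           <td>{{ var.0 }}</td>
-          <td class="code"><div>{{ var.1|pprint|escape }}</div></td>
+          <td class="code"><div>{{ var.1|pprint }}</div></td>
         </tr>
       {% endfor %}
     </tbody>
@@ -536,7 +536,7 @@ Traceback (most recent call last):<br/>
     display a standard 500 page.
   </p>
 </div>
-
+{% endautoescape %}
 </body>
 </html>
 """
@@ -567,6 +567,7 @@ TECHNICAL_404_TEMPLATE = """
   </style>
 </head>
 <body>
+{% autoescape %}
   <div id="summary">
     <h1>Page not found <span>(404)</span></h1>
     <table class="meta">
@@ -588,12 +589,12 @@ TECHNICAL_404_TEMPLATE = """
       </p>
       <ol>
         {% for pattern in urlpatterns %}
-          <li>{{ pattern|escape }}</li>
+          <li>{{ pattern }}</li>
         {% endfor %}
       </ol>
       <p>The current URL, <code>{{ request.path }}</code>, didn't match any of these.</p>
     {% else %}
-      <p>{{ reason|escape }}</p>
+      <p>{{ reason }}</p>
     {% endif %}
   </div>
 
@@ -604,6 +605,7 @@ TECHNICAL_404_TEMPLATE = """
       will display a standard 404 page.
     </p>
   </div>
+{% endautoescape %}
 </body>
 </html>
 """
@@ -638,6 +640,7 @@ EMPTY_URLCONF_TEMPLATE = """
 </head>
 
 <body>
+{% autoescape %}
 <div id="summary">
   <h1>It worked!</h1>
   <h2>Congratulations on your first Django-powered page.</h2>
@@ -657,5 +660,6 @@ EMPTY_URLCONF_TEMPLATE = """
     Django settings file and you haven't configured any URLs. Get to work!
   </p>
 </div>
+{% endautoescape %}
 </body></html>
 """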
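Review bot: The `{% autoescape %}` block in `TECHNICAL_500_TEMPLATE` opens only at `<body>` (new line 293, first hunk), so any variable rendered in the `<head>` above it — a `<title>` using `{{ exception_type }}` or `{{ request.path }}`, if there is one — stays unescaped even though the explicit `|escape` filters were removed on the assumption that autoescaping now covers the template; opening the block on the line after the template's opening `"""` would close that gap, and the same applies to the 404 and empty-urlconf templates. The tag is also written with no `on`/`off` argument in all three templates; if the final tag grammar requires one, every debug page will fail to parse at the worst possible moment, so `{% autoescape on %}` is the safer spelling. The `TECHNICAL_500_TEMPLATE` string starts before its first hunk.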