Ticket #2359: rev5722-02-misc-contrib-changes.diff

django/contrib/csrf/middleware.py

@@ -7 +7 @@
 """
 from django.conf import settings
 from django.http import HttpResponseForbidden
+from django.utils.safestring import mark_safe
 import md5
 import re
 import itertools
 
-_ERROR_MSG = '<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"><body><h1>403 Forbidden</h1><p>Cross Site Request Forgery detected. Request aborted.</p></body></html>'
+_ERROR_MSG = mark_safe('<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"><body><h1>403 Forbidden</h1><p>Cross Site Request Forgery detected. Request aborted.</p></body></html>')
 
 _POST_FORM_RE = \
     re.compile(r'(<form\W[^>]*\bmethod=(\'|"|)POST(\'|"|)\b[^>]*>)', re.IGNORECASE)
@@ -82 +83 @@
                                             itertools.repeat(''))
             def add_csrf_field(match):
                 """Returns the matched <form> tag plus the added <input> element"""
-                return match.group() + "<div style='display:none;'>" + \
+                return mark_safe(match.group() + "<div style='display:none;'>" + \
                 "<input type='hidden' " + idattributes.next() + \
                 " name='csrfmiddlewaretoken' value='" + csrf_token + \
-                "' /></div>"
+                "' /></div>")
 
             # Modify any POST forms
             response.content = _POST_FORM_RE.sub(add_csrf_field, response.content)

django/contrib/humanize/templatetags/humanize.py

@@ -18 +18 @@
     if value % 100 in (11, 12, 13): # special case
         return u"%d%s" % (value, t[0])
     return u'%d%s' % (value, t[value % 10])
+ordinal.is_safe = True
 register.filter(ordinal)
 
 def intcomma(value):
@@ -31 +32 @@
         return new
     else:
         return intcomma(new)
+intcomma.is_safe = True
 register.filter(intcomma)
 
 def intword(value):
@@ -52 +54 @@
         new_value = value / 1000000000000.0
         return ungettext('%(value).1f trillion', '%(value).1f trillion', new_value) % {'value': new_value}
     return value
+intword.is_safe = False
 register.filter(intword)
 
 def apnumber(value):
@@ -66 +69 @@
     if not 0 < value < 10:
         return value
     return (_('one'), _('two'), _('three'), _('four'), _('five'), _('six'), _('seven'), _('eight'), _('nine'))[value-1]
+apnumber.is_safe = True
 register.filter(apnumber)

django/contrib/markup/templatetags/markup.py

@@ -17 +17 @@
 from django import template
 from django.conf import settings
 from django.utils.encoding import smart_str, force_unicode
+from django.utils.safestring import mark_safe
 
 register = template.Library()
 
@@ -28 +29 @@
             raise template.TemplateSyntaxError, "Error in {% textile %} filter: The Python textile library isn't installed."
         return force_unicode(value)
     else:
-        return force_unicode(textile.textile(smart_str(value), encoding='utf-8', output='utf-8'))
+        return mark_safe(force_unicode(textile.textile(smart_str(value), encoding='utf-8', output='utf-8')))
+textile.is_safe = True
 
 def markdown(value):
     try:
@@ -38 +40 @@
             raise template.TemplateSyntaxError, "Error in {% markdown %} filter: The Python markdown library isn't installed."
         return force_unicode(value)
     else:
-        return force_unicode(markdown.markdown(smart_str(value)))
+        return mark_safe(force_unicode(markdown.markdown(smart_str(value))))
+markdown.is_safe = True
 
 def restructuredtext(value):
     try:
@@ -50 +53 @@
     else:
         docutils_settings = getattr(settings, "RESTRUCTUREDTEXT_FILTER_SETTINGS", {})
         parts = publish_parts(source=smart_str(value), writer_name="html4css1", settings_overrides=docutils_settings)
-        return force_unicode(parts["fragment"])
+        return mark_safe(force_unicode(parts["fragment"]))
+restructuredtext.is_safe = True
 
 register.filter(textile)
 register.filter(markdown)

django/views/debug.py

@@ -323 +323 @@
   </script>
 </head>
 <body>
-
+{% autoescape %}
 <div id="summary">
   <h1>{{ exception_type }} at {{ request.path|escape }}</h1>
   <h2>{{ exception_value|escape }}</h2>
@@ -379 +379 @@
 <div id="template">
    <h2>Template error</h2>
    <p>In template <code>{{ template_info.name }}</code>, error at line <strong>{{ template_info.line }}</strong></p>
-   <h3>{{ template_info.message|escape }}</h3>
+   <h3>{{ template_info.message }}</h3>
    <table class="source{% if template_info.top %} cut-top{% endif %}{% ifnotequal template_info.bottom template_info.total %} cut-bottom{% endifnotequal %}">
    {% for source_line in template_info.source_lines %}
    {% ifequal source_line.0 template_info.line %}
@@ -406 +406 @@
           {% if frame.context_line %}
             <div class="context" id="c{{ frame.id }}">
               {% if frame.pre_context %}
-                <ol start="{{ frame.pre_context_lineno }}" class="pre-context" id="pre{{ frame.id }}">{% for line in frame.pre_context %}<li onclick="toggle('pre{{ frame.id }}', 'post{{ frame.id }}')">{{ line|escape }}</li>{% endfor %}</ol>
+                <ol start="{{ frame.pre_context_lineno }}" class="pre-context" id="pre{{ frame.id }}">{% for line in frame.pre_context %}<li onclick="toggle('pre{{ frame.id }}', 'post{{ frame.id }}')">{{ line }}</li>{% endfor %}</ol>
               {% endif %}
-              <ol start="{{ frame.lineno }}" class="context-line"><li onclick="toggle('pre{{ frame.id }}', 'post{{ frame.id }}')">{{ frame.context_line|escape }} <span>...</span></li></ol>
+              <ol start="{{ frame.lineno }}" class="context-line"><li onclick="toggle('pre{{ frame.id }}', 'post{{ frame.id }}')">{{ frame.context_line }} <span>...</span></li></ol>
               {% if frame.post_context %}
-                <ol start='{{ frame.lineno|add:"1" }}' class="post-context" id="post{{ frame.id }}">{% for line in frame.post_context %}<li onclick="toggle('pre{{ frame.id }}', 'post{{ frame.id }}')">{{ line|escape }}</li>{% endfor %}</ol>
+                <ol start='{{ frame.lineno|add:"1" }}' class="post-context" id="post{{ frame.id }}">{% for line in frame.post_context %}<li onclick="toggle('pre{{ frame.id }}', 'post{{ frame.id }}')">{{ line }}</li>{% endfor %}</ol>
               {% endif %}
             </div>
           {% endif %}
@@ -430 +430 @@
                 {% for var in frame.vars|dictsort:"0" %}
                   <tr>
                     <td>{{ var.0 }}</td>
-                    <td class="code"><div>{{ var.1|pprint|escape }}</div></td>
+                    <td class="code"><div>{{ var.1|pprint }}</div></td>
                   </tr>
                 {% endfor %}
               </tbody>
@@ -450 +450 @@
 {% for frame in frames %}
   File "{{ frame.filename }}" in {{ frame.function }}<br/>
   {% if frame.context_line %}
-    &nbsp;&nbsp;{{ frame.lineno }}. {{ frame.context_line|escape }}<br/>
+    &nbsp;&nbsp;{{ frame.lineno }}. {{ frame.context_line }}<br/>
   {% endif %}
 {% endfor %}<br/>
 &nbsp;&nbsp;{{ exception_type }} at {{ request.path|escape }}<br/>
@@ -478 +478 @@
         {% for var in request.GET.items %}
           <tr>
             <td>{{ var.0 }}</td>
-            <td class="code"><div>{{ var.1|pprint|escape }}</div></td>
+            <td class="code"><div>{{ var.1|pprint }}</div></td>
           </tr>
         {% endfor %}
       </tbody>
@@ -500 +500 @@
         {% for var in request.POST.items %}
           <tr>
             <td>{{ var.0 }}</td>
-            <td class="code"><div>{{ var.1|pprint|escape }}</div></td>
+            <td class="code"><div>{{ var.1|pprint }}</div></td>
           </tr>
         {% endfor %}
       </tbody>
@@ -522 +522 @@
         {% for var in request.COOKIES.items %}
           <tr>
             <td>{{ var.0 }}</td>
-            <td class="code"><div>{{ var.1|pprint|escape }}</div></td>
+            <td class="code"><div>{{ var.1|pprint }}</div></td>
           </tr>
         {% endfor %}
       </tbody>
@@ -543 +543 @@
       {% for var in request.META.items|dictsort:"0" %}
         <tr>
           <td>{{ var.0 }}</td>
-          <td class="code"><div>{{ var.1|pprint|escape }}</div></td>
+          <td class="code"><div>{{ var.1|pprint }}</div></td>
         </tr>
       {% endfor %}
     </tbody>
@@ -562 +562 @@
       {% for var in settings.items|dictsort:"0" %}
         <tr>
           <td>{{ var.0 }}</td>
-          <td class="code"><div>{{ var.1|pprint|escape }}</div></td>
+          <td class="code"><div>{{ var.1|pprint }}</div></td>
         </tr>
       {% endfor %}
     </tbody>
@@ -577 +577 @@
     display a standard 500 page.
   </p>
 </div>
-
+{% endautoescape %}
 </body>
 </html>
 """
@@ -608 +608 @@
   </style>
 </head>
 <body>
+{% autoescape %}
   <div id="summary">
     <h1>Page not found <span>(404)</span></h1>
     <table class="meta">
@@ -629 +630 @@
       </p>
       <ol>
         {% for pattern in urlpatterns %}
-          <li>{{ pattern|escape }}</li>
+          <li>{{ pattern }}</li>
         {% endfor %}
       </ol>
       <p>The current URL, <code>{{ request_path|escape }}</code>, didn't match any of these.</p>
     {% else %}
-      <p>{{ reason|escape }}</p>
+      <p>{{ reason }}</p>
     {% endif %}
   </div>
 
@@ -645 +646 @@
       will display a standard 404 page.
     </p>
   </div>
+{% endautoescape %}
 </body>
 </html>
 """
@@ -679 +681 @@
 </head>
 
 <body>
+{% autoescape %}
 <div id="summary">
   <h1>It worked!</h1>
   <h2>Congratulations on your first Django-powered page.</h2>
@@ -698 +701 @@
     Django settings file and you haven't configured any URLs. Get to work!
   </p>
 </div>
+{% endautoescape %}
 </body></html>
 """