Ticket #5730: widget_escaping.diff

File widget_escaping.diff, 7.9 KB (added by SmileyChris, 7 years ago)
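--- a/tests/regressiontests/forms/widgets.py
+++ b/tests/regressiontests/forms/widgets.py
@@ -2,6 +2,7 @@
 tests = r"""
 >>> from django.newforms import *
 >>> from django.newforms.widgets import RadioFieldRenderer
+>>> from django.utils.safestring import mark_safe
 >>> import datetime
 >>> import time
 >>> import re
@@ -205,6 +206,8 @@
 u'<textarea rows="10" cols="40" name="msg">value</textarea>'
 >>> w.render('msg', 'some "quoted" & ampersanded value')
 u'<textarea rows="10" cols="40" name="msg">some &quot;quoted&quot; &amp; ampersanded value</textarea>'
+>>> w.render('msg', mark_safe('pre &quot;quoted&quot; value'))
+u'<textarea rows="10" cols="40" name="msg">pre &quot;quoted&quot; value</textarea>'
 >>> w.render('msg', 'value', attrs={'class': 'pretty', 'rows': 20})
 u'<textarea class="pretty" rows="20" cols="40" name="msg">value</textarea>'
 
@@ -375,6 +378,17 @@
 <option value="5">5</option>
 </select>
 
+# Choices are escaped correctly
+>>> print w.render('escape', None, choices=(('bad', 'you & me'), ('good', mark_safe('you &gt; me'))))
+<select name="escape">
+<option value="1">1</option>
+<option value="2">2</option>
+<option value="3">3</option>
+<option value="bad">you &amp; me</option>
+<option value="good">you &gt; me</option>
+</select>
+
+# Unicode choices are correctly rendered as HTML
 >>> w.render('email', 'ŠĐĆŽćžšđ', choices=[('ŠĐĆŽćžšđ', 'ŠĐabcĆŽćžšđ'), ('ćžšđ', 'abcćžšđ')])
 u'<select name="email">\n<option value="1">1</option>\n<option value="2">2</option>\n<option value="3">3</option>\n<option value="\u0160\u0110\u0106\u017d\u0107\u017e\u0161\u0111" selected="selected">\u0160\u0110abc\u0106\u017d\u0107\u017e\u0161\u0111</option>\n<option value="\u0107\u017e\u0161\u0111">abc\u0107\u017e\u0161\u0111</option>\n</select>'
 
@@ -538,6 +552,17 @@
 <option value="5">5</option>
 </select>
 
+# Choices are escaped correctly
+>>> print w.render('escape', None, choices=(('bad', 'you & me'), ('good', mark_safe('you &gt; me'))))
+<select multiple="multiple" name="escape">
+<option value="1">1</option>
+<option value="2">2</option>
+<option value="3">3</option>
+<option value="bad">you &amp; me</option>
+<option value="good">you &gt; me</option>
+</select>
+
+# Unicode choices are correctly rendered as HTML
 >>> w.render('nums', ['ŠĐĆŽćžšđ'], choices=[('ŠĐĆŽćžšđ', 'ŠĐabcĆŽćžšđ'), ('ćžšđ', 'abcćžšđ')])
 u'<select multiple="multiple" name="nums">\n<option value="1">1</option>\n<option value="2">2</option>\n<option value="3">3</option>\n<option value="\u0160\u0110\u0106\u017d\u0107\u017e\u0161\u0111" selected="selected">\u0160\u0110abc\u0106\u017d\u0107\u017e\u0161\u0111</option>\n<option value="\u0107\u017e\u0161\u0111">abc\u0107\u017e\u0161\u0111</option>\n</select>'
 
@@ -682,6 +707,14 @@
 ...
 IndexError: list index out of range
 
+# Choices are escaped correctly
+>>> w = RadioSelect()
+>>> print w.render('escape', None, choices=(('bad', 'you & me'), ('good', mark_safe('you &gt; me'))))
+<ul>
+<li><label><input type="radio" name="escape" value="bad" /> you &amp; me</label></li>
+<li><label><input type="radio" name="escape" value="good" /> you &gt; me</label></li>
+</ul>
+
 # Unicode choices are correctly rendered as HTML
 >>> w = RadioSelect()
 >>> unicode(w.render('email', 'ŠĐĆŽćžšđ', choices=[('ŠĐĆŽćžšđ', 'ŠĐabcĆŽćžšđ'), ('ćžšđ', 'abcćžšđ')]))
@@ -811,6 +844,17 @@
 <li><label><input type="checkbox" name="nums" value="5" /> 5</label></li>
 </ul>
 
+# Choices are escaped correctly
+>>> print w.render('escape', None, choices=(('bad', 'you & me'), ('good', mark_safe('you &gt; me'))))
+<ul>
+<li><label><input type="checkbox" name="escape" value="1" /> 1</label></li>
+<li><label><input type="checkbox" name="escape" value="2" /> 2</label></li>
+<li><label><input type="checkbox" name="escape" value="3" /> 3</label></li>
+<li><label><input type="checkbox" name="escape" value="bad" /> you &amp; me</label></li>
+<li><label><input type="checkbox" name="escape" value="good" /> you &gt; me</label></li>
+</ul>
+
+# Unicode choices are correctly rendered as HTML
 >>> w.render('nums', ['ŠĐĆŽćžšđ'], choices=[('ŠĐĆŽćžšđ', 'ŠĐabcĆŽćžšđ'), ('ćžšđ', 'abcćžšđ')])
 u'<ul>\n<li><label><input type="checkbox" name="nums" value="1" /> 1</label></li>\n<li><label><input type="checkbox" name="nums" value="2" /> 2</label></li>\n<li><label><input type="checkbox" name="nums" value="3" /> 3</label></li>\n<li><label><input checked="checked" type="checkbox" name="nums" value="\u0160\u0110\u0106\u017d\u0107\u017e\u0161\u0111" /> \u0160\u0110abc\u0106\u017d\u0107\u017e\u0161\u0111</label></li>\n<li><label><input type="checkbox" name="nums" value="\u0107\u017e\u0161\u0111" /> abc\u0107\u017e\u0161\u0111</label></li>\n</ul>'
 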
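Review bot: The added doctests exercise label escaping only; none of them puts a character that needs escaping into an option value, which is rendered inside a quoted `value="..."` attribute. A case such as `choices=(('a"b', 'quoted value'),)` for Select, SelectMultiple, RadioSelect and CheckboxSelectMultiple would pin that values stay escaped even though labels now honor the safe marker. The widget hunks show the two select widgets passing the value through `escape`; the radio and checkbox value paths lie outside the visible hunks, so a test is the only evidence of their behavior here.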
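--- a/django/newforms/widgets.py
+++ b/django/newforms/widgets.py
@@ -11,7 +11,7 @@
 from itertools import chain
 
 from django.utils.datastructures import MultiValueDict
-from django.utils.html import escape
+from django.utils.html import escape, conditional_escape
 from django.utils.translation import ugettext
 from django.utils.encoding import StrAndUnicode, force_unicode
 from django.utils.safestring import mark_safe
@@ -155,7 +155,7 @@
         value = force_unicode(value)
         final_attrs = self.build_attrs(attrs, name=name)
         return mark_safe(u'<textarea%s>%s</textarea>' % (flatatt(final_attrs),
-                escape(value)))
+                conditional_escape(force_unicode(value))))
 
 class DateTimeInput(Input):
     input_type = 'text'
@@ -217,7 +217,9 @@
         for option_value, option_label in chain(self.choices, choices):
             option_value = force_unicode(option_value)
             selected_html = (option_value == str_value) and u' selected="selected"' or ''
-            output.append(u'<option value="%s"%s>%s</option>' % (escape(option_value), selected_html, escape(force_unicode(option_label))))
+            output.append(u'<option value="%s"%s>%s</option>' % (
+                    escape(option_value), selected_html,
+                    conditional_escape(force_unicode(option_label))))
         output.append(u'</select>')
         return mark_safe(u'\n'.join(output))
 
@@ -254,7 +256,9 @@
         for option_value, option_label in chain(self.choices, choices):
             option_value = force_unicode(option_value)
             selected_html = (option_value in str_values) and ' selected="selected"' or ''
-            output.append(u'<option value="%s"%s>%s</option>' % (escape(option_value), selected_html, escape(force_unicode(option_label))))
+            output.append(u'<option value="%s"%s>%s</option>' % (
+                    escape(option_value), selected_html,
+                    conditional_escape(force_unicode(option_label))))
         output.append(u'</select>')
         return mark_safe(u'\n'.join(output))
 
@@ -278,7 +282,7 @@
 
     def __unicode__(self):
         return mark_safe(u'<label>%s %s</label>' % (self.tag(),
-                self.choice_label))
+                conditional_escape(force_unicode(self.choice_label))))
 
     def is_checked(self):
         return self.value == self.choice_value
@@ -361,7 +365,8 @@
             cb = CheckboxInput(final_attrs, check_test=lambda value: value in str_values)
             option_value = force_unicode(option_value)
             rendered_cb = cb.render(name, option_value)
-            output.append(u'<li><label>%s %s</label></li>' % (rendered_cb, escape(force_unicode(option_label))))
+            output.append(u'<li><label>%s %s</label></li>' % (rendered_cb,
+                    conditional_escape(force_unicode(option_label))))
         output.append(u'</ul>')
         return mark_safe(u'\n'.join(output))
 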
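Review bot: The five `conditional_escape(...)` call sites (new lines 158, 222, 261, 285 and 369) now emit any label or textarea value carrying the safe marker verbatim, and nothing at those sites records that contract, so a caller that builds choices from untrusted text and marks them safe ends up with unescaped markup in the rendered form. A short comment at each site would make the trust boundary visible, for example `# Safe-marked text is emitted as-is; plain strings are escaped. Never mark untrusted text safe.` Separately, new line 158 calls `force_unicode(value)` on a value already converted at line 155, so `conditional_escape(value)` would do. The enclosing render methods and `__unicode__` start outside the hunks, so how `self.tag()` and `cb.render()` treat the option value cannot be confirmed from here.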