Opened 9 years ago

Closed 9 years ago

Last modified 8 years ago

#1270 closed defect (fixed)

[patch] Escape filter does not escape single quotes to &apos;

Reported by: beegee Owned by: adrian
Component: Template system Version:
Severity: major Keywords:
Cc: Triage Stage: Unreviewed
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: UI/UX:

Description

The escape filter does not escape single quotes to &apos;. Why not? It can simply be repaired in the following file http://code.djangoproject.com/browser/django/trunk/django/utils/html.py.

Line 28 in this file states: return html.replace('&', '&amp;').replace('<', '&lt;').replace('>', '&gt;').replace('"', '&quot;')

Simply extend this line as follows: return html.replace('&', '&amp;').replace('<', '&lt;').replace('>', '&gt;').replace('"', '&quot;').replace("'", '&apos;')

When building xml files with the Django template system this is a life saver. Because, now all five internally declared xml entities are nicely escaped by the escape filter.

Attachments (2)

html.diff (606 bytes) - added by scum 9 years ago.
[patch] added unicode replacement (\u0027) to single quotes
html.2.diff (606 bytes) - added by Malcolm Tredinnick <malcolm@…> 9 years ago.
Updated patch using &#39;.


Change History (8)

comment:1 Changed 9 years ago by hugo

The problem with this: apos isn't a valid entity in HTML, it's only valid in XML (and therefore should be valid in XHTML). So it's always a problem to add it, because anybody producing HTML4 will get invalid entities. Better to replace it by its unicode numerical encoding, as that is valid in both HTML and XML.

Changed 9 years ago by scum

[patch] added unicode replacement (\u0027) to single quotes

comment:2 Changed 9 years ago by anonymous

.replace("'", "\\'")

While I added the unicode patch, couldn't this be used instead?

comment:3 Changed 9 years ago by ffff

What's wrong with &#39; ?

comment:4 Changed 9 years ago by hugo

Nothing is wrong with &#39; Actually that's what I was thinking of ;-)

Changed 9 years ago by Malcolm Tredinnick <malcolm@…>

Updated patch using &#39;.

comment:5 Changed 9 years ago by Malcolm Tredinnick <malcolm@…>

  • Summary changed from Escape filter does not escape single quotes to &apos; to [patch] Escape filter does not escape single quotes to &apos;

comment:6 Changed 9 years ago by adrian

  • Resolution set to fixed
  • Status changed from new to closed

(In [2738]) magic-removal: Fixed #1270 -- Made the escape filter escape single quotes
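The thread above settles on &#39; rather than &apos; for the single quote. The following is an added example, not Django's code and not any patch from this ticket: it reproduces the pre-fix four-character escape and the post-fix five-character escape as plain Python functions, then shows why leaving the apostrophe alone matters when the escaped value lands in a single-quoted HTML attribute. The template, the payload and the helper names (`escape_before`, `escape_after`, `render_title`, `attribute_count`, `demo`) are constructed for this illustration; the parse check uses the XML parser from the standard library, since &#39; is a numeric character reference and therefore valid in HTML 4, XHTML and XML alike.

```python
"""Added example for ticket #1270 (not Django's code): the escape filter
before and after the single-quote fix, and an attribute-injection check.
"""
import html
import xml.etree.ElementTree as ET


def escape_before(s):
    """Pre-fix behaviour described in the ticket: '&', '<', '>' and '"' are
    escaped, the single quote is passed through untouched."""
    return (s.replace('&', '&amp;')
             .replace('<', '&lt;')
             .replace('>', '&gt;')
             .replace('"', '&quot;'))


def escape_after(s):
    """Post-fix behaviour: the single quote becomes &#39;, a numeric
    character reference that HTML 4, XHTML and XML all accept. The named
    entity &apos; would be correct XML but is not defined in HTML 4, which
    is why the second patch in the thread switched away from it.
    '&' must be replaced first so that the references just emitted are not
    themselves re-escaped."""
    return escape_before(s).replace("'", '&#39;')


# Constructed template: a single-quoted attribute filled from user input.
ATTR_TEMPLATE = "<a title='{}' href='/'>link</a>"

# Constructed payload: closes the quoted title and smuggles in an event
# handler attribute. It contains no double quote, so only single-quote
# escaping can stop it.
PAYLOAD = "' onmouseover='alert(1)"


def render_title(title, escape):
    """Render the attribute with the given escape function."""
    return ATTR_TEMPLATE.format(escape(title))


def attribute_count(fragment):
    """Parse the fragment and return how many attributes the <a> element
    ended up with. Two means the payload stayed inside the title; three
    means it broke out and added its own attribute."""
    return len(ET.fromstring(fragment).attrib)


def demo():
    """Run the payload through both escape variants and report the result."""
    before = render_title(PAYLOAD, escape_before)
    after = render_title(PAYLOAD, escape_after)
    return {
        "before": before,
        "before_attrs": attribute_count(before),
        "after": after,
        "after_attrs": attribute_count(after),
        # &#39; decodes back to the literal apostrophe on the consuming side.
        "roundtrip": ET.fromstring(after).attrib["title"],
        # The standard library makes the same choice (a numeric reference,
        # &#x27;) for the same reason.
        "stdlib": html.escape(PAYLOAD),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script prints the un-escaped rendering with three attributes on the anchor (the injected `onmouseover` included) and the fixed rendering with two, where the whole payload is confined to the `title` value and decodes back to the original string once the document is parsed.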
