Opened 11 years ago

Closed 11 years ago

Last modified 10 years ago

#1270 closed defect (fixed)

[patch] Escape filter does not escape single quotes to &apos;

Reported by: beegee
Owned by: Adrian Holovaty
Component: Template system
Version:
Severity: major
Keywords:
Cc:
Triage Stage: Unreviewed
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

The escape filter does not escape single quotes to &apos;. Why not? It can simply be repaired in the following file http://code.djangoproject.com/browser/django/trunk/django/utils/html.py.

Line 28 in this file states: return html.replace('&', '&amp;').replace('<', '&lt;').replace('>', '&gt;').replace('"', '&quot;')

Simply extend this line as follows: return html.replace('&', '&amp;').replace('<', '&lt;').replace('>', '&gt;').replace('"', '&quot;').replace("'", '&apos;')

When building XML files with the Django template system this is a life saver, because now all five internally declared XML entities are nicely escaped by the escape filter.

Attachments (2)

html.diff (606 bytes) - added by scum 11 years ago.
[patch] added unicode replacement (\u0027) to single quotes
html.2.diff (606 bytes) - added by Malcolm Tredinnick <malcolm@…> 11 years ago.
Updated patch using &#39;.


Change History (8)

comment:1 Changed 11 years ago by hugo

The problem with this: apos isn't a valid entity in HTML, it's only valid in XML (and therefore should be valid in XHTML). So it's always a problem to add it, because anybody producing HTML4 will get invalid entities. Better to replace it by its unicode numerical encoding, as that is valid in both HTML and XML.

Changed 11 years ago by scum

Attachment: html.diff added

[patch] added unicode replacement (\u0027) to single quotes

comment:2 Changed 11 years ago by anonymous

.replace("'", "\\'")

While I added the unicode patch, couldn't this be used instead?

comment:3 Changed 11 years ago by ffff

What's wrong with &#39; ?

comment:4 Changed 11 years ago by hugo

Nothing is wrong with &#39;. Actually that's what I was thinking of ;-)
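To make the trade-off argued in comments 1 to 4 concrete, here is an added example (not Django's own code and not either attached patch). It compares the four escaping variants mentioned on this ticket against an XML parser and against the HTML 4.01 entity list that ships with Python; the SAMPLE string and the html4_unescape helper are constructed for this illustration.

```python
import re
import xml.etree.ElementTree as ET
from html.entities import name2codepoint  # Python's HTML 4.01 named-entity table

# Constructed input containing all five characters XML predeclares entities for.
SAMPLE = "Tom & Jerry's <\"quote\">"

def escape_original(text):
    # The line quoted from django/utils/html.py in the ticket: the single quote passes through.
    return (text.replace('&', '&amp;').replace('<', '&lt;')
                .replace('>', '&gt;').replace('"', '&quot;'))

def escape_apos(text):       # the reporter's proposal
    return escape_original(text).replace("'", '&apos;')

def escape_numeric(text):    # what html.2.diff uses
    return escape_original(text).replace("'", '&#39;')

def escape_backslash(text):  # the comment:2 suggestion
    return escape_original(text).replace("'", "\\'")

def xml_roundtrip(escaped):
    # Parse the escaped text as element content and return what an XML parser recovers.
    return ET.fromstring('<t>' + escaped + '</t>').text

def html4_unescape(escaped):
    # Resolve numeric references and HTML 4.01 named entities only; an entity that
    # HTML 4 does not define is left verbatim, which is how a pre-HTML5 parser shows it.
    def sub(m):
        ref = m.group(1)
        if ref[0] == '#':
            return chr(int(ref[2:], 16)) if ref[1] in 'xX' else chr(int(ref[1:]))
        return chr(name2codepoint[ref]) if ref in name2codepoint else m.group(0)
    return re.sub(r'&(#?[0-9A-Za-z]+);', sub, escaped)

def evaluate(escape_fn, text=SAMPLE):
    # Does the variant survive an XML parser and an HTML 4 parser, and does a raw
    # single quote remain in the output (the gap the ticket is about)?
    escaped = escape_fn(text)
    return {
        'xml_ok': xml_roundtrip(escaped) == text,
        'html4_ok': html4_unescape(escaped) == text,
        'raw_quote': "'" in escaped,
    }

if __name__ == '__main__':
    for fn in (escape_original, escape_apos, escape_numeric, escape_backslash):
        print(fn.__name__, evaluate(fn))
```

Only the numeric reference clears all three checks: &apos; is not in the HTML 4.01 table, and the backslash form is not markup escaping at all, so both parsers hand back a backslash and a raw quote.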

Changed 11 years ago by Malcolm Tredinnick <malcolm@…>

Attachment: html.2.diff added

Updated patch using &#39;.

comment:5 Changed 11 years ago by Malcolm Tredinnick <malcolm@…>

Summary: Escape filter does not escape single quotes to &apos; → [patch] Escape filter does not escape single quotes to &apos;

comment:6 Changed 11 years ago by Adrian Holovaty

Resolution: fixed
Status: new → closed

(In [2738]) magic-removal: Fixed #1270 -- Made the escape filter escape single quotes
