Opened 18 years ago

Closed 18 years ago

Last modified 17 years ago

#1270 closed defect (fixed)

[patch] Escape filter does not escape single quotes to &apos;

Reported by: beegee
Owned by: Adrian Holovaty
Component: Template system
Version:
Severity: major
Keywords:
Cc:
Triage Stage: Unreviewed
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

The escape filter does not escape single quotes to &apos;. Why not? It can simply be repaired in the following file http://code.djangoproject.com/browser/django/trunk/django/utils/html.py.

Line 28 in this file states: return html.replace('&', '&amp;').replace('<', '&lt;').replace('>', '&gt;').replace('"', '&quot;')

Simply extend this line as follows: return html.replace('&', '&amp;').replace('<', '&lt;').replace('>', '&gt;').replace('"', '&quot;').replace("'", '&apos;')

When building xml files with the Django template system this is a life saver. Because, now all five internally declared xml entities are nicely escaped by the escape filter.
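
The two versions of the escape function this ticket is about, as an added example that is not code from the ticket or from Django itself. `escape_old` is the four-entity behaviour the description quotes, `escape_apos` is the description's proposed fix, and `escape_new` uses `&#39;` instead, which is what the later comments settle on because `&apos;` is a predefined entity in XML but not in HTML 4. The security point the ticket does not spell out is also shown: a single-quoted attribute filled with a value the old filter leaves untouched is broken out of, and a strict XML parser recovers the injected attribute. The helper names `render_attr`, `attribute_breakout`, `xml_roundtrip`, `html_roundtrip` and the sample value are assumptions made here for the demonstration.

```python
import html
import xml.etree.ElementTree as ET


def escape_old(text):
    """The four-replacement escape quoted in the ticket: & < > and the double
    quote only; a single quote passes through unchanged."""
    return (text.replace('&', '&amp;')
                .replace('<', '&lt;')
                .replace('>', '&gt;')
                .replace('"', '&quot;'))


def escape_apos(text):
    """The description's proposed fix. &apos; is one of the five XML
    predefined entities but is not defined in HTML 4."""
    return escape_old(text).replace("'", '&apos;')


def escape_new(text):
    """The variant the committed patch used: a numeric character reference,
    which both HTML and XML parsers understand."""
    return escape_old(text).replace("'", '&#39;')


def render_attr(escape, value):
    """Constructed template fragment: a single-quoted HTML attribute whose
    value comes from an escaped, attacker-controlled string."""
    return "<a title='%s'>link</a>" % escape(value)


def attribute_breakout(escape, value):
    """True when the escape function leaves a raw single quote in its output,
    so the value can close a single-quoted attribute early."""
    return "'" in escape(value)


def xml_roundtrip(escape, value):
    """Escape the value, embed it as an attribute in a small XML document,
    parse it strictly and return the attribute text the parser recovers.
    If the quote was not escaped, the parser sees the injected attribute
    instead of the intended value."""
    doc = "<item name='%s'/>" % escape(value)
    return ET.fromstring(doc).get('name')


def html_roundtrip(escape, value):
    """Escape, then decode with an HTML entity decoder; the result should be
    the original value when the escape only used entities HTML knows."""
    return html.unescape(escape(value))


if __name__ == '__main__':
    # Constructed attacker-controlled value: closes the attribute and adds a handler.
    payload = "' onmouseover='alert(1)"
    print(render_attr(escape_old, payload))
    print(render_attr(escape_new, payload))
    print(repr(xml_roundtrip(escape_old, payload)))
    print(repr(xml_roundtrip(escape_new, payload)))
```

Note that `xml_roundtrip` accepts both `escape_apos` and `escape_new`, since XML defines `&apos;`; the difference between the two only shows up in an HTML 4 consumer, which is hugo's objection below.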

Attachments (2)

html.diff (606 bytes ) - added by scum 18 years ago.
[patch] added unicode replacement (\u0027) to single quotes
html.2.diff (606 bytes ) - added by Malcolm Tredinnick <malcolm@…> 18 years ago.
Updated patch using &#39;.


Change History (8)

comment:1 by hugo, 18 years ago

The problem with this: apos isn't a valid entity in HTML, it's only valid in XML (and therefore should be valid in XHTML). So it's always a problem to add it, because anybody producing HTML4 will get invalid entities. Better to replace it by its Unicode numerical encoding, as that is valid in both HTML and XML.

by scum, 18 years ago

Attachment: html.diff added

[patch] added unicode replacement (\u0027) to single quotes

comment:2 by anonymous, 18 years ago

.replace("'", "\\'")

While I added the unicode patch, couldn't this be used instead?

comment:3 by ffff, 18 years ago

What's wrong with &#39; ?

comment:4 by hugo, 18 years ago

Nothing is wrong with &#39;. Actually that's what I was thinking of ;-)

by Malcolm Tredinnick <malcolm@…>, 18 years ago

Attachment: html.2.diff added

Updated patch using &#39;.

comment:5 by Malcolm Tredinnick <malcolm@…>, 18 years ago

Summary: changed from "Escape filter does not escape single quotes to &apos;" to "[patch] Escape filter does not escape single quotes to &apos;"

comment:6 by Adrian Holovaty, 18 years ago

Resolution: fixed
Status: changed from new to closed

(In [2738]) magic-removal: Fixed #1270 -- Made the escape filter escape single quotes
