Opened 13 years ago

Closed 13 years ago

Last modified 13 years ago

#14818 closed (fixed)

cycle tag is not safe

Reported by: Stephen Kelly
Owned by: nobody
Component: Template system
Version: 1.2
Severity:
Keywords:
Cc:
Triage Stage: Ready for checkin
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description (last modified by Luke Plant)

In [1]: from django.template import Template, Context
In [3]: t = Template("{% cycle one two as foo %} {% cycle foo %}")
In [5]: c = Context({"one" : "A & B", "two": "C & D"})
In [6]: t.render(c)
Out[6]: u'A & B C & D'

This is likely fixed by using _render_value_in_context() in the implementation of the cycle node render method.

Attachments (1)

test_cycle.patch (998 bytes) - added by Stephen Kelly 13 years ago.
Tests for documented behaviour


Change History (8)

comment:1 by Matt McClanahan, 13 years ago

Resolution: invalid
Status: new → closed

I don't see a bug here. You might be misunderstanding how the cycle tag works.

comment:2 by Stephen Kelly, 13 years ago

Resolution: invalid
Status: closed → reopened

It's strange that you don't see the bug. The variable is written to the output unescaped.

What do you think I'm missing about how cycle works?

In [1]: from django.template import Template, Context

In [2]: t = Template("{{ one }}, {{ two }}, {% cycle one two as foo %}, {% cycle foo %}")

In [4]: c = Context({"one": "A & B", "two": "C & D"})

In [5]: t.render(c)
Out[5]: u'A & B, C & D, A & B, C & D'

comment:3 by Luke Plant, 13 years ago

Description: modified (diff)
Resolution: invalid
Status: reopened → closed

There is no bug, because the cycle tag is not supposed to escape its output, in common with other template tags. This is clearly explained in the documentation.
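
The behaviour under discussion in the description and in this comment, shown as an added example that is neither the ticket's code nor Django's: a minimal model of a template variable node (escaped whenever autoescape is on) next to a cycle node in two forms, the 1.2 form the ticket reproduces (the resolved value is written raw) and the form the description proposes (the value goes through the same conditional escaping a variable node uses, the idea behind `_render_value_in_context()`). `SafeString`, `mark_safe`, `conditional_escape`, `TextNode`, `VariableNode`, `CycleNode` and the render helpers are simplified stand-ins named here for illustration; the context values are the ticket's, and the `<b>x</b>` markup string is a constructed sample.

```python
import html


class SafeString(str):
    """Stand-in for Django's SafeString: marks text as already safe for HTML,
    so conditional_escape passes it through untouched."""


def mark_safe(value):
    """Stand-in for django.utils.safestring.mark_safe."""
    return SafeString(value)


def conditional_escape(value):
    """Escape unless the value is marked safe. Simplified model of the helper
    Django's variable nodes use; not Django's own implementation."""
    if isinstance(value, SafeString):
        return value
    return SafeString(html.escape(str(value), quote=True))


class TextNode:
    """Literal template text between tags."""

    def __init__(self, text):
        self.text = text

    def render(self, context, autoescape=True):
        return self.text


class VariableNode:
    """{{ name }}: escaped whenever autoescape is on."""

    def __init__(self, name):
        self.name = name

    def render(self, context, autoescape=True):
        value = context[self.name]
        return conditional_escape(value) if autoescape else str(value)


class CycleNode:
    """{% cycle a b ... %}: emits the next variable's value on each render.

    escape_output=False reproduces the 1.2 behaviour the ticket shows (the
    resolved value is written raw); escape_output=True runs it through the
    same conditional escaping a VariableNode uses, as the description proposes.
    Re-rendering the same node object models `{% cycle one two as foo %}`
    followed by `{% cycle foo %}`, which share one counter.
    """

    def __init__(self, var_names, escape_output):
        self.var_names = list(var_names)
        self.escape_output = escape_output
        self.counter = 0

    def render(self, context, autoescape=True):
        name = self.var_names[self.counter % len(self.var_names)]
        self.counter += 1
        value = context[name]
        if autoescape and self.escape_output:
            return conditional_escape(value)
        return str(value)


def render_nodes(nodes, context, autoescape=True):
    return "".join(node.render(context, autoescape) for node in nodes)


def render_ticket_template(escape_cycle):
    """Equivalent of the ticket's
    "{{ one }}, {{ two }}, {% cycle one two as foo %}, {% cycle foo %}"
    with the ticket's context, rendered with autoescape on."""
    context = {"one": "A & B", "two": "C & D"}
    foo = CycleNode(["one", "two"], escape_output=escape_cycle)
    nodes = [
        VariableNode("one"), TextNode(", "),
        VariableNode("two"), TextNode(", "),
        foo, TextNode(", "),   # {% cycle one two as foo %}
        foo,                   # {% cycle foo %}
    ]
    return render_nodes(nodes, context)


def cycle_once(value, escape_output):
    """Render a single cycle step over one value; used below with a constructed
    markup string to show where the raw path becomes an injection point."""
    return CycleNode(["v"], escape_output=escape_output).render({"v": value})


if __name__ == "__main__":
    print(render_ticket_template(escape_cycle=False))  # raw cycle, as in the ticket
    print(render_ticket_template(escape_cycle=True))   # cycle escaped like {{ }}
    untrusted = "<b>x</b>"  # constructed sample, not from the ticket
    print(cycle_once(untrusted, escape_output=False))
    print(cycle_once(untrusted, escape_output=True))
    print(cycle_once(mark_safe(untrusted), escape_output=True))
```

With the raw path, the two `{{ }}` outputs come back as `A &amp; B, C &amp; D` while the two cycle outputs come back as `A & B, C & D`, which is the difference the reporter's session shows; with the escaped path all four are escaped, and a value wrapped in `mark_safe` still passes through, so a template author keeps a way to emit markup deliberately. The practical point for anyone on this Django version is that `{% cycle %}` over values that can carry user input is an HTML injection point unless those values are escaped before they reach the template; later Django releases changed the tag to escape its output, so check the behaviour of the version actually in use rather than assuming either way.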

by Stephen Kelly, 13 years ago

Attachment: test_cycle.patch added

Tests for documented behaviour

comment:4 by Stephen Kelly, 13 years ago

Has patch: set
Resolution: invalid
Status: closed → reopened

I have uploaded a new patch for tests of the existing behavior instead of changing it.

comment:5 by Russell Keith-Magee, 13 years ago

Triage Stage: Unreviewed → Ready for checkin

Valid tests for the documented behavior.

comment:6 by Russell Keith-Magee, 13 years ago

Resolution: fixed
Status: reopened → closed

(In [15335]) Fixed #14818 -- Added explicit tests for the way that the cycle tag handles escaping. Thanks to steveire.

comment:7 by Russell Keith-Magee, 13 years ago

(In [15338]) [1.2.X] Fixed #14818 -- Added explicit tests for the way that the cycle tag handles escaping. Thanks to steveire.

Backport of r15335 from trunk.
