Opened 6 years ago

Closed 6 years ago

Last modified 6 years ago

#14818 closed (fixed)

cycle tag is not safe

Reported by: Stephen Kelly Owned by: nobody
Component: Template system Version: 1.2
Severity: Keywords:
Cc: Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: UI/UX:

Description (last modified by Luke Plant)

In [1]: from django.template import Template, Context
In [3]: t = Template("{% cycle one two as foo %} {% cycle foo %}")
In [5]: c = Context({"one" : "A & B", "two": "C & D"})
In [6]: t.render(c)
Out[6]: u'A & B C & D'

This is likely fixed by using _render_value_in_context() in the implementation of the cycle node render method.
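As an added illustration for readers of this ticket (toy code written for this page, not Django's template engine and not the attached `test_cycle.patch`), the following minimal renderer models the behaviour under discussion: `{{ var }}` is autoescaped, while `{% cycle %}` writes its value raw, and an `escape_cycle` switch routes the cycle value through a stand-in for `_render_value_in_context()` instead. The `render`, `SafeString` and `cycle_escapes_output` names, the regex-based tokenizer and the probe string are assumptions of this model; the sample template and context reuse the values from the transcript above.

```python
import html
import re


class SafeString(str):
    """A string already escaped or trusted; stand-in for Django's mark_safe()."""


def escape(value):
    """HTML-escape value unless it is already marked safe."""
    if isinstance(value, SafeString):
        return value
    return SafeString(html.escape(str(value), quote=True))


def render_value_in_context(value, autoescape=True):
    """Toy counterpart of Django's _render_value_in_context(): escape when autoescaping is on."""
    return escape(value) if autoescape else str(value)


# Matches {{ name }} (group 1) and {% cycle ... %} (group 2 holds the tag arguments).
TOKEN = re.compile(r"\{\{\s*(\w+)\s*\}\}|\{%\s*cycle\s+(.+?)\s*%\}")


def render(template, context, escape_cycle=False, autoescape=True):
    """Render a template containing only {{ var }} and {% cycle %} tokens.

    {{ var }} goes through render_value_in_context() like a Django variable node.
    {% cycle %} writes its value raw (the behaviour this ticket reports) unless
    escape_cycle=True, which sends it through render_value_in_context() as well.
    """
    cycles = {}  # cycle key -> [values, index of the next value to emit]
    out, pos = [], 0
    for m in TOKEN.finditer(template):
        out.append(template[pos:m.start()])
        pos = m.end()
        if m.group(1):
            out.append(render_value_in_context(context[m.group(1)], autoescape))
            continue
        args = m.group(2).split()
        if len(args) >= 3 and args[-2] == "as":
            # {% cycle one two as foo %}: define a named cycle and emit its first value
            key = args[-1]
            cycles[key] = [[context[a] for a in args[:-2]], 0]
        elif len(args) == 1 and args[0] in cycles:
            key = args[0]  # {% cycle foo %}: advance the named cycle
        else:
            # anonymous {% cycle one two %}: each occurrence is its own node
            key = ("anon", m.start())
            cycles[key] = [[context[a] for a in args], 0]
        values, idx = cycles[key]
        value = values[idx % len(values)]
        cycles[key][1] = idx + 1
        out.append(render_value_in_context(value, autoescape) if escape_cycle else str(value))
    out.append(template[pos:])
    return "".join(out)


# Constructed sample using the same values as the ticket's transcript.
TEMPLATE = "{{ one }}, {{ two }}, {% cycle one two as foo %}, {% cycle foo %}"
CONTEXT = {"one": "A & B", "two": "C & D"}


def ticket_behaviour():
    """Variables escaped, cycle values raw."""
    return render(TEMPLATE, CONTEXT)


def hardened_behaviour():
    """Cycle values routed through render_value_in_context(), as the description suggests."""
    return render(TEMPLATE, CONTEXT, escape_cycle=True)


def cycle_escapes_output(escape_cycle):
    """Explicit check in the spirit of the tests added for this ticket: push a markup
    probe through the tag and report whether it came out escaped."""
    probe = "<b>&</b>"
    out = render("{% cycle probe probe as c %}", {"probe": probe}, escape_cycle=escape_cycle)
    return "<" not in out and out == "&lt;b&gt;&amp;&lt;/b&gt;"


if __name__ == "__main__":
    print(ticket_behaviour())
    print(hardened_behaviour())
    print("cycle escapes (ticket behaviour):", cycle_escapes_output(False))
    print("cycle escapes (hardened):", cycle_escapes_output(True))
```

The `cycle_escapes_output` probe is the kind of check worth keeping in a template test suite whenever a custom tag writes context values to the output: it pins the escaping contract of the tag down explicitly, so a later change from one behaviour to the other is caught rather than discovered in rendered pages.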

Attachments (1)

test_cycle.patch (998 bytes) - added by Stephen Kelly 6 years ago.
Tests for documented behaviour


Change History (8)

comment:1 Changed 6 years ago by Matt McClanahan

Needs documentation: unset
Needs tests: unset
Patch needs improvement: unset
Resolution: invalid
Status: new → closed

I don't see a bug here. You might be misunderstanding how the cycle tag works.

comment:2 Changed 6 years ago by Stephen Kelly

Resolution: invalid
Status: closed → reopened

It's strange that you don't see the bug. The variable is written to the output unescaped.

What do you think I'm missing about how cycle works?

In [1]: from django.template import Template, Context

In [2]: t = Template("{{ one }}, {{ two }}, {% cycle one two as foo %}, {% cycle foo %}")

In [4]: c = Context({"one": "A & B", "two": "C & D"})

In [5]: t.render(c)
Out[5]: u'A & B, C & D, A & B, C & D'

comment:3 Changed 6 years ago by Luke Plant

Description: modified (diff)
Resolution: invalid
Status: reopened → closed

There is no bug, because the cycle tag is not supposed to escape its output, in common with other template tags. This is clearly explained in the documentation.

Changed 6 years ago by Stephen Kelly

Attachment: test_cycle.patch added

Tests for documented behaviour

comment:4 Changed 6 years ago by Stephen Kelly

Has patch: set
Resolution: invalid
Status: closed → reopened

I have uploaded a new patch for tests of the existing behavior instead of changing it.

comment:5 Changed 6 years ago by Russell Keith-Magee

Triage Stage: Unreviewed → Ready for checkin

Valid tests for the documented behavior.

comment:6 Changed 6 years ago by Russell Keith-Magee

Resolution: fixed
Status: reopened → closed

(In [15335]) Fixed #14818 -- Added explicit tests for the way that the cycle tag handles escaping. Thanks to steveire.

comment:7 Changed 6 years ago by Russell Keith-Magee

(In [15338]) [1.2.X] Fixed #14818 -- Added explicit tests for the way that the cycle tag handles escaping. Thanks to steveire.

Backport of r15335 from trunk.
