Opened 2 years ago

Closed 2 years ago

#34578 closed Bug (fixed)

Template filter `join` should not escape the joining string if `autoescape` is `off`

Reported by: Natalia Bidart Owned by: Rajeesh Punathil
Component: Template system Version: 4.2
Severity: Normal Keywords:
Cc: Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: yes UI/UX: no

Description

Consider the following template code snippet:

{% autoescape off %}
{{ some_list|join:some_var }}
{% endautoescape %}

in this case, the items inside some_list will not be escaped (matching the expected behavior) but some_var will forcibly be escaped. From the docs for autoescape or join I don't think this is expected behavior.

The following testcase illustrates what I think is a bug in the join filter (run inside the template_tests/filter_tests folder):

from django.template.defaultfilters import escape
from django.test import SimpleTestCase

from ..utils import setup


class RegressionTests(SimpleTestCase):

    @setup({"join01": '{{ some_list|join:some_var }}'})
    def test_join01(self):
        some_list = ["<p>Hello World!</p>", "beta & me", "<script>Hi!</script>"]
        some_var = "<br/>"
        output = self.engine.render_to_string("join01", {"some_list": some_list, "some_var": some_var})
        self.assertEqual(output, escape(some_var.join(some_list)))

    @setup({"join02": '{% autoescape off %}{{ some_list|join:some_var }}{% endautoescape %}'})
    def test_join02(self):
        some_list = ["<p>Hello World!</p>", "beta & me", "<script>Hi!</script>"]
        some_var = "<br/>"
        output = self.engine.render_to_string("join02", {"some_list": some_list, "some_var": some_var})
        self.assertEqual(output, some_var.join(some_list))

Result of this run in current main is:

.F
======================================================================
FAIL: test_join02 (template_tests.filter_tests.test_regression.RegressionTests.test_join02)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/nessita/fellowship/django/django/test/utils.py", line 443, in inner
    return func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
  File "/home/nessita/fellowship/django/tests/template_tests/utils.py", line 58, in inner
    func(self)
  File "/home/nessita/fellowship/django/tests/template_tests/filter_tests/test_regression.py", line 21, in test_join02
    self.assertEqual(output, some_var.join(some_list))
AssertionError: '<p>Hello World!</p>&lt;br/&gt;beta & me&lt;br/&gt;<script>Hi!</script>' != '<p>Hello World!</p><br/>beta & me<br/><script>Hi!</script>'

----------------------------------------------------------------------
Ran 2 tests in 0.007s

Change History (5)

comment:1 by Mariusz Felisiak, 2 years ago

Easy pickings: set
Summary: Template filter `join` should not escape the joining string even if `autoescape` is `off`Template filter `join` should not escape the joining string if `autoescape` is `off`
Triage Stage: UnreviewedAccepted

Off-topic: As far as I'm aware it's easier to follow the expected output in assertions instead of a series of function calls, e.g.

self.assertEqual(output, "<p>Hello World!</p><br/>beta & me<br/><script>Hi!</script>")

comment:2 by Rajeesh Punathil, 2 years ago

Owner: changed from nobody to Rajeesh Punathil
Status: newassigned

comment:3 by Mariusz Felisiak, 2 years ago

Has patch: set

PR

comment:4 by Mariusz Felisiak, 2 years ago

Triage Stage: AcceptedReady for checkin

comment:5 by Mariusz Felisiak <felisiak.mariusz@…>, 2 years ago

Resolution: fixed
Status: assignedclosed

In a2da81f:

Fixed #34578 -- Made "join" template filter respect autoescape for joiner.

Note: See TracTickets for help on using tickets.
Back to Top