2007-11-14 20:58:53 +08:00
|
|
|
"""
|
|
|
|
Functions for working with "safe strings": strings that can be displayed safely
|
|
|
|
without further escaping in HTML. Marking something as a "safe string" means
|
|
|
|
that the producer of the string has already turned characters that should not
|
|
|
|
be interpreted by the HTML engine (e.g. '<') into the appropriate entities.
|
|
|
|
"""
|
2013-04-20 19:38:14 +08:00
|
|
|
from django.utils.functional import curry, Promise, allow_lazy
|
2012-07-20 20:48:51 +08:00
|
|
|
from django.utils import six
|
2007-11-14 20:58:53 +08:00
|
|
|
|
2013-11-03 04:12:09 +08:00
|
|
|
|
2007-11-14 20:58:53 +08:00
|
|
|
class EscapeData(object):
    """
    Marker base class for strings that must be HTML-escaped when output.

    It carries no behavior of its own; other code in this module detects
    it with ``isinstance`` checks.
    """
|
|
|
|
|
2013-11-03 04:12:09 +08:00
|
|
|
|
2012-08-18 22:04:06 +08:00
|
|
|
class EscapeBytes(bytes, EscapeData):
    """
    A byte string that should be HTML-escaped when output.
    """
    # The constructor is bytes.__new__ wrapped by allow_lazy.
    # NOTE(review): presumably this lets the class be built from a lazy
    # (Promise) argument -- confirm against django.utils.functional.allow_lazy.
    __new__ = allow_lazy(bytes.__new__, bytes)
|
2007-11-14 20:58:53 +08:00
|
|
|
|
2013-11-03 04:12:09 +08:00
|
|
|
|
2012-08-18 22:04:06 +08:00
|
|
|
class EscapeText(six.text_type, EscapeData):
    """
    A unicode string object that should be HTML-escaped when output.
    """
    # The constructor is six.text_type.__new__ wrapped by allow_lazy.
    # NOTE(review): presumably this lets the class be built from a lazy
    # (Promise) argument -- confirm against django.utils.functional.allow_lazy.
    __new__ = allow_lazy(six.text_type.__new__, six.text_type)
|
2007-11-14 20:58:53 +08:00
|
|
|
|
2012-08-18 22:04:06 +08:00
|
|
|
# EscapeString is the "to be escaped" counterpart of the native ``str`` type:
# text on Python 3, bytes on Python 2.
if six.PY3:
    EscapeString = EscapeText
else:
    EscapeString = EscapeBytes
    # backwards compatibility for Python 2
    EscapeUnicode = EscapeText
|
|
|
|
|
2013-11-03 07:53:29 +08:00
|
|
|
|
2007-11-14 20:58:53 +08:00
|
|
|
class SafeData(object):
    """
    Marker base class for strings that are already safe for HTML output.
    """

    def __html__(self):
        """
        Return the HTML representation of the string, which is the object
        itself.

        Allows interoperability with other template engines.
        """
        return self
|
2007-11-14 20:58:53 +08:00
|
|
|
|
2013-11-03 07:53:29 +08:00
|
|
|
|
2012-08-18 22:04:06 +08:00
|
|
|
class SafeBytes(bytes, SafeData):
    """
    A bytes subclass that has been specifically marked as "safe" (requires no
    further escaping) for HTML output purposes.
    """
    # The constructor is bytes.__new__ wrapped by allow_lazy.
    # NOTE(review): presumably this lets the class be built from a lazy
    # (Promise) argument -- confirm against django.utils.functional.allow_lazy.
    __new__ = allow_lazy(bytes.__new__, bytes)

    def __add__(self, rhs):
        """
        Concatenating a safe byte string with another safe byte string or safe
        unicode string is safe. Otherwise, the result is no longer safe.

        Returns a SafeText when ``rhs`` is a SafeText, a SafeBytes when
        ``rhs`` is a SafeBytes, and the plain concatenation result otherwise.
        """
        t = super(SafeBytes, self).__add__(rhs)
        if isinstance(rhs, SafeText):
            return SafeText(t)
        elif isinstance(rhs, SafeBytes):
            return SafeBytes(t)
        # rhs was not marked safe, so the safe marker is dropped.
        return t

    def _proxy_method(self, *args, **kwargs):
        """
        Wrap a call to a normal bytes method up so that we return safe
        results. The method that is being wrapped is passed in the 'method'
        keyword argument, which is removed before the call is forwarded.
        """
        method = kwargs.pop('method')
        data = method(self, *args, **kwargs)
        # Re-mark the result as safe, using the class that matches its type.
        if isinstance(data, bytes):
            return SafeBytes(data)
        else:
            return SafeText(data)

    # decode() is bytes.decode routed through _proxy_method, so its result
    # is re-wrapped in a safe class.
    decode = curry(_proxy_method, method=bytes.decode)
|
2007-11-14 20:58:53 +08:00
|
|
|
|
2013-11-03 07:53:29 +08:00
|
|
|
|
2012-08-18 22:04:06 +08:00
|
|
|
class SafeText(six.text_type, SafeData):
    """
    A unicode (Python 2) / str (Python 3) subclass that has been specifically
    marked as "safe" for HTML output purposes.
    """
    # The constructor is six.text_type.__new__ wrapped by allow_lazy.
    # NOTE(review): presumably this lets the class be built from a lazy
    # (Promise) argument -- confirm against django.utils.functional.allow_lazy.
    __new__ = allow_lazy(six.text_type.__new__, six.text_type)

    def __add__(self, rhs):
        """
        Concatenating a safe unicode string with another safe byte string or
        safe unicode string is safe. Otherwise, the result is no longer safe.

        Returns a SafeText when ``rhs`` is any SafeData instance, and the
        plain concatenation result otherwise.
        """
        t = super(SafeText, self).__add__(rhs)
        if isinstance(rhs, SafeData):
            return SafeText(t)
        # rhs was not marked safe, so the safe marker is dropped.
        return t

    def _proxy_method(self, *args, **kwargs):
        """
        Wrap a call to a normal unicode method up so that we return safe
        results. The method that is being wrapped is passed in the 'method'
        keyword argument, which is removed before the call is forwarded.
        """
        method = kwargs.pop('method')
        data = method(self, *args, **kwargs)
        # Re-mark the result as safe, using the class that matches its type.
        if isinstance(data, bytes):
            return SafeBytes(data)
        else:
            return SafeText(data)

    # encode() is six.text_type.encode routed through _proxy_method, so its
    # result is re-wrapped in a safe class.
    encode = curry(_proxy_method, method=six.text_type.encode)
|
2007-11-14 20:58:53 +08:00
|
|
|
|
2012-08-18 22:04:06 +08:00
|
|
|
# SafeString is the "safe" counterpart of the native ``str`` type:
# text on Python 3, bytes on Python 2.
if six.PY3:
    SafeString = SafeText
else:
    SafeString = SafeBytes
    # backwards compatibility for Python 2
    SafeUnicode = SafeText
|
|
|
|
|
2013-11-03 07:53:29 +08:00
|
|
|
|
2007-11-14 20:58:53 +08:00
|
|
|
def mark_safe(s):
    """
    Explicitly mark a string as safe for (HTML) output purposes. The returned
    object can be used everywhere a string or unicode object is appropriate.

    Can be called multiple times on a single string.

    Returns ``s`` unchanged if it is already SafeData; a SafeBytes for bytes
    (or a Promise whose ``_delegate_bytes`` is truthy); a SafeText for text
    (or any other Promise); otherwise ``SafeString(str(s))``.
    """
    if isinstance(s, SafeData):
        return s
    # The bytes check must come before the generic Promise check below so
    # that byte-delegating lazy objects end up as SafeBytes.
    if isinstance(s, bytes) or (isinstance(s, Promise) and s._delegate_bytes):
        return SafeBytes(s)
    if isinstance(s, (six.text_type, Promise)):
        return SafeText(s)
    # Any other object: use its native string form.
    return SafeString(str(s))
|
2007-11-14 20:58:53 +08:00
|
|
|
|
2013-11-03 07:53:29 +08:00
|
|
|
|
2007-11-14 20:58:53 +08:00
|
|
|
def mark_for_escaping(s):
    """
    Explicitly mark a string as requiring HTML escaping upon output. Has no
    effect on SafeData subclasses.

    Can be called multiple times on a single string (the resulting escaping is
    only applied once).

    Returns ``s`` unchanged if it is already SafeData or EscapeData; an
    EscapeBytes for bytes (or a Promise whose ``_delegate_bytes`` is truthy);
    an EscapeText for text (or any other Promise); otherwise
    ``EscapeString(str(s))``.
    """
    if isinstance(s, (SafeData, EscapeData)):
        return s
    # The bytes check must come before the generic Promise check below so
    # that byte-delegating lazy objects end up as EscapeBytes.
    if isinstance(s, bytes) or (isinstance(s, Promise) and s._delegate_bytes):
        return EscapeBytes(s)
    if isinstance(s, (six.text_type, Promise)):
        return EscapeText(s)
    # Any other object: use its native string form, mirroring mark_safe().
    # The previous bytes(s) fallback was only correct on Python 2 (where
    # bytes is str); on Python 3, bytes(5) is five NUL bytes and bytes(obj)
    # raises TypeError for objects without __bytes__ / buffer support.
    return EscapeString(str(s))
|