2007-11-14 20:58:53 +08:00
|
|
|
"""
|
|
|
|
Functions for working with "safe strings": strings that can be displayed safely
|
|
|
|
without further escaping in HTML. Marking something as a "safe string" means
|
|
|
|
that the producer of the string has already turned characters that should not
|
|
|
|
be interpreted by the HTML engine (e.g. '<') into the appropriate entities.
|
|
|
|
"""
|
2016-05-11 00:46:47 +08:00
|
|
|
import warnings
|
|
|
|
|
2012-07-20 20:48:51 +08:00
|
|
|
from django.utils import six
|
2016-05-11 00:46:47 +08:00
|
|
|
from django.utils.deprecation import RemovedInDjango20Warning
|
2016-06-03 05:11:43 +08:00
|
|
|
from django.utils.functional import Promise, curry, wraps
|
2007-11-14 20:58:53 +08:00
|
|
|
|
2013-11-03 04:12:09 +08:00
|
|
|
|
2007-11-14 20:58:53 +08:00
|
|
|
class EscapeData(object):
|
|
|
|
pass
|
|
|
|
|
2013-11-03 04:12:09 +08:00
|
|
|
|
2012-08-18 22:04:06 +08:00
|
|
|
class EscapeBytes(bytes, EscapeData):
|
2007-11-14 20:58:53 +08:00
|
|
|
"""
|
2012-08-18 22:04:06 +08:00
|
|
|
A byte string that should be HTML-escaped when output.
|
2007-11-14 20:58:53 +08:00
|
|
|
"""
|
2014-02-05 12:16:39 +08:00
|
|
|
pass
|
2007-11-14 20:58:53 +08:00
|
|
|
|
2013-11-03 04:12:09 +08:00
|
|
|
|
2012-08-18 22:04:06 +08:00
|
|
|
class EscapeText(six.text_type, EscapeData):
|
2007-11-14 20:58:53 +08:00
|
|
|
"""
|
2012-08-18 22:04:06 +08:00
|
|
|
A unicode string object that should be HTML-escaped when output.
|
2007-11-14 20:58:53 +08:00
|
|
|
"""
|
2014-02-05 12:16:39 +08:00
|
|
|
pass
|
2007-11-14 20:58:53 +08:00
|
|
|
|
2016-11-13 01:11:23 +08:00
|
|
|
|
2012-08-18 22:04:06 +08:00
|
|
|
if six.PY3:
|
|
|
|
EscapeString = EscapeText
|
|
|
|
else:
|
|
|
|
EscapeString = EscapeBytes
|
|
|
|
# backwards compatibility for Python 2
|
|
|
|
EscapeUnicode = EscapeText
|
|
|
|
|
2013-11-03 07:53:29 +08:00
|
|
|
|
2007-11-14 20:58:53 +08:00
|
|
|
class SafeData(object):
|
2013-10-15 06:40:52 +08:00
|
|
|
def __html__(self):
|
|
|
|
"""
|
2014-12-24 05:29:01 +08:00
|
|
|
Returns the html representation of a string for interoperability.
|
2013-10-15 06:40:52 +08:00
|
|
|
|
2014-12-24 05:29:01 +08:00
|
|
|
This allows other template engines to understand Django's SafeData.
|
2013-10-15 06:40:52 +08:00
|
|
|
"""
|
|
|
|
return self
|
2007-11-14 20:58:53 +08:00
|
|
|
|
2013-11-03 07:53:29 +08:00
|
|
|
|
2012-08-18 22:04:06 +08:00
|
|
|
class SafeBytes(bytes, SafeData):
|
2007-11-14 20:58:53 +08:00
|
|
|
"""
|
2012-08-18 22:04:06 +08:00
|
|
|
A bytes subclass that has been specifically marked as "safe" (requires no
|
2007-11-14 20:58:53 +08:00
|
|
|
further escaping) for HTML output purposes.
|
|
|
|
"""
|
|
|
|
def __add__(self, rhs):
|
|
|
|
"""
|
2012-08-18 22:04:06 +08:00
|
|
|
Concatenating a safe byte string with another safe byte string or safe
|
|
|
|
unicode string is safe. Otherwise, the result is no longer safe.
|
2007-11-14 20:58:53 +08:00
|
|
|
"""
|
2012-08-18 22:04:06 +08:00
|
|
|
t = super(SafeBytes, self).__add__(rhs)
|
|
|
|
if isinstance(rhs, SafeText):
|
|
|
|
return SafeText(t)
|
|
|
|
elif isinstance(rhs, SafeBytes):
|
|
|
|
return SafeBytes(t)
|
2007-12-03 04:17:10 +08:00
|
|
|
return t
|
2012-07-20 20:48:51 +08:00
|
|
|
|
2007-11-14 20:58:53 +08:00
|
|
|
def _proxy_method(self, *args, **kwargs):
|
|
|
|
"""
|
|
|
|
Wrap a call to a normal unicode method up so that we return safe
|
|
|
|
results. The method that is being wrapped is passed in the 'method'
|
|
|
|
argument.
|
|
|
|
"""
|
|
|
|
method = kwargs.pop('method')
|
|
|
|
data = method(self, *args, **kwargs)
|
2012-07-20 20:48:51 +08:00
|
|
|
if isinstance(data, bytes):
|
2012-08-18 22:04:06 +08:00
|
|
|
return SafeBytes(data)
|
2007-11-14 20:58:53 +08:00
|
|
|
else:
|
2012-08-18 22:04:06 +08:00
|
|
|
return SafeText(data)
|
2007-11-14 20:58:53 +08:00
|
|
|
|
2012-07-20 20:48:51 +08:00
|
|
|
decode = curry(_proxy_method, method=bytes.decode)
|
2007-11-14 20:58:53 +08:00
|
|
|
|
2013-11-03 07:53:29 +08:00
|
|
|
|
2012-08-18 22:04:06 +08:00
|
|
|
class SafeText(six.text_type, SafeData):
|
2007-11-14 20:58:53 +08:00
|
|
|
"""
|
2012-08-18 22:04:06 +08:00
|
|
|
A unicode (Python 2) / str (Python 3) subclass that has been specifically
|
|
|
|
marked as "safe" for HTML output purposes.
|
2007-11-14 20:58:53 +08:00
|
|
|
"""
|
|
|
|
def __add__(self, rhs):
|
|
|
|
"""
|
2012-08-18 22:04:06 +08:00
|
|
|
Concatenating a safe unicode string with another safe byte string or
|
|
|
|
safe unicode string is safe. Otherwise, the result is no longer safe.
|
2007-11-14 20:58:53 +08:00
|
|
|
"""
|
2012-08-18 22:04:06 +08:00
|
|
|
t = super(SafeText, self).__add__(rhs)
|
2007-11-14 20:58:53 +08:00
|
|
|
if isinstance(rhs, SafeData):
|
2012-08-18 22:04:06 +08:00
|
|
|
return SafeText(t)
|
2007-12-03 04:17:10 +08:00
|
|
|
return t
|
2012-07-20 20:48:51 +08:00
|
|
|
|
2007-11-14 20:58:53 +08:00
|
|
|
def _proxy_method(self, *args, **kwargs):
|
|
|
|
"""
|
|
|
|
Wrap a call to a normal unicode method up so that we return safe
|
|
|
|
results. The method that is being wrapped is passed in the 'method'
|
|
|
|
argument.
|
|
|
|
"""
|
|
|
|
method = kwargs.pop('method')
|
|
|
|
data = method(self, *args, **kwargs)
|
2012-07-20 20:48:51 +08:00
|
|
|
if isinstance(data, bytes):
|
2012-08-18 22:04:06 +08:00
|
|
|
return SafeBytes(data)
|
2007-11-14 20:58:53 +08:00
|
|
|
else:
|
2012-08-18 22:04:06 +08:00
|
|
|
return SafeText(data)
|
2007-11-14 20:58:53 +08:00
|
|
|
|
2012-07-20 20:48:51 +08:00
|
|
|
encode = curry(_proxy_method, method=six.text_type.encode)
|
2007-11-14 20:58:53 +08:00
|
|
|
|
2016-11-13 01:11:23 +08:00
|
|
|
|
2012-08-18 22:04:06 +08:00
|
|
|
if six.PY3:
|
|
|
|
SafeString = SafeText
|
|
|
|
else:
|
|
|
|
SafeString = SafeBytes
|
|
|
|
# backwards compatibility for Python 2
|
|
|
|
SafeUnicode = SafeText
|
|
|
|
|
2013-11-03 07:53:29 +08:00
|
|
|
|
2016-06-03 05:11:43 +08:00
|
|
|
def _safety_decorator(safety_marker, func):
|
|
|
|
@wraps(func)
|
|
|
|
def wrapped(*args, **kwargs):
|
|
|
|
return safety_marker(func(*args, **kwargs))
|
|
|
|
return wrapped
|
|
|
|
|
|
|
|
|
2007-11-14 20:58:53 +08:00
|
|
|
def mark_safe(s):
|
|
|
|
"""
|
|
|
|
Explicitly mark a string as safe for (HTML) output purposes. The returned
|
|
|
|
object can be used everywhere a string or unicode object is appropriate.
|
|
|
|
|
2016-06-03 05:11:43 +08:00
|
|
|
If used on a method as a decorator, mark the returned data as safe.
|
|
|
|
|
2007-11-14 20:58:53 +08:00
|
|
|
Can be called multiple times on a single string.
|
|
|
|
"""
|
2014-12-24 05:29:01 +08:00
|
|
|
if hasattr(s, '__html__'):
|
2007-11-14 20:58:53 +08:00
|
|
|
return s
|
2012-08-04 21:55:53 +08:00
|
|
|
if isinstance(s, bytes) or (isinstance(s, Promise) and s._delegate_bytes):
|
2012-08-18 22:04:06 +08:00
|
|
|
return SafeBytes(s)
|
2012-07-20 20:48:51 +08:00
|
|
|
if isinstance(s, (six.text_type, Promise)):
|
2012-08-18 22:04:06 +08:00
|
|
|
return SafeText(s)
|
2016-06-03 05:11:43 +08:00
|
|
|
if callable(s):
|
|
|
|
return _safety_decorator(mark_safe, s)
|
2012-08-18 22:04:06 +08:00
|
|
|
return SafeString(str(s))
|
2007-11-14 20:58:53 +08:00
|
|
|
|
2013-11-03 07:53:29 +08:00
|
|
|
|
2007-11-14 20:58:53 +08:00
|
|
|
def mark_for_escaping(s):
|
|
|
|
"""
|
|
|
|
Explicitly mark a string as requiring HTML escaping upon output. Has no
|
|
|
|
effect on SafeData subclasses.
|
|
|
|
|
|
|
|
Can be called multiple times on a single string (the resulting escaping is
|
|
|
|
only applied once).
|
|
|
|
"""
|
2016-05-11 00:46:47 +08:00
|
|
|
warnings.warn('mark_for_escaping() is deprecated.', RemovedInDjango20Warning)
|
2014-12-24 05:29:01 +08:00
|
|
|
if hasattr(s, '__html__') or isinstance(s, EscapeData):
|
2007-11-14 20:58:53 +08:00
|
|
|
return s
|
2012-08-04 21:55:53 +08:00
|
|
|
if isinstance(s, bytes) or (isinstance(s, Promise) and s._delegate_bytes):
|
2012-08-18 22:04:06 +08:00
|
|
|
return EscapeBytes(s)
|
2012-07-20 20:48:51 +08:00
|
|
|
if isinstance(s, (six.text_type, Promise)):
|
2012-08-18 22:04:06 +08:00
|
|
|
return EscapeText(s)
|
2014-12-24 04:49:05 +08:00
|
|
|
return EscapeString(str(s))
|