From 1c87a7bb58c24f0ba1b89a9e5776eb24116caa08 Mon Sep 17 00:00:00 2001 From: Malcolm Tredinnick Date: Wed, 28 Nov 2007 20:19:54 +0000 Subject: [PATCH] Fixed #5730: Conditionally escape widget contents in newforms to avoid inadvertent double-escaping. This still isn't perfect behaviour (since it's unaware of the current context's auto-escaping setting), but that's a larger problem that needs fixing and this change at least makes the existing behaviour consistent. Patch from SmileyChris. git-svn-id: http://code.djangoproject.com/svn/django/trunk@6722 bcc190cf-cafb-0310-a4f2-bffc1f526a37 --- django/newforms/widgets.py | 17 ++++++---- tests/regressiontests/forms/widgets.py | 44 ++++++++++++++++++++++++++ 2 files changed, 55 insertions(+), 6 deletions(-) diff --git a/django/newforms/widgets.py b/django/newforms/widgets.py index a2d5f52ff1..580834857e 100644 --- a/django/newforms/widgets.py +++ b/django/newforms/widgets.py @@ -11,7 +11,7 @@ import copy from itertools import chain from django.utils.datastructures import MultiValueDict -from django.utils.html import escape +from django.utils.html import escape, conditional_escape from django.utils.translation import ugettext from django.utils.encoding import StrAndUnicode, force_unicode from django.utils.safestring import mark_safe @@ -155,7 +155,7 @@ class Textarea(Widget): value = force_unicode(value) final_attrs = self.build_attrs(attrs, name=name) return mark_safe(u'%s' % (flatatt(final_attrs), - escape(value))) + conditional_escape(force_unicode(value)))) class DateTimeInput(Input): input_type = 'text' @@ -217,7 +217,9 @@ class Select(Widget): for option_value, option_label in chain(self.choices, choices): option_value = force_unicode(option_value) selected_html = (option_value == str_value) and u' selected="selected"' or '' - output.append(u'' % (escape(option_value), selected_html, escape(force_unicode(option_label)))) + output.append(u'' % ( + escape(option_value), selected_html, + conditional_escape(force_unicode(option_label)))) output.append(u'') return mark_safe(u'\n'.join(output)) @@ -254,7 +256,9 @@ class SelectMultiple(Widget): for option_value, option_label in chain(self.choices, choices): option_value = force_unicode(option_value) selected_html = (option_value in str_values) and ' selected="selected"' or '' - output.append(u'' % (escape(option_value), selected_html, escape(force_unicode(option_label)))) + output.append(u'' % ( + escape(option_value), selected_html, + conditional_escape(force_unicode(option_label)))) output.append(u'') return mark_safe(u'\n'.join(output)) @@ -278,7 +282,7 @@ class RadioInput(StrAndUnicode): def __unicode__(self): return mark_safe(u'' % (self.tag(), - self.choice_label)) + conditional_escape(force_unicode(self.choice_label)))) def is_checked(self): return self.value == self.choice_value @@ -363,7 +367,8 @@ class CheckboxSelectMultiple(SelectMultiple): cb = CheckboxInput(final_attrs, check_test=lambda value: value in str_values) option_value = force_unicode(option_value) rendered_cb = cb.render(name, option_value) - output.append(u'
  • ' % (rendered_cb, escape(force_unicode(option_label)))) + output.append(u'
  • ' % (rendered_cb, + conditional_escape(force_unicode(option_label)))) output.append(u'') return mark_safe(u'\n'.join(output)) diff --git a/tests/regressiontests/forms/widgets.py b/tests/regressiontests/forms/widgets.py index 81254a149e..ea8cf135aa 100644 --- a/tests/regressiontests/forms/widgets.py +++ b/tests/regressiontests/forms/widgets.py @@ -2,6 +2,7 @@ tests = r""" >>> from django.newforms import * >>> from django.newforms.widgets import RadioFieldRenderer +>>> from django.utils.safestring import mark_safe >>> import datetime >>> import time >>> import re @@ -205,6 +206,8 @@ u'' u'' >>> w.render('msg', 'some "quoted" & ampersanded value') u'' +>>> w.render('msg', mark_safe('pre "quoted" value')) +u'' >>> w.render('msg', 'value', attrs={'class': 'pretty', 'rows': 20}) u'' @@ -375,6 +378,17 @@ If 'choices' is passed to both the constructor and render(), then they'll both b +# Choices are escaped correctly +>>> print w.render('escape', None, choices=(('bad', 'you & me'), ('good', mark_safe('you > me')))) + + +# Unicode choices are correctly rendered as HTML >>> w.render('email', 'ŠĐĆŽćžšđ', choices=[('ŠĐĆŽćžšđ', 'ŠĐabcĆŽćžšđ'), ('ćžšđ', 'abcćžšđ')]) u'' @@ -538,6 +552,17 @@ If 'choices' is passed to both the constructor and render(), then they'll both b +# Choices are escaped correctly +>>> print w.render('escape', None, choices=(('bad', 'you & me'), ('good', mark_safe('you > me')))) + + +# Unicode choices are correctly rendered as HTML >>> w.render('nums', ['ŠĐĆŽćžšđ'], choices=[('ŠĐĆŽćžšđ', 'ŠĐabcĆŽćžšđ'), ('ćžšđ', 'abcćžšđ')]) u'' @@ -692,6 +717,14 @@ Traceback (most recent call last): ... IndexError: list index out of range +# Choices are escaped correctly +>>> w = RadioSelect() +>>> print w.render('escape', None, choices=(('bad', 'you & me'), ('good', mark_safe('you > me')))) + + # Unicode choices are correctly rendered as HTML >>> w = RadioSelect() >>> unicode(w.render('email', 'ŠĐĆŽćžšđ', choices=[('ŠĐĆŽćžšđ', 'ŠĐabcĆŽćžšđ'), ('ćžšđ', 'abcćžšđ')])) @@ -821,6 +854,17 @@ If 'choices' is passed to both the constructor and render(), then they'll both b
  • +# Choices are escaped correctly +>>> print w.render('escape', None, choices=(('bad', 'you & me'), ('good', mark_safe('you > me')))) + + +# Unicode choices are correctly rendered as HTML >>> w.render('nums', ['ŠĐĆŽćžšđ'], choices=[('ŠĐĆŽćžšđ', 'ŠĐabcĆŽćžšđ'), ('ćžšđ', 'abcćžšđ')]) u''