diff --git a/django/template/defaultfilters.py b/django/template/defaultfilters.py
index e62e2e3eaf..ca03ff87e3 100644
--- a/django/template/defaultfilters.py
+++ b/django/template/defaultfilters.py
@@ -25,8 +25,8 @@ def stringfilter(func):
 if args:
 args = list(args)
 args[0] = force_unicode(args[0])
- if isinstance(args[0], SafeData) and getattr(func, 'is_safe', False):
- return mark_safe(func(*args, **kwargs))
+ if isinstance(args[0], SafeData) and getattr(func, 'is_safe', False):
+ return mark_safe(func(*args, **kwargs))
 return func(*args, **kwargs)
 # Include a reference to the real function (used to check original
diff --git a/tests/regressiontests/templates/filters.py b/tests/regressiontests/templates/filters.py
index 2a06703948..4175bdbe5f 100644
--- a/tests/regressiontests/templates/filters.py
+++ b/tests/regressiontests/templates/filters.py
@@ -12,6 +12,15 @@ from datetime import datetime, timedelta
 from django.utils.tzinfo import LocalTimezone
 from django.utils.safestring import mark_safe
+# These two classes are used to test auto-escaping of __unicode__ output.
+class UnsafeClass:
+ def __unicode__(self):
+ return u'you & me'
+
+class SafeClass:
+ def __unicode__(self):
+ return mark_safe(u'you > me')
+
 # RESULT SYNTAX --
 # 'template_name': ('template contents', 'context dict',
 # 'expected string output' or Exception class)
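Review bot: The re-indented `if isinstance(args[0], SafeData) and getattr(func, 'is_safe', False):` check in `django/template/defaultfilters.py` carries no comment saying why it runs after `force_unicode()`, and the removed and added lines read identically here, so the change itself is indentation only. Presumably the check now sits inside `if args:` so that `args[0]` is never read when the filter is called without positional arguments. Since `mark_safe()` on the result is what switches auto-escaping off for the filter output, I would add above the `isinstance` line `# Check after force_unicode(): an object's __unicode__ may itself return a SafeData string.` The wrapper function this belongs to starts and ends outside the hunk.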
@@ -227,4 +236,11 @@ def get_filter_tests():
 'chaining12': ('{% autoescape off %}{{ a|cut:"b"|safe }}{% endautoescape %}', {"a": "a < b"}, "a < "),
 'chaining13': ('{{ a|safe|force_escape }}', {"a": "a < b"}, "a < b"),
 'chaining14': ('{% autoescape off %}{{ a|safe|force_escape }}{% endautoescape %}', {"a": "a < b"}, "a < b"),
+
+ # Filters decorated with stringfilter still respect is_safe.
+ 'autoescape-stringfilter01': (r'{{ unsafe|capfirst }}', {'unsafe': UnsafeClass()}, 'You & me'),
+ 'autoescape-stringfilter02': (r'{% autoescape off %}{{ unsafe|capfirst }}{% endautoescape %}', {'unsafe': UnsafeClass()}, 'You & me'),
+ 'autoescape-stringfilter03': (r'{{ safe|capfirst }}', {'safe': SafeClass()}, 'You > me'),
+ 'autoescape-stringfilter04': (r'{% autoescape off %}{{ safe|capfirst }}{% endautoescape %}', {'safe': SafeClass()}, 'You > me'),
 }
+
diff --git a/tests/regressiontests/templates/tests.py b/tests/regressiontests/templates/tests.py
index f3c131dd91..cbbd88b06c 100644
--- a/tests/regressiontests/templates/tests.py
+++ b/tests/regressiontests/templates/tests.py
@@ -899,7 +899,12 @@ class Templates(unittest.TestCase):
 # Literal string arguments to filters, if used in the result, are
 # safe.
- 'basic-syntax08': (r'{% autoescape on %}{{ var|default_if_none:" endquote\" hah" }}{% endautoescape %}', {"var": None}, ' endquote" hah'),
+ 'autoescape-tag08': (r'{% autoescape on %}{{ var|default_if_none:" endquote\" hah" }}{% endautoescape %}', {"var": None}, ' endquote" hah'),
+
+ # Objects which return safe strings as their __unicode__ method
+ # won't get double-escaped.
+ 'autoescape-tag09': (r'{{ unsafe }}', {'unsafe': filters.UnsafeClass()}, 'you & me'),
+ 'autoescape-tag10': (r'{{ safe }}', {'safe': filters.SafeClass()}, 'you > me'),
 # The "safe" and "escape" filters cannot work due to internal
 # implementation details (fortunately, the (no)autoescape block
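Review bot: All four `autoescape-stringfilter` cases in `tests/regressiontests/templates/filters.py` go through `capfirst`, so the comment's claim that stringfilter-decorated filters "still respect is_safe" is exercised for only one value of `is_safe` (presumably true for `capfirst`; its definition is not in this diff). A fifth case that pipes `SafeClass()` through a stringfilter whose `is_safe` is false, expecting escaped output, would pin the branch where the result must not be marked safe. Also, as rendered here the expected strings for 01 and 02 are the same `'You & me'`; if that is what the file holds rather than an artefact of how the page displays entities, 01 does not show that escaping happened.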
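Review bot: The new comment above `autoescape-tag09` and `autoescape-tag10` in `tests/regressiontests/templates/tests.py` describes only the safe case, while `autoescape-tag09` checks the opposite one with `UnsafeClass()`. Something like `# Unsafe __unicode__ output is escaped on render; output already marked safe is not escaped a second time.` would cover both entries. These cases reference `filters.UnsafeClass` and `filters.SafeClass`, so they rely on an import of the `filters` module that is outside the hunk. The enclosing dictionary and method also extend beyond the visible lines.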