From 571e093a258b00b25c24481af7acf0d0a034ec8c Mon Sep 17 00:00:00 2001
From: Moritz Sichert
Date: Tue, 10 Mar 2015 21:21:28 +0100
Subject: [PATCH] [1.8.x] Refs #24469 -- Fixed escaping of forms, fields, and media in non-Django templates.

Backport of 6bff3439894ac22d80f270f36513fc86586273f3 from master
---
django/forms/forms.py | 6 ++++++
django/forms/widgets.py | 3 +++
.../template_backends/django_escaping.html | 5 +++++
.../template_backends/django_escaping.html | 5 +++++
tests/template_backends/test_dummy.py | 19 ++++++++++++++++++-
5 files changed, 37 insertions(+), 1 deletion(-)
create mode 100644 tests/template_backends/jinja2/template_backends/django_escaping.html
create mode 100644 tests/template_backends/templates/template_backends/django_escaping.html
diff --git a/django/forms/forms.py b/django/forms/forms.py
index 16fc5b00f2..869cc83283 100644
--- a/django/forms/forms.py
+++ b/django/forms/forms.py
@@ -138,6 +138,9 @@ class BaseForm(object): self.fields = copy.deepcopy(self.base_fields) self._bound_fields_cache = {} + def __html__(self): + return force_text(self) + def __str__(self): return self.as_table()
@@ -534,6 +537,9 @@ class BoundField(object): self.help_text = field.help_text or '' self._initial_value = UNSET + def __html__(self): + return force_text(self) + def __str__(self): """Renders this field as an HTML widget.""" if self.field.show_hidden_initial:
diff --git a/django/forms/widgets.py b/django/forms/widgets.py
index 0ed7613d0f..811852bb0b 100644
--- a/django/forms/widgets.py
+++ b/django/forms/widgets.py
@@ -44,6 +44,9 @@ class Media(object): for name in MEDIA_TYPES: getattr(self, 'add_' + name)(media_attrs.get(name, None)) + def __html__(self): + return force_text(self) + def __str__(self): return self.render()
diff --git a/tests/template_backends/jinja2/template_backends/django_escaping.html b/tests/template_backends/jinja2/template_backends/django_escaping.html
new file mode 100644
index 0000000000..a5ce51b109
--- /dev/null
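Review bot: The `__html__` added to `BaseForm` has no docstring saying that it opts the object out of autoescaping in any engine that honors the `__html__` protocol, so the safety of the rendered output now rests entirely on `__str__` returning already-escaped markup; the same applies to the `__html__` added to `BoundField` in the second forms.py hunk and to `Media` in widgets.py. A subclass that overrides `__str__`, `as_table()` or `render()` and interpolates unescaped data would then be emitted verbatim by such an engine, and nothing in these three-line methods tells a maintainer that. I would add a docstring to each, for example `"""Return the rendered HTML; defining __html__ marks this object as safe, so __str__ must return escaped markup."""`. The enclosing classes start and end outside the hunks, so whether their existing render paths escape every interpolated value cannot be confirmed from here.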
+++ b/tests/template_backends/jinja2/template_backends/django_escaping.html
@@ -0,0 +1,5 @@
+{{ media }}
+
+{{ test_formĀ }}
+
+{{ test_form.test_field }}
diff --git a/tests/template_backends/templates/template_backends/django_escaping.html b/tests/template_backends/templates/template_backends/django_escaping.html
new file mode 100644
index 0000000000..a5ce51b109
--- /dev/null
+++ b/tests/template_backends/templates/template_backends/django_escaping.html
@@ -0,0 +1,5 @@
+{{ media }}
+
+{{ test_formĀ }}
+
+{{ test_form.test_field }}
diff --git a/tests/template_backends/test_dummy.py b/tests/template_backends/test_dummy.py
index 5f9a8dccb3..b529b70756 100644
--- a/tests/template_backends/test_dummy.py
+++ b/tests/template_backends/test_dummy.py
@@ -2,6 +2,7 @@ from __future__ import unicode_literals +from django.forms import CharField, Form, Media from django.http import HttpRequest from django.middleware.csrf import CsrfViewMiddleware, get_token from django.template import TemplateDoesNotExist, TemplateSyntaxError
@@ -43,7 +44,7 @@ class TemplateStringsTests(SimpleTestCase): # There's no way to trigger a syntax error with the dummy backend. # The test still lives here to factor it between other backends. if self.backend_name == 'dummy': - return + self.skipTest("test doesn't apply to dummy backend") with self.assertRaises(TemplateSyntaxError): self.engine.get_template('template_backends/syntax_error.html')
@@ -55,6 +56,22 @@ class TemplateStringsTests(SimpleTestCase): self.assertIn('<script>', content) self.assertNotIn('