Fixed #11413 -- Added notes on the cycle and firstof tag detailing that variables output by those tags will not be escaped by default. Thanks to krystal for the report and draft patch.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@11163 bcc190cf-cafb-0310-a4f2-bffc1f526a37
Russell Keith-Magee 2009-07-03 05:41:36 +00:00
parent f5ed3f4085
commit 6ed0345092
2 changed files with 32 additions and 9 deletions

@ -564,7 +564,7 @@ do_filter = register.tag("filter", do_filter)
#@register.tag #@register.tag
def firstof(parser, token): def firstof(parser, token):
""" """
Outputs the first variable passed that is not False. Outputs the first variable passed that is not False, without escaping.
Outputs nothing if all the passed variables are False. Outputs nothing if all the passed variables are False.
@ -575,11 +575,11 @@ def firstof(parser, token):
This is equivalent to:: This is equivalent to::
{% if var1 %} {% if var1 %}
{{ var1 }} {{ var1|safe }}
{% else %}{% if var2 %} {% else %}{% if var2 %}
{{ var2 }} {{ var2|safe }}
{% else %}{% if var3 %} {% else %}{% if var3 %}
{{ var3 }} {{ var3|safe }}
{% endif %}{% endif %}{% endif %} {% endif %}{% endif %}{% endif %}
but obviously much cleaner! but obviously much cleaner!
@ -589,6 +589,12 @@ def firstof(parser, token):
{% firstof var1 var2 var3 "fallback value" %} {% firstof var1 var2 var3 "fallback value" %}
If you want to escape the output, use a filter tag::
{% filter force_escape %}
{% firstof var1 var2 var3 "fallback value" %}
{% endfilter %}
""" """
bits = token.split_contents()[1:] bits = token.split_contents()[1:]
if len(bits) < 1: if len(bits) < 1:
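Review bot: The escaping recipe added to the docstring wraps the whole tag in `{% filter force_escape %}`, so it also escapes the literal "fallback value" and escapes a second time any variable that already holds escaped or intentionally safe markup. Suggest adding a sentence that the filter applies to everything the block renders, so a template author passing pre-rendered HTML in one of the variables knows this recipe does not fit that case.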

@ -101,6 +101,14 @@ You can use any number of values in a ``{% cycle %}`` tag, separated by spaces.
Values enclosed in single (``'``) or double quotes (``"``) are treated as Values enclosed in single (``'``) or double quotes (``"``) are treated as
string literals, while values without quotes are treated as template variables. string literals, while values without quotes are treated as template variables.
Note that the variables included in the cycle will not be escaped. This is
because template tags do not escape their content. If you want to escape the
variables in the cycle, you must do so explicitly::
{% filter force_escape %}
{% cycle var1 var2 var3 %}
{% endfilter %}
For backwards compatibility, the ``{% cycle %}`` tag supports the much inferior For backwards compatibility, the ``{% cycle %}`` tag supports the much inferior
old syntax from previous Django versions. You shouldn't use this in any new old syntax from previous Django versions. You shouldn't use this in any new
projects, but for the sake of the people who are still using it, here's what it projects, but for the sake of the people who are still using it, here's what it
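Review bot: The new paragraph says the variables in the cycle "will not be escaped" but does not say that this holds while autoescaping is on, which is the case a reader is least likely to expect. Suggest stating that explicitly and naming the consequence: a variable holding user-supplied text is written into the page as raw markup unless the `{% filter force_escape %}` wrapper shown here is used.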
@ -160,8 +168,9 @@ Sample usage::
firstof firstof
~~~~~~~ ~~~~~~~
Outputs the first variable passed that is not False. Outputs nothing if all the Outputs the first variable passed that is not False, without escaping.
passed variables are False.
Outputs nothing if all the passed variables are False.
Sample usage:: Sample usage::
@ -170,11 +179,11 @@ Sample usage::
This is equivalent to:: This is equivalent to::
{% if var1 %} {% if var1 %}
{{ var1 }} {{ var1|safe }}
{% else %}{% if var2 %} {% else %}{% if var2 %}
{{ var2 }} {{ var2|safe }}
{% else %}{% if var3 %} {% else %}{% if var3 %}
{{ var3 }} {{ var3|safe }}
{% endif %}{% endif %}{% endif %} {% endif %}{% endif %}{% endif %}
You can also use a literal string as a fallback value in case all You can also use a literal string as a fallback value in case all
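Review bot: The equivalence block now shows `{{ var1|safe }}`, `{{ var2|safe }}` and `{{ var3|safe }}` with no comment, so in the reference docs it can be read as a pattern to copy. Suggest one sentence after the block saying that `|safe` is there only to mirror how the tag behaves, with a pointer to the escaping note further down the section.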
@ -182,6 +191,14 @@ passed variables are False::
{% firstof var1 var2 var3 "fallback value" %} {% firstof var1 var2 var3 "fallback value" %}
Note that the variables included in the firstof tag will not be escaped. This
is because template tags do not escape their content. If you want to escape
the variables in the firstof tag, you must do so explicitly::
{% filter force_escape %}
{% firstof var1 var2 var3 "fallback value" %}
{% endfilter %}
.. templatetag:: for .. templatetag:: for
for for
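Review bot: The escaping note for firstof is the last paragraph of the section, after the sample usage, the equivalence and the fallback example and right before `.. templatetag:: for`, so a reader who stops at the first example never sees it. Since it changes how safe the tag is to use with untrusted data, suggest moving it directly under the opening description or setting it in a `.. warning::` directive. The same wording now lives in the docstring and in both doc sections, so it is worth keeping the three in step.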