Fixed #4131: added an "escapejs" filter for use in JavaScript strings, and updated the documentation on addslashes to point to the new ticket. Featuring contributions from Ned Batchelder, Jeremy Dunck, and Andy Durdin.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@6892 bcc190cf-cafb-0310-a4f2-bffc1f526a37
Jacob Kaplan-Moss 2007-12-04 21:08:29 +00:00
parent 76b73ce725
commit b65fce6595
3 changed files with 48 additions and 2 deletions


@ -43,7 +43,11 @@ def stringfilter(func):
def addslashes(value): def addslashes(value):
"""Adds slashes - useful for passing strings to JavaScript, for example.""" """
Adds slashes before quotes. Useful for escaping strings in CSV, for
example. Less useful for escaping JavaScript; use the ``escapejs``
filter instead.
"""
return value.replace('\\', '\\\\').replace('"', '\\"').replace("'", "\\'") return value.replace('\\', '\\\\').replace('"', '\\"').replace("'", "\\'")
addslashes.is_safe = True addslashes.is_safe = True
addslashes = stringfilter(addslashes) addslashes = stringfilter(addslashes)
@ -54,6 +58,25 @@ def capfirst(value):
capfirst.is_safe=True capfirst.is_safe=True
capfirst = stringfilter(capfirst) capfirst = stringfilter(capfirst)
_js_escapes = (
('\\', '\\\\'),
('"', '\\"'),
("'", "\\'"),
('\n', '\\n'),
('\r', '\\r'),
('\b', '\\b'),
('\f', '\\f'),
('\t', '\\t'),
('\v', '\\v'),
('</', '<\\/'),
)
def escapejs(value):
"""Backslash-escapes characters for use in JavaScript strings."""
for bad, good in _js_escapes:
value = value.replace(bad, good)
return value
escapejs = stringfilter(escapejs)
def fix_ampersands(value): def fix_ampersands(value):
"""Replaces ampersands with ``&amp;`` entities.""" """Replaces ampersands with ``&amp;`` entities."""
from django.utils.html import fix_ampersands from django.utils.html import fix_ampersands
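Review bot: The new `escapejs` filter omits the `is_safe` attribute that `addslashes` sets a few lines above it (`addslashes.is_safe = True`), so a safe input loses its safe status after escaping and, with auto-escaping on, the backslash-escaped quotes in the result are then HTML-entity-escaped as well inside a `<script>` block; if that is intentional the docstring should say so, otherwise add `escapejs.is_safe = True` after `escapejs = stringfilter(escapejs)`. Separately, the `_js_escapes` table does not cover the Unicode line terminators U+2028 and U+2029, which a Python unicode string may carry unchanged but which end a JavaScript string literal; two further entries such as `(u'\u2028', '\\u2028')` and `(u'\u2029', '\\u2029')` would close that gap (presumably `stringfilter` hands the filter a unicode value — verify). The `</` entry only stops the value from closing the enclosing `<script>` element, which is consistent with the documentation's statement that the output is not HTML-safe; a comment on that line, `# keep a literal '</script>' in the value from ending the enclosing script element`, would make the intent clear to later readers.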


@ -1227,8 +1227,10 @@ Adds the arg to the value.
addslashes addslashes
~~~~~~~~~~ ~~~~~~~~~~
Adds slashes. Useful for passing strings to JavaScript, for example. Adds slashes before quotes. Useful for escaping strings in CSV, for example.
**New in Django development version**: for escaping data in JavaScript strings,
use the `escapejs` filter instead.
capfirst capfirst
~~~~~~~~ ~~~~~~~~
@ -1302,6 +1304,15 @@ applied to the result will only result in one round of escaping being done. So
it is safe to use this function even in auto-escaping environments. If you want it is safe to use this function even in auto-escaping environments. If you want
multiple escaping passes to be applied, use the ``force_escape`` filter. multiple escaping passes to be applied, use the ``force_escape`` filter.
escapejs
~~~~~~~~
**New in Django development version**
Escapes characters for use in JavaScript strings. This does *not* make the
string safe for use in HTML, but does protect you from syntax errors when using
templates to generate JavaScript/JSON.
filesizeformat filesizeformat
~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~


@ -49,6 +49,18 @@ u'\\\\ : backslashes, too'
>>> capfirst(u'hello world') >>> capfirst(u'hello world')
u'Hello world' u'Hello world'
>>> escapejs(u'"double quotes" and \'single quotes\'')
u'\\"double quotes\\" and \\\'single quotes\\\''
>>> escapejs(ur'\ : backslashes, too')
u'\\\\ : backslashes, too'
>>> escapejs(u'and lots of whitespace: \r\n\t\v\f\b')
u'and lots of whitespace: \\r\\n\\t\\v\\f\\b'
>>> escapejs(ur'<script>and this</script>')
u'<script>and this<\\/script>'
>>> fix_ampersands(u'Jack & Jill & Jeroboam') >>> fix_ampersands(u'Jack & Jill & Jeroboam')
u'Jack &amp; Jill &amp; Jeroboam' u'Jack &amp; Jill &amp; Jeroboam'