Fixed #11377: the template join filter now correctly escapes the joiner, too.

Thanks, Stephen Kelly.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@13464 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
Jacob Kaplan-Moss 2010-08-03 15:42:39 +00:00
parent f40922609f
commit e64cdf7129
2 changed files with 9 additions and 4 deletions

View File

@ -11,9 +11,10 @@ except ImportError:
from django.template import Variable, Library from django.template import Variable, Library
from django.conf import settings from django.conf import settings
from django.utils import formats from django.utils import formats
from django.utils.translation import ugettext, ungettext
from django.utils.encoding import force_unicode, iri_to_uri from django.utils.encoding import force_unicode, iri_to_uri
from django.utils.html import conditional_escape
from django.utils.safestring import mark_safe, SafeData from django.utils.safestring import mark_safe, SafeData
from django.utils.translation import ugettext, ungettext
register = Library() register = Library()
@ -496,10 +497,9 @@ def join(value, arg, autoescape=None):
""" """
value = map(force_unicode, value) value = map(force_unicode, value)
if autoescape: if autoescape:
from django.utils.html import conditional_escape
value = [conditional_escape(v) for v in value] value = [conditional_escape(v) for v in value]
try: try:
data = arg.join(value) data = conditional_escape(arg).join(value)
except AttributeError: # fail silently but nicely except AttributeError: # fail silently but nicely
return value return value
return mark_safe(data) return mark_safe(data)

View File

@ -328,7 +328,12 @@ def get_filter_tests():
'join03': (r'{{ a|join:" & " }}', {'a': ['alpha', 'beta & me']}, 'alpha & beta & me'), 'join03': (r'{{ a|join:" & " }}', {'a': ['alpha', 'beta & me']}, 'alpha & beta & me'),
'join04': (r'{% autoescape off %}{{ a|join:" & " }}{% endautoescape %}', {'a': ['alpha', 'beta & me']}, 'alpha & beta & me'), 'join04': (r'{% autoescape off %}{{ a|join:" & " }}{% endautoescape %}', {'a': ['alpha', 'beta & me']}, 'alpha & beta & me'),
# Test that joining with unsafe joiners don't result in unsafe strings (#11377)
'join05': (r'{{ a|join:var }}', {'a': ['alpha', 'beta & me'], 'var': ' & '}, 'alpha & beta & me'),
'join06': (r'{{ a|join:var }}', {'a': ['alpha', 'beta & me'], 'var': mark_safe(' & ')}, 'alpha & beta & me'),
'join07': (r'{{ a|join:var|lower }}', {'a': ['Alpha', 'Beta & me'], 'var': ' & ' }, 'alpha & beta & me'),
'join08': (r'{{ a|join:var|lower }}', {'a': ['Alpha', 'Beta & me'], 'var': mark_safe(' & ')}, 'alpha & beta & me'),
'date01': (r'{{ d|date:"m" }}', {'d': datetime(2008, 1, 1)}, '01'), 'date01': (r'{{ d|date:"m" }}', {'d': datetime(2008, 1, 1)}, '01'),
'date02': (r'{{ d|date }}', {'d': datetime(2008, 1, 1)}, 'Jan. 1, 2008'), 'date02': (r'{{ d|date }}', {'d': datetime(2008, 1, 1)}, 'Jan. 1, 2008'),
#Ticket 9520: Make sure |date doesn't blow up on non-dates #Ticket 9520: Make sure |date doesn't blow up on non-dates