diff --git a/django/template/__init__.py b/django/template/__init__.py index 5493e5bbb7..d9668a1d4a 100644 --- a/django/template/__init__.py +++ b/django/template/__init__.py @@ -518,8 +518,6 @@ class FilterExpression(object): var_obj = None elif var is None: raise TemplateSyntaxError("Could not find variable at start of %s." % token) - elif var.find(VARIABLE_ATTRIBUTE_SEPARATOR + '_') > -1 or var[0] == '_': - raise TemplateSyntaxError("Variables and attributes may not begin with underscores: '%s'" % var) else: var_obj = Variable(var) else: @@ -678,6 +676,8 @@ class Variable(object): except ValueError: # Otherwise we'll set self.lookups so that resolve() knows we're # dealing with a bonafide variable + if var.find(VARIABLE_ATTRIBUTE_SEPARATOR + '_') > -1 or var[0] == '_': + raise TemplateSyntaxError("Variables and attributes may not begin with underscores: '%s'" % var) self.lookups = tuple(var.split(VARIABLE_ATTRIBUTE_SEPARATOR)) def resolve(self, context): diff --git a/tests/regressiontests/templates/parser.py b/tests/regressiontests/templates/parser.py index 6ad301d9c3..6b59896437 100644 --- a/tests/regressiontests/templates/parser.py +++ b/tests/regressiontests/templates/parser.py @@ -27,6 +27,13 @@ u"Some 'Bad' News" [] >>> fe.var u'Some "Good" News' + +Filtered variables should reject access of attributes beginning with underscores. + +>>> FilterExpression('article._hidden|upper', p) +Traceback (most recent call last): +... +TemplateSyntaxError: Variables and attributes may not begin with underscores: 'article._hidden' """ variable_parsing = r""" @@ -56,4 +63,10 @@ u'Some "Good" News' >>> Variable(ur"'Some \'Better\' News'").resolve(c) u"Some 'Better' News" +Variables should reject access of attributes beginning with underscores. + +>>> Variable('article._hidden') +Traceback (most recent call last): +... +TemplateSyntaxError: Variables and attributes may not begin with underscores: 'article._hidden' """