Due to the URL encoding applied by the tag for all parameters that might be
partly controllable by an end-user, there are no XSS/security problems
caused by this bug, only invalid HTML.
* Converted the ``libraries`` and ``builtins`` globals of
``django.template.base`` into properties of the Engine class.
* Added a public API for explicit registration of libraries and builtins.
With the introduction of multiple template engines these exceptions are no
longer DTL-specific. It makes more sense for them to be moved out of
DTL-related modules.
This change:
* Makes the InclusionNode cache-safe by removing render-time side effects
to its nodelist.
* Ensures the render_context stack is properly scoped and reset by updating
the render call to use Template.render rather than Nodelist.render.
Rendering a Jinja template with self in the context threw an error.
While self is a reserved variable in Jinja, including self in the
context is not an error, so Django should respect that.
This patch does three major things:
* Merges the django.template.debug implementation into django.template.base.
* Simplifies the debug implementation.
The old implementation copied debug information to every token and node.
The django_template_source attribute was set in multiple places, some
quite hacky, like django.template.defaulttags.ForNode.
Debug information is now annotated in two high-level places:
* Template.compile_nodelist for errors during parsing
* Node.render_annotated for errors during rendering
These were chosen because they have access to the template and context
as well as to all exceptions that happen during either the parse or
render phase.
* Moves the contextual line traceback information creation from
django.views.debug into django.template.base.Template. The debug views now
only deal with the presentation of the debug information.
This may cause some backwards compatibility issues, but may also
resolve security issues in third party projects that fail to heed warnings
in our documentation.
Thanks Markus Holtermann for help with tests and docs.
Explicitly checking for django.template.Template subclasses is
preferrable to duck-typing because both the django.template.Template and
django.template.backends.django.Template have a render() method.
Thanks spectras for the report.
This significantly improves performance on PyPy. The previous
implementation would generate a new class on every single request,
which is relatively slow.