415 Commits

Author SHA1 Message Date
Tim Graham 536cc64240 [1.6.x] Prevented arbitrary file inclusion with {% ssi %} tag and relative paths.
Thanks Rainer Koirikivi for the report and draft patch.

This is a security fix; disclosure to follow shortly.

Backport of 7fe5b656c9 from master
2013-09-10 21:03:51 -04:00
Aymeric Augustin 115318051c [1.6.x] Replaced "not PY3" by "PY2", new in six 1.4.0.
Conflicts:
	django/db/backends/oracle/base.py
	django/db/backends/sqlite3/base.py
	django/db/models/base.py

Backport of 365c3e8b from master.
2013-09-03 07:34:45 -05:00
Tim Graham 28b1317fd8 [1.6.x] Fixed #20949 -- Typo #2 in docstring
Backport of 0073f1d94f from master
2013-08-21 10:50:27 -04:00
Tim Graham b0821e6d3a [1.6.x] Fixed docstring typo, thanks minddust.
Backport of d3ed15b79d from master
2013-08-21 09:02:19 -04:00
Tim Graham ccff25b143 [1.6.x] Fixed #17778 -- Prevented class attributes on context from resolving as template variables.
Thanks KyleMac for the report, regebro for the patch, and Aymeric for the test.

Backport of 71b5617c24 from master.
2013-08-15 10:22:56 -04:00
Baptiste Mispelon ec371ace00 Fixed #20650 -- Fixed {% filter %} incorrectly accepting 'escape' as argument
Thanks to grzesiof for the report and to loic84 and Alex Gaynor
for the review.
2013-06-25 20:28:35 +02:00
Aymeric Augustin ffcf24c9ce Removed several unused imports. 2013-06-19 17:18:40 +02:00
Emil Stenström 7d77e9786a Fixed #20246 -- Added non-breaking spaces between values and units 2013-05-18 23:01:48 +02:00
Aymeric Augustin 9c487b5974 Replaced an antiquated pattern.
Thanks Lennart Regebro for pointing it out.
2013-05-17 18:08:58 +02:00
Claude Paroz 2bcbca3451 Updated some 'Dive Into Python' links 2013-04-01 14:04:41 +02:00
Aymeric Augustin 68905695b8 Fixed #19510 -- Race condition in template loading.
Thanks Kronuz and regebro.
2013-03-17 23:56:07 +01:00
Łukasz Langa 40b9f4fb8b [py3] Always fed hashlib with bytes. 2013-02-27 10:02:07 +01:00
Carl Meyer 87e8dfaa47 Switching to autoescape is not a change in syntax. 2013-02-25 00:43:03 -07:00
Carl Meyer 3ded2aef71 Remove leading underscore from a function that's all growed up now.
This function is now the de facto standard function for rendering values in a
template, and is imported by two other built-in template modules. It shouldn't
have a leading underscore.
2013-02-25 00:33:29 -07:00
Christopher Medrela 636c45fc58 Fixed #19890 -- ifchanged templatetag rendered its content twice
The content of ifchanged template tag was rendered twice: first time, to
compare it with the previous value and the second time, to return the
rendered output.
2013-02-24 16:49:28 +01:00
Diederik van der Boor 8503120c10 Fixed #15849 -- Made IfChanged node thread safe.
Previously, the ifchanged node stored state on `self._last_seen`,
thereby giving undesired results when the node is reused by another
thread at the same time (e.g. globally caching a Template object).

Thanks to akaihola for the report and Diederik van der Boor and
Bas Peschier for the patch.
2013-02-24 16:06:55 +01:00
Lennart Regebro 687d2e967d Fixed #19827 -- Kept stacktrace in defaulttags exception reraising
Thanks Kronuz for the report and the initial patch.
2013-02-23 17:43:17 +01:00
Aymeric Augustin 5278776a88 Merge pull request #751 from bmispelon/ticket-6271 2013-02-23 07:47:58 -08:00
Vladimir A Filonov f49e9a517f Fixed #17906 - Autoescaping {% cycle %} and {% firstof %} templatetags.
This commit adds "future" version of these two tags with auto-escaping
enabled.
2013-02-23 16:16:39 +01:00
Baptiste Mispelon 069280a689 Used token.split_contents() for tokenisation in template tags accepting variables.
Fixed #6271, #18260.
2013-02-23 15:15:30 +01:00
Claude Paroz e5a8df06be Fixed #19846 -- Optimized a dict of lists in BlockContext class
Thanks Curtis Maloney for the report and the patch.
2013-02-22 23:55:11 +01:00
Baptiste Mispelon f13bfbec70 Fixed #19882 -- Smarter tokenizing of {% for %} tag arguments. 2013-02-22 19:19:33 +01:00
Julien Phalip 7d5e35cdb4 Fixed #19829 -- Fixed index lookups for NumPy arrays in templates. 2013-02-14 23:29:15 -08:00
Michael van Tellingen 138de533ff Fixed #19819 - Improved template filter errors handling.
Wrap the Parser.compile_filter method call with a try/except and call the
newly added Parser.compile_filter_error(). Overwrite this method in the
DebugParser to throw the correct error.

Since this error was otherwise caught by the compile_function try/except
block the debugger highlighted the wrong line.
2013-02-14 10:22:59 +01:00
Ramiro Morales 826d9de00e Fixed #19729 -- Removed leftover refactoring helper variables.
Thanks chrismedrela for the report.

Refs #6262, 44b9076 and 4d94c0c.
2013-02-04 20:31:50 -03:00
Claude Paroz 7c5b244826 Fixed #17061 -- Factored out importing object from a dotted path
Thanks Carl Meyer for the report.
2013-02-04 16:38:25 +01:00
Aymeric Augustin a7b7d6320c Merge pull request #595 from bmispelon/patch-1
Fixed a typo in WidthRatioNode.
2012-12-29 13:39:52 -08:00
Aymeric Augustin 5d5e1f5afa Removed support for is_safe and needs_autoescape as function attributes. 2012-12-29 21:59:07 +01:00
Tim Graham 6534a95ac3 Fixed #19470 - Clarified widthratio example.
Thanks orblivion for the suggestion.
2012-12-18 08:20:01 -05:00
Baptiste Mispelon ac8eb82abb Fixed typo in WidthRatioNode's error. 2012-12-17 10:35:36 +01:00
Aymeric Augustin 49519328b4 Fixed #19392 -- Improved error for old-style url tags with dashes.
Thanks dloewenherz for the report.
2012-12-09 16:17:56 +01:00
Danilo Bargen c10aaa70a4 Fixed #19370 -- Made date filter properly handle midnight value 2012-11-27 21:24:16 +01:00
Aymeric Augustin 7644800070 Change exception type to reduce confusion.
TemplateSyntaxError is expected at compile time, not at run time.

Refs #19280.
2012-11-25 19:51:42 +01:00
Aymeric Augustin d266919584 Fixed #19280 -- Raised an explicit exception for the old {% url %} syntax. 2012-11-24 22:10:51 +01:00
Riley Strong d179794c6b Fix typo in comment 2012-11-19 19:31:21 -06:00
Sean Breant 4d817b3887 Fixed #19262 -- Support cookie pickling in SimpleTemplateResponse
Refs #15863.
2012-11-09 21:07:53 +01:00
Claude Paroz fa2e28ccc4 Fixed #18484 -- Removed the div around the csrf token input 2012-10-13 11:30:09 +02:00
Ramiro Morales 2100da9dcd Ensure we ignore __pycache__ PEP 3174 dirs in a few more places. 2012-10-06 18:40:58 -03:00
Martey Dodoo 3fb2662edc Fixes #18933. Fixes code example in docstring.
Makes code example of silent keyword docstring in cycle templatetag
method the same as in the documentation.
2012-09-09 00:35:40 -04:00
Claude Paroz ae88e73fa6 Replaced some smart_xxx by force_xxx equivalent
smart_str/smart_text should only be used when a potential lazy
string should be preserved in the result of the function call.
2012-08-30 15:46:16 +02:00
Claude Paroz e2b4eddc11 Used the decorator syntax for properties in django.http 2012-08-22 20:55:24 +02:00
Marc Tamlyn e4984812cd Fixed bug in 212b982 -- Removed duplicate code in removetags 2012-08-18 17:09:37 +01:00
Marc Tamlyn 212b9826bd Fixed #14516 -- Extract methods from removetags and slugify template filters
Patch by @jphalip updated to apply, documentation and release notes
added.

I've documented strip_tags as well as remove_tags as the difference
between the two wouldn't be immediately obvious.
2012-08-18 15:07:21 +01:00
Claude Paroz 2d2dca2d8e [py3] Fixed slugify filter 2012-08-15 12:29:10 +02:00
Aymeric Augustin 2ae58b20ec [py3] Fixed egg template loader. 2012-08-14 12:29:53 +02:00
Claude Paroz dce34dc969 [py3] Made __repr__ return str with Python 3 2012-08-12 20:45:39 +02:00
Aymeric Augustin d4a0b27838 [py3] Refactored __unicode__ to __str__.
* Renamed the __unicode__ methods
* Applied the python_2_unicode_compatible decorator
* Removed the StrAndUnicode mix-in that is superseded by
  python_2_unicode_compatible
* Kept the __unicode__ methods in classes that specifically
  test it under Python 2
2012-08-12 14:44:40 +02:00
Aymeric Augustin 2bb2eecb63 [py3] Removed redundant __str__ methods.
These classes already have an identical __unicode__ method, which
will be used after an upcoming refactoring.
2012-08-12 14:44:40 +02:00
Karen Tracey 759ae3c2da Fixed #18739 -- widthratio behavior on None args
Made behavior given None consistent with how non-numerics were handled.
Thanks to ja.geb@me.com for the report.
2012-08-11 19:24:18 -04:00
Alex Gaynor 4c97101b1f remove a bunch of unnecessary iterkeys() calls 2012-08-08 07:33:15 -07:00