8618271caa
Fixed CVE-2018-7536 -- Fixed catastrophic backtracking in urlize and urlizetrunc template filters.
...
Thanks Florian Apolloner for assisting with the patch.
2018-03-06 08:30:40 -05:00
968329b5c2
Refs #27795 -- Replaced force_text() calls with str() in django.utils.html.
2018-02-09 16:47:45 -08:00
8c709d79cb
Fixed #17419 -- Added json_tag template filter.
2018-02-07 18:38:12 -05:00
ff05de760c
Fixed #29038 -- Removed closing slash from HTML void tags.
2018-01-21 02:09:10 -05:00
c68f66e014
Refs #23919 -- Replaced super() calls for old-style classes.
2017-12-07 09:10:32 -05:00
abb636c1af
Improved performance of utils.html.escape().
2017-10-13 09:20:13 -04:00
cfff2af02b
Fixed #27857 -- Dropped support for Python 3.4.
2017-09-25 17:11:03 -04:00
301de774c2
Refs #27795 -- Replaced many force_text() with str()
...
Thanks Tim Graham for the review.
2017-04-27 09:10:02 +02:00
6ae1b04fb5
Fixed #27900 -- Made escapejs escape backticks for use in ES6 template literals.
2017-03-04 09:04:16 -05:00
9718fa2e8a
Refs #27656 -- Updated django.utils docstring verbs according to PEP 257.
2017-02-11 16:11:08 -05:00
a21ec12409
Fixed #27803 -- Kept safe status of lazy safe strings in conditional_escape
2017-02-02 21:01:39 +01:00
d170c63351
Refs #23919 -- Removed misc references to Python 2.
2017-01-21 20:02:00 -05:00
042b7350a0
Refs #23919 -- Removed unneeded str() calls
2017-01-20 14:13:55 +01:00
dc8834cad4
Refs #23919 -- Removed unneeded force_str calls
2017-01-20 08:44:31 +01:00
2b281cc35e
Refs #23919 -- Removed most of remaining six usage
...
Thanks Tim Graham for the review.
2017-01-18 21:33:28 +01:00
7b2f2e74ad
Refs #23919 -- Removed six.<various>_types usage
...
Thanks Tim Graham and Simon Charette for the reviews.
2017-01-18 20:18:46 +01:00
c716fe8782
Refs #23919 -- Removed six.PY2/PY3 usage
...
Thanks Tim Graham for the review.
2017-01-18 16:21:28 +01:00
d7b9aaa366
Refs #23919 -- Removed encoding preambles and future imports
2017-01-18 09:55:19 +01:00
967be82443
Fixed E305 flake8 warnings.
2016-11-14 12:30:46 -05:00
4ff389dcdc
Removed unused regexes from django.utils.html.
...
Last uses removed in commit 8b81dee60c
2016-09-23 11:24:50 -07:00
8119b679eb
Refs #27025 -- Fixed "invalid escape sequence" warnings in Python 3.6.
...
http://bugs.python.org/issue27364
2016-09-17 15:44:06 -04:00
df8d8d4292
Fixed E128 flake8 warnings in django/.
2016-04-08 09:51:06 -04:00
dec334cb66
Fixed #26193 -- Made urlize() trim multiple trailing punctuation.
2016-02-15 09:10:15 -05:00
d693074d43
Fixed #20223 -- Added keep_lazy() as a replacement for allow_lazy().
...
Thanks to bmispelon and uruz for the initial patch.
2015-12-12 14:46:48 -05:00
222d063301
Refs #23269 -- Removed the removetags template tag and related functions per deprecation timeline.
2015-09-23 19:31:09 -04:00
5153a3bfdc
Fixed #25331 -- Removed trailing blank lines in docstrings.
2015-08-31 17:37:21 -04:00
aaacaeb096
Renamed RemovedInDjangoXYWarnings for new roadmap.
...
Forwardport of ae1d663b79
2015-06-24 16:08:20 -04:00
47fcbe506c
Fixed flake8 warnings on Python 3.
2015-06-15 11:27:09 -04:00
1f2abf784a
Fixed #24469 -- Refined escaping of Django's form elements in non-Django templates.
2015-03-27 19:46:20 -04:00
1c83fc88d6
Fixed an infinite loop possibility in strip_tags().
...
This is a security fix; disclosure to follow shortly.
2015-03-18 19:20:07 -04:00
3ed9c7bdfe
Fixed #24471 -- Enhanced urlize regex to exclude quotes and angle brackets.
2015-03-10 19:24:46 -04:00
7b1a67cce5
Fixed escaping regression in urlize filter.
...
Now that the URL is always unescaped as of refs #22267 ,
we should re-escape it before inserting it into the anchor.
2015-03-10 18:58:34 -04:00
ec808e807a
Fixed urlize regression with entities in query strings
...
Refs #22267 .
Thanks Shai Berger for spotting the issue and Tim Graham for the
initial patch.
2015-03-06 22:20:14 +01:00
0ed7d15563
Sorted imports with isort; refs #23860 .
2015-02-06 08:16:28 -05:00
fed25f1105
Removed compatibility with Python 3.2.
2015-01-17 09:00:17 -05:00
6d52f6f8e6
Fixed #23831 -- Supported strings escaped by third-party libs in Django.
...
Refs #7261 -- Made strings escaped by Django usable in third-party libs.
The changes in mark_safe and mark_for_escaping are straightforward. The
more tricky part is to handle correctly objects that implement __html__.
Historically escape() has escaped SafeData. Even if that doesn't seem a
good behavior, changing it would create security concerns. Therefore
support for __html__() was only added to conditional_escape() where this
concern doesn't exist.
Then using conditional_escape() instead of escape() in the Django
template engine makes it understand data escaped by other libraries.
Template filter |escape accounts for __html__() when it's available.
|force_escape forces the use of Django's HTML escaping implementation.
Here's why the change in render_value_in_context() is safe. Before Django
1.7 conditional_escape() was implemented as follows:
if isinstance(text, SafeData):
return text
else:
return escape(text)
render_value_in_context() never called escape() on SafeData. Therefore
replacing escape() with conditional_escape() doesn't change the
autoescaping logic as it was originally intended.
This change should be backported to Django 1.7 because it corrects a
feature added in Django 1.7.
Thanks mitsuhiko for the report.
2014-12-27 18:02:34 +01:00
4468c08d70
Fixed #23968 -- Replaced list comprehension with generators and dict comprehension
2014-12-08 07:58:23 -05:00
560b4207b1
Removed redundant numbered parameters from str.format().
...
Since Python 2.7 and 3.1, "{0} {1}" is equivalent to "{} {}".
2014-12-03 14:27:38 -05:00
ed2f96819c
Fixed #23715 -- Prevented urlize from treating a trailing ! as part of an URL
...
Thanks to 57even for the report.
2014-10-31 08:06:40 -04:00
54e695331b
Fixed #20221 -- Allowed some functions that use mark_safe() to result in SafeText.
...
Thanks Baptiste Mispelon for the report.
2014-10-20 17:08:29 -04:00
a4c23f70de
Fixed flake8 warnings.
2014-09-09 20:57:26 -04:00
b9d9287f59
Fixed urlize after smart_urlquote rewrite
...
Refs #22267 .
2014-09-09 21:59:35 +02:00
4b8a1d2c0d
Fixed #22267 -- Fixed unquote/quote in smart_urlquote
...
Thanks Md. Enzam Hossain for the report and initial patch, and
Tim Graham for the review.
2014-09-09 21:58:07 +02:00
1101467ce0
Limited lines to 119 characters in django/
...
refs #23395 .
2014-09-05 09:22:16 -04:00
e122facbd8
Fixed #23269 -- Deprecated django.utils.remove_tags() and removetags filter.
...
Also the unused, undocumented django.utils.html.strip_entities() function.
2014-08-15 08:20:02 -04:00
e167e96cfe
Fixed #22223 -- Prevented over-escaping URLs in reverse()
...
And follow more closely the class of characters defined in the
RFC 3986.
Thanks Erik van Zijst for the report and the initial patch, and
Tim Graham for the review.
2014-07-09 09:54:34 +02:00
1bb1d3168b
Updated urlize regex following a93ee5112d
...
Prevent urlize from turning some.organization, an.intern etc.
into urls. Refs #22941 .
2014-07-04 09:00:16 +02:00
a93ee5112d
Fixed #22941 - Added support for domain-only links with chars after the TLD to urlize.
...
It now works with something like google.com/foo/bar
2014-07-02 20:36:53 -04:00
c28beb4291
Refactored and commented strip_tags utility
2014-04-03 21:24:29 +02:00
778ce245dd
Corrected many style guide violations that the newest version of flake8 catches
2014-03-30 12:11:05 -07:00
Tim Graham
Jon Dufresne
Jonas Haag
Nick Pope
Tom
Claude Paroz
Anton Samarchyan
Ramin Farajpour Cami
Iacopo Spalletti
Maxime Lorant
Moritz Sichert
Aymeric Augustin
Berker Peksag
Markus Holtermann
LarryBrid
LarryBrid
Tomasz Wysocki
Alex Gaynor