Commit Graph

148 Commits

Author SHA1 Message Date
Shipeng Feng 68cc04887b
Fixed #32866 -- Fixed trimming trailing punctuation from escaped string in urlize(). 2021-07-07 11:19:33 +02:00
Baptiste Mispelon 824981b2dc Removed unused unencoded_ampersands_re regex.
Unused since 8b81dee60c.
2019-11-25 09:01:31 +01:00
Hasan Ramezani e3d0b4d550 Fixed #30899 -- Lazily compiled import time regular expressions. 2019-10-29 09:22:26 +01:00
Florian Apolloner 4b78420d25 Fixed CVE-2019-14233 -- Prevented excessive HTMLParser recursion in strip_tags() when handling incomplete HTML entities.
Thanks to Guido Vranken for initial report.
2019-08-01 09:24:54 +02:00
Mariusz Felisiak f226bdbf4e Refs #30608 -- Added django.utils.encoding.punycode(). 2019-07-03 10:48:02 +02:00
Min ho Kim fbb83fefd4 Fixed typos in comments and docs. 2019-07-02 09:36:17 +02:00
Jon Dufresne 8d76443aba Fixed #30399 -- Changed django.utils.html.escape()/urlize() to use html.escape()/unescape(). 2019-04-25 15:09:07 +02:00
Tim Graham 77d25dbd0f Refs #27753 -- Favored SafeString over SafeText. 2019-02-06 14:12:06 -05:00
Tim Graham 1e3cd51163
Simplified django.utils.html.urlize(). 2018-10-12 12:15:26 -04:00
Tim Graham 910548634a Refs #29826 -- Removed unused characters from urlize configuration.
The HTML characters are unused because urlize is meant to be applied to
plain text and these characters aren't properly detected (refs #29826).
Angle brackets and quotes are present in word_split_re and therefore
won't be used in WRAPPING_PUNCTUATION.
2018-10-12 08:13:52 +02:00
Sergey Fedoseev 8ef8bc0f64 Refs #28909 -- Simplifed code using unpacking generalizations. 2018-09-28 09:57:12 -04:00
Jon Dufresne 82f286cf6f Refs #29784 -- Switched to https:// links where available. 2018-09-26 08:48:47 +02:00
Claude Paroz 201017df30 Fixed #29654 -- Made text truncation an ellipsis character instead of three dots.
Thanks Sudhanshu Mishra for the initial patch and Tim Graham for the review.
2018-08-21 17:46:45 +02:00
Tim Graham 8618271caa Fixed CVE-2018-7536 -- Fixed catastrophic backtracking in urlize and urlizetrunc template filters.
Thanks Florian Apolloner for assisting with the patch.
2018-03-06 08:30:40 -05:00
Jon Dufresne 968329b5c2 Refs #27795 -- Replaced force_text() calls with str() in django.utils.html. 2018-02-09 16:47:45 -08:00
Jonas Haag 8c709d79cb Fixed #17419 -- Added json_tag template filter. 2018-02-07 18:38:12 -05:00
Jon Dufresne ff05de760c Fixed #29038 -- Removed closing slash from HTML void tags. 2018-01-21 02:09:10 -05:00
Nick Pope c68f66e014 Refs #23919 -- Replaced super() calls for old-style classes. 2017-12-07 09:10:32 -05:00
Tom abb636c1af Improved performance of utils.html.escape(). 2017-10-13 09:20:13 -04:00
Tim Graham cfff2af02b Fixed #27857 -- Dropped support for Python 3.4. 2017-09-25 17:11:03 -04:00
Claude Paroz 301de774c2 Refs #27795 -- Replaced many force_text() with str()
Thanks Tim Graham for the review.
2017-04-27 09:10:02 +02:00
Tim Graham 6ae1b04fb5 Fixed #27900 -- Made escapejs escape backticks for use in ES6 template literals. 2017-03-04 09:04:16 -05:00
Anton Samarchyan 9718fa2e8a Refs #27656 -- Updated django.utils docstring verbs according to PEP 257. 2017-02-11 16:11:08 -05:00
Claude Paroz a21ec12409 Fixed #27803 -- Kept safe status of lazy safe strings in conditional_escape 2017-02-02 21:01:39 +01:00
Tim Graham d170c63351 Refs #23919 -- Removed misc references to Python 2. 2017-01-21 20:02:00 -05:00
Claude Paroz 042b7350a0 Refs #23919 -- Removed unneeded str() calls 2017-01-20 14:13:55 +01:00
Claude Paroz dc8834cad4 Refs #23919 -- Removed unneeded force_str calls 2017-01-20 08:44:31 +01:00
Claude Paroz 2b281cc35e Refs #23919 -- Removed most of remaining six usage
Thanks Tim Graham for the review.
2017-01-18 21:33:28 +01:00
Claude Paroz 7b2f2e74ad Refs #23919 -- Removed six.<various>_types usage
Thanks Tim Graham and Simon Charette for the reviews.
2017-01-18 20:18:46 +01:00
Claude Paroz c716fe8782 Refs #23919 -- Removed six.PY2/PY3 usage
Thanks Tim Graham for the review.
2017-01-18 16:21:28 +01:00
Claude Paroz d7b9aaa366 Refs #23919 -- Removed encoding preambles and future imports 2017-01-18 09:55:19 +01:00
Ramin Farajpour Cami 967be82443 Fixed E305 flake8 warnings. 2016-11-14 12:30:46 -05:00
Jon Dufresne 4ff389dcdc Removed unused regexes from django.utils.html.
Last uses removed in commit 8b81dee60c.
2016-09-23 11:24:50 -07:00
Tim Graham 8119b679eb Refs #27025 -- Fixed "invalid escape sequence" warnings in Python 3.6.
http://bugs.python.org/issue27364
2016-09-17 15:44:06 -04:00
Tim Graham df8d8d4292 Fixed E128 flake8 warnings in django/. 2016-04-08 09:51:06 -04:00
Jon Dufresne dec334cb66 Fixed #26193 -- Made urlize() trim multiple trailing punctuation. 2016-02-15 09:10:15 -05:00
Iacopo Spalletti d693074d43 Fixed #20223 -- Added keep_lazy() as a replacement for allow_lazy().
Thanks to bmispelon and uruz for the initial patch.
2015-12-12 14:46:48 -05:00
Tim Graham 222d063301 Refs #23269 -- Removed the removetags template tag and related functions per deprecation timeline. 2015-09-23 19:31:09 -04:00
Maxime Lorant 5153a3bfdc Fixed #25331 -- Removed trailing blank lines in docstrings. 2015-08-31 17:37:21 -04:00
Tim Graham aaacaeb096 Renamed RemovedInDjangoXYWarnings for new roadmap.
Forwardport of ae1d663b79
from stable/1.8.x plus more.
2015-06-24 16:08:20 -04:00
Tim Graham 47fcbe506c Fixed flake8 warnings on Python 3. 2015-06-15 11:27:09 -04:00
Moritz Sichert 1f2abf784a Fixed #24469 -- Refined escaping of Django's form elements in non-Django templates. 2015-03-27 19:46:20 -04:00
Tim Graham 1c83fc88d6 Fixed an infinite loop possibility in strip_tags().
This is a security fix; disclosure to follow shortly.
2015-03-18 19:20:07 -04:00
Tim Graham 3ed9c7bdfe Fixed #24471 -- Enhanced urlize regex to exclude quotes and angle brackets. 2015-03-10 19:24:46 -04:00
Tim Graham 7b1a67cce5 Fixed escaping regression in urlize filter.
Now that the URL is always unescaped as of refs #22267,
we should re-escape it before inserting it into the anchor.
2015-03-10 18:58:34 -04:00
Claude Paroz ec808e807a Fixed urlize regression with entities in query strings
Refs #22267.
Thanks Shai Berger for spotting the issue and Tim Graham for the
initial patch.
2015-03-06 22:20:14 +01:00
Tim Graham 0ed7d15563 Sorted imports with isort; refs #23860. 2015-02-06 08:16:28 -05:00
Tim Graham fed25f1105 Removed compatibility with Python 3.2. 2015-01-17 09:00:17 -05:00
Aymeric Augustin 6d52f6f8e6 Fixed #23831 -- Supported strings escaped by third-party libs in Django.
Refs #7261 -- Made strings escaped by Django usable in third-party libs.

The changes in mark_safe and mark_for_escaping are straightforward. The
more tricky part is to handle correctly objects that implement __html__.

Historically escape() has escaped SafeData. Even if that doesn't seem a
good behavior, changing it would create security concerns. Therefore
support for __html__() was only added to conditional_escape() where this
concern doesn't exist.

Then using conditional_escape() instead of escape() in the Django
template engine makes it understand data escaped by other libraries.

Template filter |escape accounts for __html__() when it's available.
|force_escape forces the use of Django's HTML escaping implementation.

Here's why the change in render_value_in_context() is safe. Before Django
1.7 conditional_escape() was implemented as follows:

    if isinstance(text, SafeData):
        return text
    else:
        return escape(text)

render_value_in_context() never called escape() on SafeData. Therefore
replacing escape() with conditional_escape() doesn't change the
autoescaping logic as it was originally intended.

This change should be backported to Django 1.7 because it corrects a
feature added in Django 1.7.

Thanks mitsuhiko for the report.
2014-12-27 18:02:34 +01:00
Jon Dufresne 4468c08d70 Fixed #23968 -- Replaced list comprehension with generators and dict comprehension 2014-12-08 07:58:23 -05:00