Commit Graph

147 Commits

Author SHA1 Message Date
Baptiste Mispelon 824981b2dc Removed unused unencoded_ampersands_re regex.
Unused since 8b81dee60c.
2019-11-25 09:01:31 +01:00
Hasan Ramezani e3d0b4d550 Fixed -- Lazily compiled import time regular expressions. 2019-10-29 09:22:26 +01:00
Florian Apolloner 4b78420d25 Fixed CVE-2019-14233 -- Prevented excessive HTMLParser recursion in strip_tags() when handling incomplete HTML entities.
Thanks to Guido Vranken for initial report.
2019-08-01 09:24:54 +02:00
Mariusz Felisiak f226bdbf4e Refs -- Added django.utils.encoding.punycode(). 2019-07-03 10:48:02 +02:00
Min ho Kim fbb83fefd4 Fixed typos in comments and docs. 2019-07-02 09:36:17 +02:00
Jon Dufresne 8d76443aba Fixed -- Changed django.utils.html.escape()/urlize() to use html.escape()/unescape(). 2019-04-25 15:09:07 +02:00
Tim Graham 77d25dbd0f Refs -- Favored SafeString over SafeText. 2019-02-06 14:12:06 -05:00
Tim Graham 1e3cd51163
Simplified django.utils.html.urlize(). 2018-10-12 12:15:26 -04:00
Tim Graham 910548634a Refs -- Removed unused characters from urlize configuration.
The HTML characters are unused because urlize is meant to be applied to
plain text and these characters aren't properly detected (refs ).
Angle brackets and quotes are present in word_split_re and therefore
won't be used in WRAPPING_PUNCTUATION.
2018-10-12 08:13:52 +02:00
Sergey Fedoseev 8ef8bc0f64 Refs -- Simplifed code using unpacking generalizations. 2018-09-28 09:57:12 -04:00
Jon Dufresne 82f286cf6f Refs -- Switched to https:// links where available. 2018-09-26 08:48:47 +02:00
Claude Paroz 201017df30 Fixed -- Made text truncation an ellipsis character instead of three dots.
Thanks Sudhanshu Mishra for the initial patch and Tim Graham for the review.
2018-08-21 17:46:45 +02:00
Tim Graham 8618271caa Fixed CVE-2018-7536 -- Fixed catastrophic backtracking in urlize and urlizetrunc template filters.
Thanks Florian Apolloner for assisting with the patch.
2018-03-06 08:30:40 -05:00
Jon Dufresne 968329b5c2 Refs -- Replaced force_text() calls with str() in django.utils.html. 2018-02-09 16:47:45 -08:00
Jonas Haag 8c709d79cb Fixed -- Added json_tag template filter. 2018-02-07 18:38:12 -05:00
Jon Dufresne ff05de760c Fixed -- Removed closing slash from HTML void tags. 2018-01-21 02:09:10 -05:00
Nick Pope c68f66e014 Refs -- Replaced super() calls for old-style classes. 2017-12-07 09:10:32 -05:00
Tom abb636c1af Improved performance of utils.html.escape(). 2017-10-13 09:20:13 -04:00
Tim Graham cfff2af02b Fixed -- Dropped support for Python 3.4. 2017-09-25 17:11:03 -04:00
Claude Paroz 301de774c2 Refs -- Replaced many force_text() with str()
Thanks Tim Graham for the review.
2017-04-27 09:10:02 +02:00
Tim Graham 6ae1b04fb5 Fixed -- Made escapejs escape backticks for use in ES6 template literals. 2017-03-04 09:04:16 -05:00
Anton Samarchyan 9718fa2e8a Refs -- Updated django.utils docstring verbs according to PEP 257. 2017-02-11 16:11:08 -05:00
Claude Paroz a21ec12409 Fixed -- Kept safe status of lazy safe strings in conditional_escape 2017-02-02 21:01:39 +01:00
Tim Graham d170c63351 Refs -- Removed misc references to Python 2. 2017-01-21 20:02:00 -05:00
Claude Paroz 042b7350a0 Refs -- Removed unneeded str() calls 2017-01-20 14:13:55 +01:00
Claude Paroz dc8834cad4 Refs -- Removed unneeded force_str calls 2017-01-20 08:44:31 +01:00
Claude Paroz 2b281cc35e Refs -- Removed most of remaining six usage
Thanks Tim Graham for the review.
2017-01-18 21:33:28 +01:00
Claude Paroz 7b2f2e74ad Refs -- Removed six.<various>_types usage
Thanks Tim Graham and Simon Charette for the reviews.
2017-01-18 20:18:46 +01:00
Claude Paroz c716fe8782 Refs -- Removed six.PY2/PY3 usage
Thanks Tim Graham for the review.
2017-01-18 16:21:28 +01:00
Claude Paroz d7b9aaa366 Refs -- Removed encoding preambles and future imports 2017-01-18 09:55:19 +01:00
Ramin Farajpour Cami 967be82443 Fixed E305 flake8 warnings. 2016-11-14 12:30:46 -05:00
Jon Dufresne 4ff389dcdc Removed unused regexes from django.utils.html.
Last uses removed in commit 8b81dee60c.
2016-09-23 11:24:50 -07:00
Tim Graham 8119b679eb Refs -- Fixed "invalid escape sequence" warnings in Python 3.6.
http://bugs.python.org/issue27364
2016-09-17 15:44:06 -04:00
Tim Graham df8d8d4292 Fixed E128 flake8 warnings in django/. 2016-04-08 09:51:06 -04:00
Jon Dufresne dec334cb66 Fixed -- Made urlize() trim multiple trailing punctuation. 2016-02-15 09:10:15 -05:00
Iacopo Spalletti d693074d43 Fixed -- Added keep_lazy() as a replacement for allow_lazy().
Thanks to bmispelon and uruz for the initial patch.
2015-12-12 14:46:48 -05:00
Tim Graham 222d063301 Refs -- Removed the removetags template tag and related functions per deprecation timeline. 2015-09-23 19:31:09 -04:00
Maxime Lorant 5153a3bfdc Fixed -- Removed trailing blank lines in docstrings. 2015-08-31 17:37:21 -04:00
Tim Graham aaacaeb096 Renamed RemovedInDjangoXYWarnings for new roadmap.
Forwardport of ae1d663b79
from stable/1.8.x plus more.
2015-06-24 16:08:20 -04:00
Tim Graham 47fcbe506c Fixed flake8 warnings on Python 3. 2015-06-15 11:27:09 -04:00
Moritz Sichert 1f2abf784a Fixed -- Refined escaping of Django's form elements in non-Django templates. 2015-03-27 19:46:20 -04:00
Tim Graham 1c83fc88d6 Fixed an infinite loop possibility in strip_tags().
This is a security fix; disclosure to follow shortly.
2015-03-18 19:20:07 -04:00
Tim Graham 3ed9c7bdfe Fixed -- Enhanced urlize regex to exclude quotes and angle brackets. 2015-03-10 19:24:46 -04:00
Tim Graham 7b1a67cce5 Fixed escaping regression in urlize filter.
Now that the URL is always unescaped as of refs ,
we should re-escape it before inserting it into the anchor.
2015-03-10 18:58:34 -04:00
Claude Paroz ec808e807a Fixed urlize regression with entities in query strings
Refs .
Thanks Shai Berger for spotting the issue and Tim Graham for the
initial patch.
2015-03-06 22:20:14 +01:00
Tim Graham 0ed7d15563 Sorted imports with isort; refs . 2015-02-06 08:16:28 -05:00
Tim Graham fed25f1105 Removed compatibility with Python 3.2. 2015-01-17 09:00:17 -05:00
Aymeric Augustin 6d52f6f8e6 Fixed -- Supported strings escaped by third-party libs in Django.
Refs  -- Made strings escaped by Django usable in third-party libs.

The changes in mark_safe and mark_for_escaping are straightforward. The
more tricky part is to handle correctly objects that implement __html__.

Historically escape() has escaped SafeData. Even if that doesn't seem a
good behavior, changing it would create security concerns. Therefore
support for __html__() was only added to conditional_escape() where this
concern doesn't exist.

Then using conditional_escape() instead of escape() in the Django
template engine makes it understand data escaped by other libraries.

Template filter |escape accounts for __html__() when it's available.
|force_escape forces the use of Django's HTML escaping implementation.

Here's why the change in render_value_in_context() is safe. Before Django
1.7 conditional_escape() was implemented as follows:

    if isinstance(text, SafeData):
        return text
    else:
        return escape(text)

render_value_in_context() never called escape() on SafeData. Therefore
replacing escape() with conditional_escape() doesn't change the
autoescaping logic as it was originally intended.

This change should be backported to Django 1.7 because it corrects a
feature added in Django 1.7.

Thanks mitsuhiko for the report.
2014-12-27 18:02:34 +01:00
Jon Dufresne 4468c08d70 Fixed -- Replaced list comprehension with generators and dict comprehension 2014-12-08 07:58:23 -05:00
Berker Peksag 560b4207b1 Removed redundant numbered parameters from str.format().
Since Python 2.7 and 3.1, "{0} {1}" is equivalent to "{} {}".
2014-12-03 14:27:38 -05:00