Florian Apolloner
4b78420d25
Fixed CVE-2019-14233 -- Prevented excessive HTMLParser recursion in strip_tags() when handling incomplete HTML entities.
...
Thanks to Guido Vranken for initial report.
2019-08-01 09:24:54 +02:00
Mariusz Felisiak
f226bdbf4e
Refs #30608 -- Added django.utils.encoding.punycode().
2019-07-03 10:48:02 +02:00
Min ho Kim
fbb83fefd4
Fixed typos in comments and docs.
2019-07-02 09:36:17 +02:00
Jon Dufresne
8d76443aba
Fixed #30399 -- Changed django.utils.html.escape()/urlize() to use html.escape()/unescape().
2019-04-25 15:09:07 +02:00
Tim Graham
77d25dbd0f
Refs #27753 -- Favored SafeString over SafeText.
2019-02-06 14:12:06 -05:00
Tim Graham
1e3cd51163
Simplified django.utils.html.urlize().
2018-10-12 12:15:26 -04:00
Tim Graham
910548634a
Refs #29826 -- Removed unused characters from urlize configuration.
...
The HTML characters are unused because urlize is meant to be applied to
plain text and these characters aren't properly detected (refs #29826 ).
Angle brackets and quotes are present in word_split_re and therefore
won't be used in WRAPPING_PUNCTUATION.
2018-10-12 08:13:52 +02:00
Sergey Fedoseev
8ef8bc0f64
Refs #28909 -- Simplifed code using unpacking generalizations.
2018-09-28 09:57:12 -04:00
Jon Dufresne
82f286cf6f
Refs #29784 -- Switched to https:// links where available.
2018-09-26 08:48:47 +02:00
Claude Paroz
201017df30
Fixed #29654 -- Made text truncation an ellipsis character instead of three dots.
...
Thanks Sudhanshu Mishra for the initial patch and Tim Graham for the review.
2018-08-21 17:46:45 +02:00
Tim Graham
8618271caa
Fixed CVE-2018-7536 -- Fixed catastrophic backtracking in urlize and urlizetrunc template filters.
...
Thanks Florian Apolloner for assisting with the patch.
2018-03-06 08:30:40 -05:00
Jon Dufresne
968329b5c2
Refs #27795 -- Replaced force_text() calls with str() in django.utils.html.
2018-02-09 16:47:45 -08:00
Jonas Haag
8c709d79cb
Fixed #17419 -- Added json_tag template filter.
2018-02-07 18:38:12 -05:00
Jon Dufresne
ff05de760c
Fixed #29038 -- Removed closing slash from HTML void tags.
2018-01-21 02:09:10 -05:00
Nick Pope
c68f66e014
Refs #23919 -- Replaced super() calls for old-style classes.
2017-12-07 09:10:32 -05:00
Tom
abb636c1af
Improved performance of utils.html.escape().
2017-10-13 09:20:13 -04:00
Tim Graham
cfff2af02b
Fixed #27857 -- Dropped support for Python 3.4.
2017-09-25 17:11:03 -04:00
Claude Paroz
301de774c2
Refs #27795 -- Replaced many force_text() with str()
...
Thanks Tim Graham for the review.
2017-04-27 09:10:02 +02:00
Tim Graham
6ae1b04fb5
Fixed #27900 -- Made escapejs escape backticks for use in ES6 template literals.
2017-03-04 09:04:16 -05:00
Anton Samarchyan
9718fa2e8a
Refs #27656 -- Updated django.utils docstring verbs according to PEP 257.
2017-02-11 16:11:08 -05:00
Claude Paroz
a21ec12409
Fixed #27803 -- Kept safe status of lazy safe strings in conditional_escape
2017-02-02 21:01:39 +01:00
Tim Graham
d170c63351
Refs #23919 -- Removed misc references to Python 2.
2017-01-21 20:02:00 -05:00
Claude Paroz
042b7350a0
Refs #23919 -- Removed unneeded str() calls
2017-01-20 14:13:55 +01:00
Claude Paroz
dc8834cad4
Refs #23919 -- Removed unneeded force_str calls
2017-01-20 08:44:31 +01:00
Claude Paroz
2b281cc35e
Refs #23919 -- Removed most of remaining six usage
...
Thanks Tim Graham for the review.
2017-01-18 21:33:28 +01:00
Claude Paroz
7b2f2e74ad
Refs #23919 -- Removed six.<various>_types usage
...
Thanks Tim Graham and Simon Charette for the reviews.
2017-01-18 20:18:46 +01:00
Claude Paroz
c716fe8782
Refs #23919 -- Removed six.PY2/PY3 usage
...
Thanks Tim Graham for the review.
2017-01-18 16:21:28 +01:00
Claude Paroz
d7b9aaa366
Refs #23919 -- Removed encoding preambles and future imports
2017-01-18 09:55:19 +01:00
Ramin Farajpour Cami
967be82443
Fixed E305 flake8 warnings.
2016-11-14 12:30:46 -05:00
Jon Dufresne
4ff389dcdc
Removed unused regexes from django.utils.html.
...
Last uses removed in commit 8b81dee60c
.
2016-09-23 11:24:50 -07:00
Tim Graham
8119b679eb
Refs #27025 -- Fixed "invalid escape sequence" warnings in Python 3.6.
...
http://bugs.python.org/issue27364
2016-09-17 15:44:06 -04:00
Tim Graham
df8d8d4292
Fixed E128 flake8 warnings in django/.
2016-04-08 09:51:06 -04:00
Jon Dufresne
dec334cb66
Fixed #26193 -- Made urlize() trim multiple trailing punctuation.
2016-02-15 09:10:15 -05:00
Iacopo Spalletti
d693074d43
Fixed #20223 -- Added keep_lazy() as a replacement for allow_lazy().
...
Thanks to bmispelon and uruz for the initial patch.
2015-12-12 14:46:48 -05:00
Tim Graham
222d063301
Refs #23269 -- Removed the removetags template tag and related functions per deprecation timeline.
2015-09-23 19:31:09 -04:00
Maxime Lorant
5153a3bfdc
Fixed #25331 -- Removed trailing blank lines in docstrings.
2015-08-31 17:37:21 -04:00
Tim Graham
aaacaeb096
Renamed RemovedInDjangoXYWarnings for new roadmap.
...
Forwardport of ae1d663b79
from stable/1.8.x plus more.
2015-06-24 16:08:20 -04:00
Tim Graham
47fcbe506c
Fixed flake8 warnings on Python 3.
2015-06-15 11:27:09 -04:00
Moritz Sichert
1f2abf784a
Fixed #24469 -- Refined escaping of Django's form elements in non-Django templates.
2015-03-27 19:46:20 -04:00
Tim Graham
1c83fc88d6
Fixed an infinite loop possibility in strip_tags().
...
This is a security fix; disclosure to follow shortly.
2015-03-18 19:20:07 -04:00
Tim Graham
3ed9c7bdfe
Fixed #24471 -- Enhanced urlize regex to exclude quotes and angle brackets.
2015-03-10 19:24:46 -04:00
Tim Graham
7b1a67cce5
Fixed escaping regression in urlize filter.
...
Now that the URL is always unescaped as of refs #22267 ,
we should re-escape it before inserting it into the anchor.
2015-03-10 18:58:34 -04:00
Claude Paroz
ec808e807a
Fixed urlize regression with entities in query strings
...
Refs #22267 .
Thanks Shai Berger for spotting the issue and Tim Graham for the
initial patch.
2015-03-06 22:20:14 +01:00
Tim Graham
0ed7d15563
Sorted imports with isort; refs #23860 .
2015-02-06 08:16:28 -05:00
Tim Graham
fed25f1105
Removed compatibility with Python 3.2.
2015-01-17 09:00:17 -05:00
Aymeric Augustin
6d52f6f8e6
Fixed #23831 -- Supported strings escaped by third-party libs in Django.
...
Refs #7261 -- Made strings escaped by Django usable in third-party libs.
The changes in mark_safe and mark_for_escaping are straightforward. The
more tricky part is to handle correctly objects that implement __html__.
Historically escape() has escaped SafeData. Even if that doesn't seem a
good behavior, changing it would create security concerns. Therefore
support for __html__() was only added to conditional_escape() where this
concern doesn't exist.
Then using conditional_escape() instead of escape() in the Django
template engine makes it understand data escaped by other libraries.
Template filter |escape accounts for __html__() when it's available.
|force_escape forces the use of Django's HTML escaping implementation.
Here's why the change in render_value_in_context() is safe. Before Django
1.7 conditional_escape() was implemented as follows:
if isinstance(text, SafeData):
return text
else:
return escape(text)
render_value_in_context() never called escape() on SafeData. Therefore
replacing escape() with conditional_escape() doesn't change the
autoescaping logic as it was originally intended.
This change should be backported to Django 1.7 because it corrects a
feature added in Django 1.7.
Thanks mitsuhiko for the report.
2014-12-27 18:02:34 +01:00
Jon Dufresne
4468c08d70
Fixed #23968 -- Replaced list comprehension with generators and dict comprehension
2014-12-08 07:58:23 -05:00
Berker Peksag
560b4207b1
Removed redundant numbered parameters from str.format().
...
Since Python 2.7 and 3.1, "{0} {1}" is equivalent to "{} {}".
2014-12-03 14:27:38 -05:00
Markus Holtermann
ed2f96819c
Fixed #23715 -- Prevented urlize from treating a trailing ! as part of an URL
...
Thanks to 57even for the report.
2014-10-31 08:06:40 -04:00
Jon Dufresne
54e695331b
Fixed #20221 -- Allowed some functions that use mark_safe() to result in SafeText.
...
Thanks Baptiste Mispelon for the report.
2014-10-20 17:08:29 -04:00