p15693087
/
django
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Refs #24469 -- Fixed escaping of forms, fields, and media in non-Django templates.

This commit is contained in:
Moritz Sichert 2015-03-10 21:21:28 +01:00 committed by Tim Graham
parent 465edf2bb2
commit 6bff343989
5 changed files with 37 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
django/forms/forms.py
View File

@ -122,6 +122,9 @@ class BaseForm(object):
fields.update(self.fields) # add remaining fields in original order fields.update(self.fields) # add remaining fields in original order
self.fields = fields self.fields = fields
def __html__(self):
return force_text(self)
def __str__(self): def __str__(self):
return self.as_table() return self.as_table()
@ -518,6 +521,9 @@ class BoundField(object):
self.help_text = field.help_text or '' self.help_text = field.help_text or ''
self._initial_value = UNSET self._initial_value = UNSET
def __html__(self):
return force_text(self)
def __str__(self): def __str__(self):
"""Renders this field as an HTML widget.""" """Renders this field as an HTML widget."""
if self.field.show_hidden_initial: if self.field.show_hidden_initial:

3
django/forms/widgets.py
View File

@ -51,6 +51,9 @@ class Media(object):
for name in MEDIA_TYPES: for name in MEDIA_TYPES:
getattr(self, 'add_' + name)(media_attrs.get(name, None)) getattr(self, 'add_' + name)(media_attrs.get(name, None))
def __html__(self):
return force_text(self)
def __str__(self): def __str__(self):
return self.render() return self.render()

5
tests/template_backends/jinja2/template_backends/django_escaping.html Normal file
View File

@ -0,0 +1,5 @@
{{ media }}
{{ test_form }}
{{ test_form.test_field }}

5
tests/template_backends/templates/template_backends/django_escaping.html Normal file
View File

@ -0,0 +1,5 @@
{{ media }}
{{ test_form }}
{{ test_form.test_field }}

19
tests/template_backends/test_dummy.py
View File

@ -2,6 +2,7 @@
from __future__ import unicode_literals from __future__ import unicode_literals
from django.forms import CharField, Form, Media
from django.http import HttpRequest from django.http import HttpRequest
from django.middleware.csrf import CsrfViewMiddleware, get_token from django.middleware.csrf import CsrfViewMiddleware, get_token
from django.template import TemplateDoesNotExist, TemplateSyntaxError from django.template import TemplateDoesNotExist, TemplateSyntaxError
@ -43,7 +44,7 @@ class TemplateStringsTests(SimpleTestCase):
# There's no way to trigger a syntax error with the dummy backend. # There's no way to trigger a syntax error with the dummy backend.
# The test still lives here to factor it between other backends. # The test still lives here to factor it between other backends.
if self.backend_name == 'dummy': if self.backend_name == 'dummy':
return self.skipTest("test doesn't apply to dummy backend")
with self.assertRaises(TemplateSyntaxError): with self.assertRaises(TemplateSyntaxError):
self.engine.get_template('template_backends/syntax_error.html') self.engine.get_template('template_backends/syntax_error.html')
@ -55,6 +56,22 @@ class TemplateStringsTests(SimpleTestCase):
self.assertIn('<script>', content) self.assertIn('<script>', content)
self.assertNotIn('<script>', content) self.assertNotIn('<script>', content)
def test_django_html_escaping(self):
if self.backend_name == 'dummy':
self.skipTest("test doesn't apply to dummy backend")
class TestForm(Form):
test_field = CharField()
media = Media(js=['my-script.js'])
form = TestForm()
template = self.engine.get_template('template_backends/django_escaping.html')
content = template.render({'media': media, 'test_form': form})
expected = '{}\n\n{}\n\n{}'.format(media, form, form['test_field'])
self.assertHTMLEqual(content, expected)
def test_csrf_token(self): def test_csrf_token(self):
request = HttpRequest() request = HttpRequest()
CsrfViewMiddleware().process_view(request, lambda r: None, (), {}) CsrfViewMiddleware().process_view(request, lambda r: None, (), {})