From 0349d83289f0d88069eccfead78b71da8e158d41 Mon Sep 17 00:00:00 2001
From: Malcolm Tredinnick <malcolm.tredinnick@gmail.com>
Date: Sat, 15 Nov 2008 01:16:20 +0000
Subject: [PATCH] Fixed #6948 -- The join filter was escaping the literal value
 that was passed in for the connector. This was contrary to what the
 documentation for autoescaping said and to what every other filter does with
 literal strings as arguments.

This is backwards incompatible for the situation of the literal string
containing one of the five special HTML characters: if you were writing
{{ foo|join:"&" }}, you now have to write {{ foo| join:"&amp;" }}.
Previous behaviour was, as noted, a bug and contrary to what was
documented and expected.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@9442 bcc190cf-cafb-0310-a4f2-bffc1f526a37
---
 django/template/defaultfilters.py          | 35 +++++++++++-----------
 tests/regressiontests/templates/filters.py |  7 ++++-
 2 files changed, 24 insertions(+), 18 deletions(-)

diff --git a/django/template/defaultfilters.py b/django/template/defaultfilters.py
index 9734124c885..15434c7477c 100644
--- a/django/template/defaultfilters.py
+++ b/django/template/defaultfilters.py
@@ -99,10 +99,10 @@ fix_ampersands = stringfilter(fix_ampersands)
 
 # Values for testing floatformat input against infinity and NaN representations,
 # which differ across platforms and Python versions.  Some (i.e. old Windows
-# ones) are not recognized by Decimal but we want to return them unchanged vs. 
+# ones) are not recognized by Decimal but we want to return them unchanged vs.
 # returning an empty string as we do for completley invalid input.  Note these
-# need to be built up from values that are not inf/nan, since inf/nan values do 
-# not reload properly from .pyc files on Windows prior to some level of Python 2.5 
+# need to be built up from values that are not inf/nan, since inf/nan values do
+# not reload properly from .pyc files on Windows prior to some level of Python 2.5
 # (see Python Issue757815 and Issue1080440).
 pos_inf = 1e200 * 1e200
 neg_inf = -1e200 * 1e200
@@ -136,11 +136,11 @@ def floatformat(text, arg=-1):
     * {{ num1|floatformat:"-3" }} displays "34.232"
     * {{ num2|floatformat:"-3" }} displays "34"
     * {{ num3|floatformat:"-3" }} displays "34.260"
-    
+
     If the input float is infinity or NaN, the (platform-dependent) string
     representation of that value will be displayed.
     """
-        
+
     try:
         input_val = force_unicode(text)
         d = Decimal(input_val)
@@ -155,15 +155,15 @@ def floatformat(text, arg=-1):
         p = int(arg)
     except ValueError:
         return input_val
-    
+
     try:
         m = int(d) - d
     except (OverflowError, InvalidOperation):
         return input_val
-    
+
     if not m and p < 0:
         return mark_safe(u'%d' % (int(d)))
-    
+
     if p == 0:
         exp = Decimal(1)
     else:
@@ -481,19 +481,20 @@ def first(value):
         return u''
 first.is_safe = False
 
-def join(value, arg):
-    """Joins a list with a string, like Python's ``str.join(list)``."""
+def join(value, arg, autoescape=None):
+    """
+    Joins a list with a string, like Python's ``str.join(list)``.
+    """
+    if autoescape:
+        from django.utils.html import conditional_escape
+        value = [conditional_escape(v) for v in value]
     try:
-        data = arg.join(map(force_unicode, value))
+        data = arg.join(value)
     except AttributeError: # fail silently but nicely
         return value
-    safe_args = reduce(lambda lhs, rhs: lhs and isinstance(rhs, SafeData),
-            value, True)
-    if safe_args:
-        return mark_safe(data)
-    else:
-        return data
+    return mark_safe(data)
 join.is_safe = True
+join.needs_autoescape = True
 
 def last(value):
     "Returns the last item in a list"
diff --git a/tests/regressiontests/templates/filters.py b/tests/regressiontests/templates/filters.py
index d69a885822a..5bc6430834b 100644
--- a/tests/regressiontests/templates/filters.py
+++ b/tests/regressiontests/templates/filters.py
@@ -277,9 +277,14 @@ def get_filter_tests():
 
         'escapejs01': (r'{{ a|escapejs }}', {'a': 'testing\r\njavascript \'string" <b>escaping</b>'}, 'testing\\x0D\\x0Ajavascript \\x27string\\x22 \\x3Cb\\x3Eescaping\\x3C/b\\x3E'),
         'escapejs02': (r'{% autoescape off %}{{ a|escapejs }}{% endautoescape %}', {'a': 'testing\r\njavascript \'string" <b>escaping</b>'}, 'testing\\x0D\\x0Ajavascript \\x27string\\x22 \\x3Cb\\x3Eescaping\\x3C/b\\x3E'),
-        
+
         # Boolean return value from length_is should not be coerced to a string
         'lengthis01': (r'{% if "X"|length_is:0 %}Length is 0{% else %}Length not 0{% endif %}', {}, 'Length not 0'),
         'lengthis02': (r'{% if "X"|length_is:1 %}Length is 1{% else %}Length not 1{% endif %}', {}, 'Length is 1'),
+
+        'join01': (r'{{ a|join:", " }}', {'a': ['alpha', 'beta & me']}, 'alpha, beta &amp; me'),
+        'join02': (r'{% autoescape off %}{{ a|join:", " }}{% endautoescape %}', {'a': ['alpha', 'beta & me']}, 'alpha, beta & me'),
+        'join03': (r'{{ a|join:" &amp; " }}', {'a': ['alpha', 'beta & me']}, 'alpha &amp; beta &amp; me'),
+        'join04': (r'{% autoescape off %}{{ a|join:" &amp; " }}{% endautoescape %}', {'a': ['alpha', 'beta & me']}, 'alpha &amp; beta & me'),
     }