Fixed #20221 -- Allowed some functions that use mark_safe() to result in SafeText.

Thanks Baptiste Mispelon for the report.
This commit is contained in:
Jon Dufresne 2014-10-15 18:03:40 -07:00 committed by Tim Graham
parent 4fe6824ffd
commit 54e695331b
3 changed files with 21 additions and 5 deletions

View File

@ -10,7 +10,7 @@ from django.utils.deprecation import RemovedInDjango20Warning
from django.utils.encoding import force_text, force_str from django.utils.encoding import force_text, force_str
from django.utils.functional import allow_lazy from django.utils.functional import allow_lazy
from django.utils.http import RFC3986_GENDELIMS, RFC3986_SUBDELIMS from django.utils.http import RFC3986_GENDELIMS, RFC3986_SUBDELIMS
from django.utils.safestring import SafeData, mark_safe from django.utils.safestring import SafeData, SafeText, mark_safe
from django.utils import six from django.utils import six
from django.utils.six.moves.urllib.parse import parse_qsl, quote, unquote, urlencode, urlsplit, urlunsplit from django.utils.six.moves.urllib.parse import parse_qsl, quote, unquote, urlencode, urlsplit, urlunsplit
from django.utils.text import normalize_newlines from django.utils.text import normalize_newlines
@ -47,7 +47,7 @@ def escape(text):
""" """
return mark_safe(force_text(text).replace('&', '&amp;').replace('<', '&lt;') return mark_safe(force_text(text).replace('&', '&amp;').replace('<', '&lt;')
.replace('>', '&gt;').replace('"', '&quot;').replace("'", '&#39;')) .replace('>', '&gt;').replace('"', '&quot;').replace("'", '&#39;'))
escape = allow_lazy(escape, six.text_type) escape = allow_lazy(escape, six.text_type, SafeText)
_js_escapes = { _js_escapes = {
ord('\\'): '\\u005C', ord('\\'): '\\u005C',
@ -70,7 +70,7 @@ _js_escapes.update((ord('%c' % z), '\\u%04X' % z) for z in range(32))
def escapejs(value): def escapejs(value):
"""Hex encodes characters for use in JavaScript strings.""" """Hex encodes characters for use in JavaScript strings."""
return mark_safe(force_text(value).translate(_js_escapes)) return mark_safe(force_text(value).translate(_js_escapes))
escapejs = allow_lazy(escapejs, six.text_type) escapejs = allow_lazy(escapejs, six.text_type, SafeText)
def conditional_escape(text): def conditional_escape(text):

View File

@ -12,7 +12,7 @@ from django.utils.functional import allow_lazy, SimpleLazyObject
from django.utils import six from django.utils import six
from django.utils.six.moves import html_entities from django.utils.six.moves import html_entities
from django.utils.translation import ugettext_lazy, ugettext as _, pgettext from django.utils.translation import ugettext_lazy, ugettext as _, pgettext
from django.utils.safestring import mark_safe from django.utils.safestring import SafeText, mark_safe
if six.PY2: if six.PY2:
# Import force_unicode even though this module doesn't use it, because some # Import force_unicode even though this module doesn't use it, because some
@ -442,10 +442,11 @@ def slugify(value):
underscores) and converts spaces to hyphens. Also strips leading and underscores) and converts spaces to hyphens. Also strips leading and
trailing whitespace. trailing whitespace.
""" """
value = force_text(value)
value = unicodedata.normalize('NFKD', value).encode('ascii', 'ignore').decode('ascii') value = unicodedata.normalize('NFKD', value).encode('ascii', 'ignore').decode('ascii')
value = re.sub('[^\w\s-]', '', value).strip().lower() value = re.sub('[^\w\s-]', '', value).strip().lower()
return mark_safe(re.sub('[-\s]+', '-', value)) return mark_safe(re.sub('[-\s]+', '-', value))
slugify = allow_lazy(slugify, six.text_type) slugify = allow_lazy(slugify, six.text_type, SafeText)
def camel_case_to_spaces(value): def camel_case_to_spaces(value):

View File

@ -6,6 +6,8 @@ from django.utils.encoding import force_text, force_bytes
from django.utils.functional import lazy from django.utils.functional import lazy
from django.utils.safestring import mark_safe, mark_for_escaping, SafeData, EscapeData from django.utils.safestring import mark_safe, mark_for_escaping, SafeData, EscapeData
from django.utils import six from django.utils import six
from django.utils import text
from django.utils import html
lazystr = lazy(force_text, six.text_type) lazystr = lazy(force_text, six.text_type)
lazybytes = lazy(force_bytes, bytes) lazybytes = lazy(force_bytes, bytes)
@ -47,3 +49,16 @@ class SafeStringTest(TestCase):
def test_html(self): def test_html(self):
s = '<h1>interop</h1>' s = '<h1>interop</h1>'
self.assertEqual(s, mark_safe(s).__html__()) self.assertEqual(s, mark_safe(s).__html__())
def test_add_lazy_safe_text_and_safe_text(self):
s = html.escape(lazystr('a'))
s += mark_safe('&b')
self.assertRenderEqual('{{ s }}', 'a&b', s=s)
s = html.escapejs(lazystr('a'))
s += mark_safe('&b')
self.assertRenderEqual('{{ s }}', 'a&b', s=s)
s = text.slugify(lazystr('a'))
s += mark_safe('&b')
self.assertRenderEqual('{{ s }}', 'a&b', s=s)