Refs #24469 -- Fixed escaping of forms, fields, and media in non-Django templates.
This commit is contained in:
parent
465edf2bb2
commit
6bff343989
|
@ -122,6 +122,9 @@ class BaseForm(object):
|
||||||
fields.update(self.fields) # add remaining fields in original order
|
fields.update(self.fields) # add remaining fields in original order
|
||||||
self.fields = fields
|
self.fields = fields
|
||||||
|
|
||||||
|
def __html__(self):
|
||||||
|
return force_text(self)
|
||||||
|
|
||||||
def __str__(self):
|
def __str__(self):
|
||||||
return self.as_table()
|
return self.as_table()
|
||||||
|
|
||||||
|
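Review bot: The new `__html__` on BaseForm carries no comment on the contract it enters into: an object that answers `__html__` tells MarkupSafe-style engines (Jinja2 among them) that its string form is already-safe HTML and must not be autoescaped, so the method is only safe as long as `__str__` → `as_table()` keeps escaping labels, help text and bound values itself. A short docstring would make that dependency visible to whoever next edits `__str__`, e.g. `"""Return the rendered form for engines honouring the __html__ protocol (e.g. Jinja2), which skip autoescaping on it; relies on as_table() escaping all user-supplied content."""`. The identical `__html__` methods added to BoundField and Media in the next two hunks warrant the same note. Whether `force_text` is already imported in these modules is not visible here, and BaseForm's body continues outside this hunk.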
@ -518,6 +521,9 @@ class BoundField(object):
|
||||||
self.help_text = field.help_text or ''
|
self.help_text = field.help_text or ''
|
||||||
self._initial_value = UNSET
|
self._initial_value = UNSET
|
||||||
|
|
||||||
|
def __html__(self):
|
||||||
|
return force_text(self)
|
||||||
|
|
||||||
def __str__(self):
|
def __str__(self):
|
||||||
"""Renders this field as an HTML widget."""
|
"""Renders this field as an HTML widget."""
|
||||||
if self.field.show_hidden_initial:
|
if self.field.show_hidden_initial:
|
||||||
|
|
|
@ -51,6 +51,9 @@ class Media(object):
|
||||||
for name in MEDIA_TYPES:
|
for name in MEDIA_TYPES:
|
||||||
getattr(self, 'add_' + name)(media_attrs.get(name, None))
|
getattr(self, 'add_' + name)(media_attrs.get(name, None))
|
||||||
|
|
||||||
|
def __html__(self):
|
||||||
|
return force_text(self)
|
||||||
|
|
||||||
def __str__(self):
|
def __str__(self):
|
||||||
return self.render()
|
return self.render()
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,5 @@
|
||||||
|
{{ media }}
|
||||||
|
|
||||||
|
{{ test_form }}
|
||||||
|
|
||||||
|
{{ test_form.test_field }}
|
|
@ -0,0 +1,5 @@
|
||||||
|
{{ media }}
|
||||||
|
|
||||||
|
{{ test_form }}
|
||||||
|
|
||||||
|
{{ test_form.test_field }}
|
|
@ -2,6 +2,7 @@
|
||||||
|
|
||||||
from __future__ import unicode_literals
|
from __future__ import unicode_literals
|
||||||
|
|
||||||
|
from django.forms import CharField, Form, Media
|
||||||
from django.http import HttpRequest
|
from django.http import HttpRequest
|
||||||
from django.middleware.csrf import CsrfViewMiddleware, get_token
|
from django.middleware.csrf import CsrfViewMiddleware, get_token
|
||||||
from django.template import TemplateDoesNotExist, TemplateSyntaxError
|
from django.template import TemplateDoesNotExist, TemplateSyntaxError
|
||||||
|
@ -43,7 +44,7 @@ class TemplateStringsTests(SimpleTestCase):
|
||||||
# There's no way to trigger a syntax error with the dummy backend.
|
# There's no way to trigger a syntax error with the dummy backend.
|
||||||
# The test still lives here to factor it between other backends.
|
# The test still lives here to factor it between other backends.
|
||||||
if self.backend_name == 'dummy':
|
if self.backend_name == 'dummy':
|
||||||
return
|
self.skipTest("test doesn't apply to dummy backend")
|
||||||
with self.assertRaises(TemplateSyntaxError):
|
with self.assertRaises(TemplateSyntaxError):
|
||||||
self.engine.get_template('template_backends/syntax_error.html')
|
self.engine.get_template('template_backends/syntax_error.html')
|
||||||
|
|
||||||
|
@ -55,6 +56,22 @@ class TemplateStringsTests(SimpleTestCase):
|
||||||
self.assertIn('<script>', content)
|
self.assertIn('<script>', content)
|
||||||
self.assertNotIn('<script>', content)
|
self.assertNotIn('<script>', content)
|
||||||
|
|
||||||
|
def test_django_html_escaping(self):
|
||||||
|
if self.backend_name == 'dummy':
|
||||||
|
self.skipTest("test doesn't apply to dummy backend")
|
||||||
|
|
||||||
|
class TestForm(Form):
|
||||||
|
test_field = CharField()
|
||||||
|
|
||||||
|
media = Media(js=['my-script.js'])
|
||||||
|
form = TestForm()
|
||||||
|
template = self.engine.get_template('template_backends/django_escaping.html')
|
||||||
|
content = template.render({'media': media, 'test_form': form})
|
||||||
|
|
||||||
|
expected = '{}\n\n{}\n\n{}'.format(media, form, form['test_field'])
|
||||||
|
|
||||||
|
self.assertHTMLEqual(content, expected)
|
||||||
|
|
||||||
def test_csrf_token(self):
|
def test_csrf_token(self):
|
||||||
request = HttpRequest()
|
request = HttpRequest()
|
||||||
CsrfViewMiddleware().process_view(request, lambda r: None, (), {})
|
CsrfViewMiddleware().process_view(request, lambda r: None, (), {})
|
||||||
|
|
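Review bot: `test_django_html_escaping` only proves that the backend does not re-escape the objects, because `expected` is built from the same `str()` output the template renders; it never checks that content inside the form is still escaped, which is exactly the property `__html__` now vouches for to non-Django engines. Binding a value containing markup would pin both halves of the guarantee: `form = TestForm({'test_field': '<b>'})` in place of the unbound construction, plus `self.assertIn('&lt;b&gt;', content)` before the `assertHTMLEqual`. The enclosing TemplateStringsTests class, and whatever sets `backend_name` per backend, lie outside the hunk.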