Fixed #7177 -- Added extra robustness to the escapejs filter so that all
invalid characters are correctly escaped. This avoids any chance to inject raw HTML inside <script> tags. Thanks to Mike Wiacek for the patch and Collin Grady for the tests. git-svn-id: http://code.djangoproject.com/svn/django/trunk@8577 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
parent
fcf059d539
commit
8c4a525871
@ -62,20 +62,24 @@ def capfirst(value):
capfirst.is_safe=True
capfirst.is_safe=True
capfirst = stringfilter(capfirst)
capfirst = stringfilter(capfirst)
_js_escapes = (
_base_js_escapes = (
('\\', '\\\\'),
('\\', r'\x5C'),
('"', '\\"'),
('\'', r'\x27'),
("'", "\\'"),
('"', r'\x22'),
('\n', '\\n'),
('>', r'\x3E'),
('\r', '\\r'),
('<', r'\x3C'),
('\b', '\\b'),
('&', r'\x26'),
('\f', '\\f'),
('=', r'\x3D'),
('\t', '\\t'),
('-', r'\x2D'),
('\v', '\\v'),
(';', r'\x3B')
('</', '<\\/'),
)
)
# Escape every ASCII character with a value less than 32.
_js_escapes = (_base_js_escapes +
tuple([('%c' % z, '\\x%02X' % z) for z in range(32)]))
def escapejs(value):
def escapejs(value):
"""Backslash-escapes characters for use in JavaScript strings."""
"""Hex encodes characters for use in JavaScript strings."""
for bad, good in _js_escapes:
for bad, good in _js_escapes:
value = value.replace(bad, good)
value = value.replace(bad, good)
return value
return value
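Review bot: The order of `_base_js_escapes` is load-bearing and nothing in the hunk says so: the `('\\', r'\x5C')` pair must stay first, because every later pair (and every control-character pair appended from `range(32)`) inserts a backslash that a subsequent backslash pass would rewrite into `\x5Cx27`-style garbage. I would put `# Order matters: the backslash pair must stay first, since every other replacement introduces a backslash.` above the tuple. The docstring could also say what the output is safe for: the table covers backslash, both quotes, `<>&=-;` and code points below 32 only, so anything outside it (DEL, the Unicode line separators U+2028/U+2029 that older JavaScript engines treat as line terminators) passes through unchanged, and the result is only intended for use inside a quoted JavaScript string literal, not as an HTML attribute value. The `stringfilter`/`is_safe` registration for `escapejs` falls outside the hunk.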
@ -262,5 +262,8 @@ def get_filter_tests():
'autoescape-stringfilter02': (r'{% autoescape off %}{{ unsafe|capfirst }}{% endautoescape %}', {'unsafe': UnsafeClass()}, 'You & me'),
'autoescape-stringfilter02': (r'{% autoescape off %}{{ unsafe|capfirst }}{% endautoescape %}', {'unsafe': UnsafeClass()}, 'You & me'),
'autoescape-stringfilter03': (r'{{ safe|capfirst }}', {'safe': SafeClass()}, 'You > me'),
'autoescape-stringfilter03': (r'{{ safe|capfirst }}', {'safe': SafeClass()}, 'You > me'),
'autoescape-stringfilter04': (r'{% autoescape off %}{{ safe|capfirst }}{% endautoescape %}', {'safe': SafeClass()}, 'You > me'),
'autoescape-stringfilter04': (r'{% autoescape off %}{{ safe|capfirst }}{% endautoescape %}', {'safe': SafeClass()}, 'You > me'),
'escapejs01': (r'{{ a|escapejs }}', {'a': 'testing\r\njavascript \'string" <b>escaping</b>'}, 'testing\\x0D\\x0Ajavascript \\x27string\\x22 \\x3Cb\\x3Eescaping\\x3C/b\\x3E'),
'escapejs02': (r'{% autoescape off %}{{ a|escapejs }}{% endautoescape %}', {'a': 'testing\r\njavascript \'string" <b>escaping</b>'}, 'testing\\x0D\\x0Ajavascript \\x27string\\x22 \\x3Cb\\x3Eescaping\\x3C/b\\x3E'),
}
}
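Review bot: Neither new test exercises the backslash pair, which is the entry whose position in `_js_escapes` is load-bearing, nor `&`, `=`, `-` or `;`; `escapejs01` and `escapejs02` only cover `\r\n`, the two quote characters and `<`/`>`. A third case would pin the rest of the table, e.g. `'escapejs03': (r'{{ a|escapejs }}', {'a': 'a\\b&c=d-e;'}, 'a\\x5Cb\\x26c\\x3Dd\\x2De\\x3B'),` (expected value constructed from the table in the other hunk). `get_filter_tests` starts before this hunk.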