diff --git a/django/template/__init__.py b/django/template/__init__.py index 66c415a8c41..203b5e7582a 100644 --- a/django/template/__init__.py +++ b/django/template/__init__.py @@ -538,8 +538,6 @@ class FilterExpression(object): var_obj = None elif var is None: raise TemplateSyntaxError("Could not find variable at start of %s." % token) - elif var.find(VARIABLE_ATTRIBUTE_SEPARATOR + '_') > -1 or var[0] == '_': - raise TemplateSyntaxError("Variables and attributes may not begin with underscores: '%s'" % var) else: var_obj = Variable(var) else: @@ -698,6 +696,8 @@ class Variable(object): except ValueError: # Otherwise we'll set self.lookups so that resolve() knows we're # dealing with a bonafide variable + if var.find(VARIABLE_ATTRIBUTE_SEPARATOR + '_') > -1 or var[0] == '_': + raise TemplateSyntaxError("Variables and attributes may not begin with underscores: '%s'" % var) self.lookups = tuple(var.split(VARIABLE_ATTRIBUTE_SEPARATOR)) def resolve(self, context): diff --git a/tests/regressiontests/templates/parser.py b/tests/regressiontests/templates/parser.py index 9e6ad2166e7..4db54556ed6 100644 --- a/tests/regressiontests/templates/parser.py +++ b/tests/regressiontests/templates/parser.py @@ -76,6 +76,13 @@ u"Some 'Bad' News" [] >>> fe.var u'Some "Good" News' + +Filtered variables should reject access of attributes beginning with underscores. + +>>> FilterExpression('article._hidden|upper', p) +Traceback (most recent call last): +... +TemplateSyntaxError: Variables and attributes may not begin with underscores: 'article._hidden' """ variable_parsing = r""" @@ -105,4 +112,10 @@ u'Some "Good" News' >>> Variable(ur"'Some \'Better\' News'").resolve(c) u"Some 'Better' News" +Variables should reject access of attributes beginning with underscores. + +>>> Variable('article._hidden') +Traceback (most recent call last): +... +TemplateSyntaxError: Variables and attributes may not begin with underscores: 'article._hidden' """