Commit Graph

19 Commits

Author SHA1 Message Date
Shai Berger 5112e65ef2 Fixed #20869 -- made CSRF tokens change every request by salt-encrypting them
Note that the cookie is not changed every request, just the token retrieved
by the `get_token()` method (used also by the `{% csrf_token %}` tag).

While at it, made token validation strict: Where, before, any length was
accepted and non-ASCII chars were ignored, we now treat anything other than
`[A-Za-z0-9]{64}` as invalid (except for 32-char tokens, which, for
backwards-compatibility, are accepted and replaced by 64-char ones).

Thanks Trac user patrys for reporting, github user adambrenecki
for initial patch, Tim Graham for help, and Curtis Maloney,
Collin Anderson, Florian Apolloner, Markus Holtermann & Jon Dufresne
for reviews.
2016-05-19 05:02:19 +03:00
Aaron Elliot Ross 19a5f6da32 Fixed #25469 -- Added autoescape option to DjangoTemplates backend.
Thanks Aymeric for the initial patch and Carl for review.
2015-11-12 19:14:23 -05:00
Tim Graham 9114fe8ada Removed support for passing a context to a generic Template.render().
Per deprecation timeline; refs a3e783fe11.
2015-09-23 19:31:11 -04:00
Tim Graham aaacaeb096 Renamed RemovedInDjangoXYWarnings for new roadmap.
Forwardport of ae1d663b79
from stable/1.8.x plus more.
2015-06-24 16:08:20 -04:00
Preston Timmons 655f524915 Fixed #17085, #24783 -- Refactored template library registration.
* Converted the ``libraries`` and ``builtins`` globals of
  ``django.template.base`` into properties of the Engine class.
* Added a public API for explicit registration of libraries and builtins.
2015-05-21 09:12:06 -05:00
Simon Charette ead36e8a47 Refs #24652 -- Made sure template backend tests call their super setUpClass. 2015-05-20 12:50:40 -04:00
Preston Timmons adff499e47 Fixed #24119, #24120 -- Formalized debug integration for template backends. 2015-05-06 17:33:47 -05:00
Aymeric Augustin 1563b897c4 Fixed #24685 -- Fixed check for template name unicity.
Thanks Preston Timmons for the report.
2015-05-03 21:49:16 +02:00
Tim Graham a184a99123 Refs #24538 -- Simplified a test per Aymeric's feedback. 2015-04-01 13:08:43 -04:00
Tim Heap 4ea1909d3c Fixed #24538 -- Allowed self in Jinja context
Rendering a Jinja template with self in the context threw an error.
While self is a reserved variable in Jinja, including self in the
context is not an error, so Django should respect that.
2015-04-01 12:26:57 -04:00
Moritz Sichert 6bff343989 Refs #24469 -- Fixed escaping of forms, fields, and media in non-Django templates. 2015-03-18 09:11:01 -04:00
Tim Graham 0ed7d15563 Sorted imports with isort; refs #23860. 2015-02-06 08:16:28 -05:00
Aymeric Augustin 44ad691558 Fixed #24265 -- Preserved template backend loading exceptions.
If importing or initializing a template backend fails, attempting to
access this template backend again must raise the same exception.
2015-02-05 20:06:18 +01:00
Tim Graham fed25f1105 Removed compatibility with Python 3.2. 2015-01-17 09:00:17 -05:00
Aymeric Augustin a3e783fe11 Deprecated passing a Context to a generic Template.render.
A deprecation path is required because the return type of
django.template.loader.get_template changed during the
multiple template engines refactor.

test_csrf_token_in_404 was incorrect: it tested the case when the
hardcoded template was rendered, and that template doesn't depend on the
CSRF token. This commit makes it test the case when a custom template is
rendered.
2015-01-12 21:01:34 +01:00
Aymeric Augustin 71b7668b75 Rewrapped TemplateSyntaxError in Jinja2 backend.
Changed import style to avoid confusion between Django's and Jinja2's
APIs.
2015-01-12 21:01:34 +01:00
Aymeric Augustin 0cdb09d489 Made context take priority over context processors.
This is the expected behavior, but given RequestContext's tortuous
implementation, a straightforward use of its API results in the
opposite.

This commits fixes a regression that must have happened at different
points in the multiple templates engine refactor for different features.
2015-01-06 22:02:27 +01:00
Tim Graham 40ccef16cb Silenced an ImportWarning in the template_backends tests. 2015-01-01 14:28:53 -05:00
Aymeric Augustin 332154e726 Added basic tests for template backends. 2014-12-28 16:23:00 +01:00