test0908
/
django
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Fixed #7177 -- Added extra robustness to the escapejs filter so that all 

invalid characters are correctly escaped. This avoids any chance to inject raw
HTML inside <script> tags. Thanks to Mike Wiacek for the patch and Collin Grady
for the tests.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@8577 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
Malcolm Tredinnick 2008-08-26 07:56:32 +00:00
parent fcf059d539
commit 8c4a525871
2 changed files with 19 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
django/template/defaultfilters.py
View File

@ -62,20 +62,24 @@ def capfirst(value):
capfirst.is_safe=True capfirst.is_safe=True
capfirst = stringfilter(capfirst) capfirst = stringfilter(capfirst)
_js_escapes = ( _base_js_escapes = (
('\\', '\\\\'), ('\\', r'\x5C'),
('"', '\\"'), ('\'', r'\x27'),
("'", "\\'"), ('"', r'\x22'),
('\n', '\\n'), ('>', r'\x3E'),
('\r', '\\r'), ('<', r'\x3C'),
('\b', '\\b'), ('&', r'\x26'),
('\f', '\\f'), ('=', r'\x3D'),
('\t', '\\t'), ('-', r'\x2D'),
('\v', '\\v'), (';', r'\x3B')
('</', '<\\/'),
) )
# Escape every ASCII character with a value less than 32.
_js_escapes = (_base_js_escapes +
tuple([('%c' % z, '\\x%02X' % z) for z in range(32)]))
def escapejs(value): def escapejs(value):
"""Backslash-escapes characters for use in JavaScript strings.""" """Hex encodes characters for use in JavaScript strings."""
for bad, good in _js_escapes: for bad, good in _js_escapes:
value = value.replace(bad, good) value = value.replace(bad, good)
return value return value

3
tests/regressiontests/templates/filters.py
View File

@ -262,5 +262,8 @@ def get_filter_tests():
'autoescape-stringfilter02': (r'{% autoescape off %}{{ unsafe|capfirst }}{% endautoescape %}', {'unsafe': UnsafeClass()}, 'You & me'), 'autoescape-stringfilter02': (r'{% autoescape off %}{{ unsafe|capfirst }}{% endautoescape %}', {'unsafe': UnsafeClass()}, 'You & me'),
'autoescape-stringfilter03': (r'{{ safe|capfirst }}', {'safe': SafeClass()}, 'You &gt; me'), 'autoescape-stringfilter03': (r'{{ safe|capfirst }}', {'safe': SafeClass()}, 'You &gt; me'),
'autoescape-stringfilter04': (r'{% autoescape off %}{{ safe|capfirst }}{% endautoescape %}', {'safe': SafeClass()}, 'You &gt; me'), 'autoescape-stringfilter04': (r'{% autoescape off %}{{ safe|capfirst }}{% endautoescape %}', {'safe': SafeClass()}, 'You &gt; me'),
'escapejs01': (r'{{ a|escapejs }}', {'a': 'testing\r\njavascript \'string" <b>escaping</b>'}, 'testing\\x0D\\x0Ajavascript \\x27string\\x22 \\x3Cb\\x3Eescaping\\x3C/b\\x3E'),
'escapejs02': (r'{% autoescape off %}{{ a|escapejs }}{% endautoescape %}', {'a': 'testing\r\njavascript \'string" <b>escaping</b>'}, 'testing\\x0D\\x0Ajavascript \\x27string\\x22 \\x3Cb\\x3Eescaping\\x3C/b\\x3E'),
} }