mirror of
https://github.com/django/django.git
synced 2024-12-01 15:42:04 +01:00
6d52f6f8e6
Refs #7261 -- Made strings escaped by Django usable in third-party libs. The changes in mark_safe and mark_for_escaping are straightforward. The more tricky part is to handle correctly objects that implement __html__. Historically escape() has escaped SafeData. Even if that doesn't seem a good behavior, changing it would create security concerns. Therefore support for __html__() was only added to conditional_escape() where this concern doesn't exist. Then using conditional_escape() instead of escape() in the Django template engine makes it understand data escaped by other libraries. Template filter |escape accounts for __html__() when it's available. |force_escape forces the use of Django's HTML escaping implementation. Here's why the change in render_value_in_context() is safe. Before Django 1.7 conditional_escape() was implemented as follows: if isinstance(text, SafeData): return text else: return escape(text) render_value_in_context() never called escape() on SafeData. Therefore replacing escape() with conditional_escape() doesn't change the autoescaping logic as it was originally intended. This change should be backported to Django 1.7 because it corrects a feature added in Django 1.7. Thanks mitsuhiko for the report.
108 lines
3.6 KiB
Python
108 lines
3.6 KiB
Python
from __future__ import unicode_literals
|
|
|
|
from django.template import Template, Context
|
|
from django.test import TestCase
|
|
from django.utils.encoding import force_text, force_bytes
|
|
from django.utils.functional import lazy
|
|
from django.utils.safestring import mark_safe, mark_for_escaping, SafeData, EscapeData
|
|
from django.utils import six
|
|
from django.utils import text
|
|
from django.utils import html
|
|
|
|
lazystr = lazy(force_text, six.text_type)
|
|
lazybytes = lazy(force_bytes, bytes)
|
|
|
|
|
|
class customescape(six.text_type):
|
|
def __html__(self):
|
|
# implement specific and obviously wrong escaping
|
|
# in order to be able to tell for sure when it runs
|
|
return self.replace('<', '<<').replace('>', '>>')
|
|
|
|
|
|
class SafeStringTest(TestCase):
|
|
def assertRenderEqual(self, tpl, expected, **context):
|
|
context = Context(context)
|
|
tpl = Template(tpl)
|
|
self.assertEqual(tpl.render(context), expected)
|
|
|
|
def test_mark_safe(self):
|
|
s = mark_safe('a&b')
|
|
|
|
self.assertRenderEqual('{{ s }}', 'a&b', s=s)
|
|
self.assertRenderEqual('{{ s|force_escape }}', 'a&b', s=s)
|
|
|
|
def test_mark_safe_object_implementing_dunder_html(self):
|
|
e = customescape('<a&b>')
|
|
s = mark_safe(e)
|
|
self.assertIs(s, e)
|
|
|
|
self.assertRenderEqual('{{ s }}', '<<a&b>>', s=s)
|
|
self.assertRenderEqual('{{ s|force_escape }}', '<a&b>', s=s)
|
|
|
|
def test_mark_safe_lazy(self):
|
|
s = lazystr('a&b')
|
|
b = lazybytes(b'a&b')
|
|
|
|
self.assertIsInstance(mark_safe(s), SafeData)
|
|
self.assertIsInstance(mark_safe(b), SafeData)
|
|
self.assertRenderEqual('{{ s }}', 'a&b', s=mark_safe(s))
|
|
|
|
def test_mark_safe_object_implementing_dunder_str(self):
|
|
class Obj(object):
|
|
def __str__(self):
|
|
return '<obj>'
|
|
|
|
s = mark_safe(Obj())
|
|
|
|
self.assertRenderEqual('{{ s }}', '<obj>', s=s)
|
|
|
|
def test_mark_safe_result_implements_dunder_html(self):
|
|
self.assertEqual(mark_safe('a&b').__html__(), 'a&b')
|
|
|
|
def test_mark_safe_lazy_result_implements_dunder_html(self):
|
|
self.assertEqual(mark_safe(lazystr('a&b')).__html__(), 'a&b')
|
|
|
|
def test_mark_for_escaping(self):
|
|
s = mark_for_escaping('a&b')
|
|
self.assertRenderEqual('{{ s }}', 'a&b', s=s)
|
|
self.assertRenderEqual('{{ s }}', 'a&b', s=mark_for_escaping(s))
|
|
|
|
def test_mark_for_escaping_object_implementing_dunder_html(self):
|
|
e = customescape('<a&b>')
|
|
s = mark_for_escaping(e)
|
|
self.assertIs(s, e)
|
|
|
|
self.assertRenderEqual('{{ s }}', '<<a&b>>', s=s)
|
|
self.assertRenderEqual('{{ s|force_escape }}', '<a&b>', s=s)
|
|
|
|
def test_mark_for_escaping_lazy(self):
|
|
s = lazystr('a&b')
|
|
b = lazybytes(b'a&b')
|
|
|
|
self.assertIsInstance(mark_for_escaping(s), EscapeData)
|
|
self.assertIsInstance(mark_for_escaping(b), EscapeData)
|
|
self.assertRenderEqual('{% autoescape off %}{{ s }}{% endautoescape %}', 'a&b', s=mark_for_escaping(s))
|
|
|
|
def test_mark_for_escaping_object_implementing_dunder_str(self):
|
|
class Obj(object):
|
|
def __str__(self):
|
|
return '<obj>'
|
|
|
|
s = mark_for_escaping(Obj())
|
|
|
|
self.assertRenderEqual('{{ s }}', '<obj>', s=s)
|
|
|
|
def test_add_lazy_safe_text_and_safe_text(self):
|
|
s = html.escape(lazystr('a'))
|
|
s += mark_safe('&b')
|
|
self.assertRenderEqual('{{ s }}', 'a&b', s=s)
|
|
|
|
s = html.escapejs(lazystr('a'))
|
|
s += mark_safe('&b')
|
|
self.assertRenderEqual('{{ s }}', 'a&b', s=s)
|
|
|
|
s = text.slugify(lazystr('a'))
|
|
s += mark_safe('&b')
|
|
self.assertRenderEqual('{{ s }}', 'a&b', s=s)
|