Implemented auto-escaping of variable output in templates. Fully controllable by template authors and it's possible to write filters and templates that simulataneously work in both auto-escaped and non-auto-escaped environments if you need to. Fixed #2359

See documentation in templates.txt and templates_python.txt for how everything works. Backwards incompatible if you're inserting raw HTML output via template variables. Based on an original design from Simon Willison and with debugging help from Michael Radziej. git-svn-id: http://code.djangoproject.com/svn/django/trunk@6671 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2025-10-24 14:16:09 +00:00 · 2007-11-14 12:58:53 +00:00
parent babfe78494
commit 356662cf74
53 changed files with 1208 additions and 328 deletions
--- a/django/utils/encoding.py
+++ b/django/utils/encoding.py
@@ -3,6 +3,7 @@ import urllib
 import datetime

 from django.utils.functional import Promise
+from django.utils.safestring import SafeData, mark_safe

 class DjangoUnicodeDecodeError(UnicodeDecodeError):
    def __init__(self, obj, *args):
@@ -51,7 +52,10 @@ def force_unicode(s, encoding='utf-8', strings_only=False, errors='strict'):
            else:
                s = unicode(str(s), encoding, errors)
        elif not isinstance(s, unicode):
-            s = unicode(s, encoding, errors)
+            # Note: We use .decode() here, instead of unicode(s, encoding,
+            # errors), so that if s is a SafeString, it ends up being a
+            # SafeUnicode at the end.
+            s = s.decode(encoding, errors)
    except UnicodeDecodeError, e:
        raise DjangoUnicodeDecodeError(s, *e.args)
    return s