Changed a lot of internal code to use 'format_html' where appropriate/possible

2025-10-24 22:26:08 +00:00 · 2012-07-03 00:31:14 +01:00
parent bee498f3a2
commit a92e7f37c4
12 changed files with 121 additions and 93 deletions
--- a/django/forms/forms.py
+++ b/django/forms/forms.py
@@ -11,7 +11,7 @@ from django.forms.fields import Field, FileField
 from django.forms.util import flatatt, ErrorDict, ErrorList
 from django.forms.widgets import Media, media_property, TextInput, Textarea
 from django.utils.datastructures import SortedDict
-from django.utils.html import conditional_escape
+from django.utils.html import conditional_escape, format_html
 from django.utils.encoding import StrAndUnicode, smart_unicode, force_unicode
 from django.utils.safestring import mark_safe

@@ -167,7 +167,7 @@ class BaseForm(StrAndUnicode):
                    # punctuation.
                    if self.label_suffix:
                        if label[-1] not in ':?.!':
-                            label += self.label_suffix
+                            label = format_html('{}{}', label, self.label_suffix)
                    label = bf.label_tag(label) or ''
                else:
                    label = ''
@@ -498,8 +498,8 @@ class BoundField(StrAndUnicode):
    def label_tag(self, contents=None, attrs=None):
        """
        Wraps the given contents in a <label>, if the field has an ID attribute.
-        Does not HTML-escape the contents. If contents aren't given, uses the
-        field's HTML-escaped label.
+        contents should be 'mark_safe'd to avoid HTML escaping. If contents
+        aren't given, uses the field's HTML-escaped label.

        If attrs are given, they're used as HTML attributes on the <label> tag.
        """
@@ -508,7 +508,9 @@ class BoundField(StrAndUnicode):
        id_ = widget.attrs.get('id') or self.auto_id
        if id_:
            attrs = attrs and flatatt(attrs) or ''
-            contents = '<label for="%s"%s>%s</label>' % (widget.id_for_label(id_), attrs, unicode(contents))
+            contents = format_html('<label for="{0}"{1}>{2}</label>',
+                                   widget.id_for_label(id_), attrs, contents
+                                   )
        return mark_safe(contents)

    def css_classes(self, extra_classes=None):
--- a/django/forms/util.py
+++ b/django/forms/util.py
@@ -1,7 +1,7 @@
 from __future__ import unicode_literals

 from django.conf import settings
-from django.utils.html import conditional_escape
+from django.utils.html import format_html, format_html_join
 from django.utils.encoding import StrAndUnicode, force_unicode
 from django.utils.safestring import mark_safe
 from django.utils import timezone
@@ -17,8 +17,10 @@ def flatatt(attrs):
    The returned string will contain a leading space followed by key="value",
    XML-style pairs.  It is assumed that the keys do not need to be XML-escaped.
    If the passed dictionary is empty, then return an empty string.
+
+    The result is passed through 'mark_safe'.
    """
-    return ''.join([' %s="%s"' % (k, conditional_escape(v)) for k, v in attrs.items()])
+    return format_html_join('', ' {}="{}"', attrs.items())

 class ErrorDict(dict, StrAndUnicode):
    """
@@ -31,9 +33,11 @@ class ErrorDict(dict, StrAndUnicode):

    def as_ul(self):
        if not self: return ''
-        return mark_safe('<ul class="errorlist">%s</ul>'
-                % ''.join(['<li>%s%s</li>' % (k, conditional_escape(force_unicode(v)))
-                    for k, v in self.items()]))
+        return format_html('<ul class="errorlist">{}</ul>',
+                           format_html_join('', '<li>{0}{1}</li>',
+                                            ((k, force_unicode(v))
+                                             for k, v in self.items())
+                           ))

    def as_text(self):
        return '\n'.join(['* %s\n%s' % (k, '\n'.join(['  * %s' % force_unicode(i) for i in v])) for k, v in self.items()])
@@ -47,8 +51,11 @@ class ErrorList(list, StrAndUnicode):

    def as_ul(self):
        if not self: return ''
-        return mark_safe('<ul class="errorlist">%s</ul>'
-                % ''.join(['<li>%s</li>' % conditional_escape(force_unicode(e)) for e in self]))
+        return format_html('<ul class="errorlist">{}</ul>',
+                           format_html_join('', '<li>{}</li>',
+                                            ((force_unicode(e),) for e in self)
+                                            )
+                           )

    def as_text(self):
        if not self: return ''
--- a/django/forms/widgets.py
+++ b/django/forms/widgets.py
@@ -12,7 +12,7 @@ from urlparse import urljoin
 from django.conf import settings
 from django.forms.util import flatatt, to_current_timezone
 from django.utils.datastructures import MultiValueDict, MergeDict
-from django.utils.html import escape, conditional_escape
+from django.utils.html import conditional_escape, format_html, format_html_join
 from django.utils.translation import ugettext, ugettext_lazy
 from django.utils.encoding import StrAndUnicode, force_unicode
 from django.utils.safestring import mark_safe
@@ -53,7 +53,7 @@ class Media(StrAndUnicode):
        return mark_safe('\n'.join(chain(*[getattr(self, 'render_' + name)() for name in MEDIA_TYPES])))

    def render_js(self):
-        return ['<script type="text/javascript" src="%s"></script>' % self.absolute_path(path) for path in self._js]
+        return [format_html('<script type="text/javascript" src="{0}"></script>', self.absolute_path(path)) for path in self._js]

    def render_css(self):
        # To keep rendering order consistent, we can't just iterate over items().
@@ -61,7 +61,7 @@ class Media(StrAndUnicode):
        media = self._css.keys()
        media.sort()
        return chain(*[
-            ['<link href="%s" type="text/css" media="%s" rel="stylesheet" />' % (self.absolute_path(path), medium)
+                [format_html('<link href="{0}" type="text/css" media="{1}" rel="stylesheet" />', self.absolute_path(path), medium)
                    for path in self._css[medium]]
                for medium in media])

@@ -254,7 +254,7 @@ class Input(Widget):
        if value != '':
            # Only add the 'value' attribute if a value is non-empty.
            final_attrs['value'] = force_unicode(self._format_value(value))
-        return mark_safe('<input%s />' % flatatt(final_attrs))
+        return format_html('<input{} />', flatatt(final_attrs))

 class TextInput(Input):
    input_type = 'text'
@@ -295,7 +295,7 @@ class MultipleHiddenInput(HiddenInput):
                # An ID attribute was given. Add a numeric index as a suffix
                # so that the inputs don't all have the same ID attribute.
                input_attrs['id'] = '%s_%s' % (id_, i)
-            inputs.append('<input%s />' % flatatt(input_attrs))
+            inputs.append(format_html('<input{} />', flatatt(input_attrs)))
        return mark_safe('\n'.join(inputs))

    def value_from_datadict(self, data, files, name):
@@ -355,9 +355,9 @@ class ClearableFileInput(FileInput):

        if value and hasattr(value, "url"):
            template = self.template_with_initial
-            substitutions['initial'] = ('<a href="%s">%s</a>'
-                                        % (escape(value.url),
-                                           escape(force_unicode(value))))
+            substitutions['initial'] = format_html('<a href="{0}">{1}</a>',
+                                                   value.url,
+                                                   force_unicode(value))
            if not self.is_required:
                checkbox_name = self.clear_checkbox_name(name)
                checkbox_id = self.clear_checkbox_id(checkbox_name)
@@ -392,8 +392,9 @@ class Textarea(Widget):
    def render(self, name, value, attrs=None):
        if value is None: value = ''
        final_attrs = self.build_attrs(attrs, name=name)
-        return mark_safe('<textarea%s>%s</textarea>' % (flatatt(final_attrs),
-                conditional_escape(force_unicode(value))))
+        return format_html('<textarea{0}>{1}</textarea>',
+                           flatatt(final_attrs),
+                           force_unicode(value))

 class DateInput(Input):
    input_type = 'text'
@@ -511,7 +512,7 @@ class CheckboxInput(Widget):
        if not (value is True or value is False or value is None or value == ''):
            # Only add the 'value' attribute if a value is non-empty.
            final_attrs['value'] = force_unicode(value)
-        return mark_safe('<input%s />' % flatatt(final_attrs))
+        return format_html('<input{} />', flatatt(final_attrs))

    def value_from_datadict(self, data, files, name):
        if name not in data:
@@ -543,7 +544,7 @@ class Select(Widget):
    def render(self, name, value, attrs=None, choices=()):
        if value is None: value = ''
        final_attrs = self.build_attrs(attrs, name=name)
-        output = ['<select%s>' % flatatt(final_attrs)]
+        output = [format_html('<select{}>', flatatt(final_attrs))]
        options = self.render_options(choices, [value])
        if options:
            output.append(options)
@@ -553,15 +554,16 @@ class Select(Widget):
    def render_option(self, selected_choices, option_value, option_label):
        option_value = force_unicode(option_value)
        if option_value in selected_choices:
-            selected_html = ' selected="selected"'
+            selected_html = mark_safe(' selected="selected"')
            if not self.allow_multiple_selected:
                # Only allow for a single selection.
                selected_choices.remove(option_value)
        else:
            selected_html = ''
-        return '<option value="%s"%s>%s</option>' % (
-            escape(option_value), selected_html,
-            conditional_escape(force_unicode(option_label)))
+        return format_html('<option value="{0}"{1}>{2}</option>',
+                           option_value,
+                           selected_html,
+                           force_unicode(option_label))

    def render_options(self, choices, selected_choices):
        # Normalize to strings.
@@ -569,7 +571,7 @@ class Select(Widget):
        output = []
        for option_value, option_label in chain(self.choices, choices):
            if isinstance(option_label, (list, tuple)):
-                output.append('<optgroup label="%s">' % escape(force_unicode(option_value)))
+                output.append(format_html('<optgroup label="{0}">', force_unicode(option_value)))
                for option in option_label:
                    output.append(self.render_option(selected_choices, *option))
                output.append('</optgroup>')
@@ -618,7 +620,7 @@ class SelectMultiple(Select):
    def render(self, name, value, attrs=None, choices=()):
        if value is None: value = []
        final_attrs = self.build_attrs(attrs, name=name)
-        output = ['<select multiple="multiple"%s>' % flatatt(final_attrs)]
+        output = [format_html('<select multiple="multiple"{}>', flatatt(final_attrs))]
        options = self.render_options(choices, value)
        if options:
            output.append(options)
@@ -662,11 +664,11 @@ class RadioInput(SubWidget):
        value = value or self.value
        attrs = attrs or self.attrs
        if 'id' in self.attrs:
-            label_for = ' for="%s_%s"' % (self.attrs['id'], self.index)
+            label_for = format_html(' for="{0}_{1}"', self.attrs['id'], self.index)
        else:
            label_for = ''
-        choice_label = conditional_escape(force_unicode(self.choice_label))
-        return mark_safe('<label%s>%s %s</label>' % (label_for, self.tag(), choice_label))
+        choice_label = force_unicode(self.choice_label)
+        return format_html('<label{0}>{1} {2}</label>', label_for, self.tag(), choice_label)

    def is_checked(self):
        return self.value == self.choice_value
@@ -677,7 +679,7 @@ class RadioInput(SubWidget):
        final_attrs = dict(self.attrs, type='radio', name=self.name, value=self.choice_value)
        if self.is_checked():
            final_attrs['checked'] = 'checked'
-        return mark_safe('<input%s />' % flatatt(final_attrs))
+        return format_html('<input{} />', flatatt(final_attrs))

 class RadioFieldRenderer(StrAndUnicode):
    """
@@ -701,8 +703,10 @@ class RadioFieldRenderer(StrAndUnicode):

    def render(self):
        """Outputs a <ul> for this set of radio fields."""
-        return mark_safe('<ul>\n%s\n</ul>' % '\n'.join(['<li>%s</li>'
-                % force_unicode(w) for w in self]))
+        return format_html('<ul>\n{0}\n</ul>',
+                           format_html_join('\n', '<li>{0}</li>',
+                                            [(force_unicode(w),) for w in self]
+                                            ))

 class RadioSelect(Select):
    renderer = RadioFieldRenderer
@@ -751,15 +755,16 @@ class CheckboxSelectMultiple(SelectMultiple):
            # so that the checkboxes don't all have the same ID attribute.
            if has_id:
                final_attrs = dict(final_attrs, id='%s_%s' % (attrs['id'], i))
-                label_for = ' for="%s"' % final_attrs['id']
+                label_for = format_html(' for="{0}"', final_attrs['id'])
            else:
                label_for = ''

            cb = CheckboxInput(final_attrs, check_test=lambda value: value in str_values)
            option_value = force_unicode(option_value)
            rendered_cb = cb.render(name, option_value)
-            option_label = conditional_escape(force_unicode(option_label))
-            output.append('<li><label%s>%s %s</label></li>' % (label_for, rendered_cb, option_label))
+            option_label = force_unicode(option_label)
+            output.append(format_html('<li><label{0}>{1} {2}</label></li>',
+                                      label_for, rendered_cb, option_label))
        output.append('</ul>')
        return mark_safe('\n'.join(output))