mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-04-26 10:14:36 +00:00
Code Issues 32 Releases Wiki Activity
20,525 Commits 29 Branches 441 Tags
Commit Graph

107 Commits

Author SHA1 Message Date
Moritz Sichert
1f2abf784a Fixed #24469 -- Refined escaping of Django's form elements in non-Django templates. 2015-03-27 19:46:20 -04:00
Tim Graham
1c83fc88d6 Fixed an infinite loop possibility in strip_tags(). 
This is a security fix; disclosure to follow shortly.
 2015-03-18 19:20:07 -04:00
Tim Graham
3ed9c7bdfe Fixed #24471 -- Enhanced urlize regex to exclude quotes and angle brackets. 2015-03-10 19:24:46 -04:00
Tim Graham
7b1a67cce5 Fixed escaping regression in urlize filter. 
Now that the URL is always unescaped as of refs #22267,
we should re-escape it before inserting it into the anchor.
 2015-03-10 18:58:34 -04:00
Claude Paroz
ec808e807a Fixed urlize regression with entities in query strings 
Refs #22267.
Thanks Shai Berger for spotting the issue and Tim Graham for the
initial patch.
 2015-03-06 22:20:14 +01:00
Tim Graham
0ed7d15563 Sorted imports with isort; refs #23860. 2015-02-06 08:16:28 -05:00
Tim Graham
fed25f1105 Removed compatibility with Python 3.2. 2015-01-17 09:00:17 -05:00
Aymeric Augustin
6d52f6f8e6 Fixed #23831 -- Supported strings escaped by third-party libs in Django. 
Refs #7261 -- Made strings escaped by Django usable in third-party libs.

The changes in mark_safe and mark_for_escaping are straightforward. The
more tricky part is to handle correctly objects that implement __html__.

Historically escape() has escaped SafeData. Even if that doesn't seem a
good behavior, changing it would create security concerns. Therefore
support for __html__() was only added to conditional_escape() where this
concern doesn't exist.

Then using conditional_escape() instead of escape() in the Django
template engine makes it understand data escaped by other libraries.

Template filter |escape accounts for __html__() when it's available.
|force_escape forces the use of Django's HTML escaping implementation.

Here's why the change in render_value_in_context() is safe. Before Django
1.7 conditional_escape() was implemented as follows:

    if isinstance(text, SafeData):
        return text
    else:
        return escape(text)

render_value_in_context() never called escape() on SafeData. Therefore
replacing escape() with conditional_escape() doesn't change the
autoescaping logic as it was originally intended.

This change should be backported to Django 1.7 because it corrects a
feature added in Django 1.7.

Thanks mitsuhiko for the report.
 2014-12-27 18:02:34 +01:00
Jon Dufresne
4468c08d70 Fixed #23968 -- Replaced list comprehension with generators and dict comprehension 2014-12-08 07:58:23 -05:00
Berker Peksag
560b4207b1 Removed redundant numbered parameters from str.format(). 
Since Python 2.7 and 3.1, "{0} {1}" is equivalent to "{} {}".
 2014-12-03 14:27:38 -05:00
Markus Holtermann
ed2f96819c Fixed #23715 -- Prevented urlize from treating a trailing ! as part of an URL 
Thanks to 57even for the report.
 2014-10-31 08:06:40 -04:00
Jon Dufresne
54e695331b Fixed #20221 -- Allowed some functions that use mark_safe() to result in SafeText. 
Thanks Baptiste Mispelon for the report.
 2014-10-20 17:08:29 -04:00
Tim Graham
a4c23f70de Fixed flake8 warnings. 2014-09-09 20:57:26 -04:00
Claude Paroz
b9d9287f59 Fixed urlize after smart_urlquote rewrite 
Refs #22267.
 2014-09-09 21:59:35 +02:00
Claude Paroz
4b8a1d2c0d Fixed #22267 -- Fixed unquote/quote in smart_urlquote 
Thanks Md. Enzam Hossain for the report and initial patch, and
Tim Graham for the review.
 2014-09-09 21:58:07 +02:00
Tim Graham
1101467ce0 Limited lines to 119 characters in django/ 
refs #23395.
 2014-09-05 09:22:16 -04:00
Tim Graham
e122facbd8 Fixed #23269 -- Deprecated django.utils.remove_tags() and removetags filter. 
Also the unused, undocumented django.utils.html.strip_entities() function.
 2014-08-15 08:20:02 -04:00
Claude Paroz
e167e96cfe Fixed #22223 -- Prevented over-escaping URLs in reverse() 
And follow more closely the class of characters defined in the
RFC 3986.
Thanks Erik van Zijst for the report and the initial patch, and
Tim Graham for the review.
 2014-07-09 09:54:34 +02:00
LarryBrid
1bb1d3168b Updated urlize regex following a93ee5112d4 
Prevent urlize from turning some.organization, an.intern etc.
into urls. Refs #22941.
 2014-07-04 09:00:16 +02:00
LarryBrid
a93ee5112d Fixed #22941 - Added support for domain-only links with chars after the TLD to urlize. 
It now works with something like google.com/foo/bar
 2014-07-02 20:36:53 -04:00
Tomasz Wysocki
c28beb4291 Refactored and commented strip_tags utility 2014-04-03 21:24:29 +02:00
Alex Gaynor
778ce245dd Corrected many style guide violations that the newest version of flake8 catches 2014-03-30 12:11:05 -07:00
Tim Graham
dadf2ee75f Fixed a deprecation warning with the HTMLParser safe argument. 
refs 6ca6c36f82b97eafeada61384b2e2f1d0587da86
 2014-03-27 09:17:49 -04:00
Alex Gaynor
684e8a941b Removed an unused variable. 2014-03-22 10:11:39 -07:00
Claude Paroz
6ca6c36f82 Improved strip_tags and clarified documentation 
The fact that strip_tags cannot guarantee to really strip all
non-safe HTML content was not clear enough. Also see:
https://www.djangoproject.com/weblog/2014/mar/22/strip-tags-advisory/
 2014-03-22 10:59:18 +01:00
Tim Graham
8b81dee60c Removed fix_ampersands template filter per deprecation timeline. 
Also removed related utility functions:
* django.utils.html.fix_ampersands
* django.utils.html.clean_html
 2014-03-21 08:50:43 -04:00
Claude Paroz
210d0489c5 Fixed #21188 -- Introduced subclasses for to-be-removed-in-django-XX warnings 
Thanks Anssi Kääriäinen for the idea and Simon Charette for the
review.
 2014-03-08 09:57:40 +01:00
Rodolfo Carvalho
0d91225892 Fixed many typos in comments and docstrings. 
Thanks Piotr Kasprzyk for help with the patch.
 2014-03-03 07:38:09 -05:00
Erik Romijn
775975f15d Fixed #22130 -- Deprecated fix_ampersands, removed utils.clean_html() 2014-03-01 14:07:57 +01:00
Baptiste Mispelon
3eb58f0dd1 Removed unnecessary function-level import. 2013-12-16 15:30:51 +01:00
Vajrasky Kok
db41778e8c Removed unnecessary call to force_text in utils.html.clean_html. 
Refs #21574
 2013-12-16 15:22:54 +01:00
Loic Bistuer
6685713869 Fixed E127 pep8 warnings. 2013-12-14 11:59:15 -05:00
Christopher Medrela
7477a4ffde Fixed E125 pep8 warnings 2013-11-28 08:50:11 -05:00
Ray Ashman Jr
e2ae8b048e Correct flake8 E302 violations 2013-11-02 19:53:29 -04:00
Alex Gaynor
7548aa8ffd More attacking E302 violators 2013-11-02 13:12:09 -07:00
Ray Ashman Jr
dcfc8fa972 Correct flake8 violation E261 2013-11-02 15:27:47 -04:00
Alasdair Nicol
c3aa2948c6 Fixed #21298 -- Fixed E301 pep8 warnings 2013-10-23 13:45:03 +01:00
Alasdair Nicol
b289fcf1bf Fixed #21288 -- Fixed E126 pep8 warnings 2013-10-21 08:31:30 -04:00
Unai Zalakain
af64429b99 Fixed #7261 -- support for __html__ for library interoperability 
The idea is that if an object implements __html__ which returns a string this is
used as HTML representation (eg: on escaping). If the object is a str or unicode
subclass and returns itself the object is a safe string type.

This is an updated patch based on jbalogh and ivank patches.
 2013-10-15 00:42:42 +02:00
Giles Richard Greenway
6c06adad1d Fixed #20364 -- Changed urlize regexes to include quotation marks as punctation. 
Thanks to EmilStenstrom for raising this, and to Chris Piwoński for all of the fixes and most of the tests.
 2013-09-25 22:17:22 +02:00
Alex Gaynor
2530735d2d Fixed a number of flake8 errors -- particularly around unused imports and local variables 2013-09-06 21:56:40 -07:00
Aymeric Augustin
6a6428a36f Took advantage of django.utils.six.moves.urllib.*. 2013-09-05 14:39:23 -05:00
Simon Charette
11cd7388f7 Fixed #20989 -- Removed useless explicit list comprehensions. 2013-08-30 10:57:51 -04:00
Florian Apolloner
b70c371fc1 Simplified smart_urlquote and added some basic tests. 2013-07-28 10:05:39 +02:00
Aymeric Augustin
ffcf24c9ce Removed several unused imports. 2013-06-19 17:18:40 +02:00
Claude Paroz
b664cb818d Fixed #19237 (again) - Made strip_tags consistent between Python versions 2013-05-23 14:01:27 +02:00
Claude Paroz
dc51ec8bc2 Fixed #19237 -- Used HTML parser to strip tags 
The regex method used until now for the strip_tags utility is fast,
but subject to flaws and security issues. Consensus and good
practice lead use to use a slower but safer method.
 2013-05-22 17:34:02 +02:00
Emil Stenström
7d77e9786a Fixed #20246 -- Added non-breaking spaces between values an units 2013-05-18 23:01:48 +02:00
Aymeric Augustin
9c487b5974 Replaced an antiquated pattern. 
Thanks Lennart Regebro for pointing it out.
 2013-05-17 18:08:58 +02:00
Claude Paroz
b474ffe63a Fixed #20172 -- Ensured urlize supports IPv4/IPv6 addresses 
Thanks Marc Aymerich for the report and the initial patch.
 2013-04-01 15:37:37 +02:00