Tim Graham
de67dedc77
[1.7.x] Fixed is_safe_url() to handle leading whitespace.
...
This is a security fix. Disclosure following shortly.
2015-01-13 13:02:56 -05:00
Aymeric Augustin
3483682749
[1.7.x] Fixed #23831 -- Supported strings escaped by third-party libs in Django.
...
Refs #7261 -- Made strings escaped by Django usable in third-party libs.
The changes in mark_safe and mark_for_escaping are straightforward. The
more tricky part is to handle correctly objects that implement __html__.
Historically escape() has escaped SafeData. Even if that doesn't seem a
good behavior, changing it would create security concerns. Therefore
support for __html__() was only added to conditional_escape() where this
concern doesn't exist.
Then using conditional_escape() instead of escape() in the Django
template engine makes it understand data escaped by other libraries.
Template filter |escape accounts for __html__() when it's available.
|force_escape forces the use of Django's HTML escaping implementation.
Here's why the change in render_value_in_context() is safe. Before Django
1.7 conditional_escape() was implemented as follows:
if isinstance(text, SafeData):
return text
else:
return escape(text)
render_value_in_context() never called escape() on SafeData. Therefore
replacing escape() with conditional_escape() doesn't change the
autoescaping logic as it was originally intended.
This change should be backported to Django 1.7 because it corrects a
feature added in Django 1.7.
Thanks mitsuhiko for the report.
Backport of 6d52f6f
2014-12-27 18:26:20 +01:00
Aymeric Augustin
b429a9796a
[1.7.x] Fixed an inconsistency introduced in 547b1810.
...
mark_safe and mark_for_escaping should have been kept similar.
On Python 2 this change has no effect. On Python 3 it fixes the use case
shown in the regression test for mark_for_escaping, which used to raise
a TypeError. The regression test for mark_safe is just for completeness.
Backport of 5c5eb5fe
2014-12-27 18:17:18 +01:00
Oscar Ramirez
1ad5deedd4
[1.7.x] Fixed #23998 -- Added datetime.time support to migrations questioner.
...
Backport of 54085b0f9b
2014-12-22 07:26:57 -05:00
Ian Foote
d830665007
[1.7.x] Fixed #23333 -- Made urlsafe_base64_decode() return proper type on Python 3.
...
Backport of 03d89168a2
2014-10-08 14:03:46 -04:00
Tim Graham
5736631233
[1.7.x] Fixed test failure on Windows.
...
os.close(fd) is needed to avoid "The process cannot access the file
because it is being used by another process"
Backport of c2ab501bab
2014-07-30 14:33:58 -04:00
Tim Graham
d1c08d4758
[1.7.x] Fixed bad usage of rstrip() that caused test failure.
...
If the temporary file name contained a p or y as its last
characters, it would be stripped. refs #23083 .
Backport of 57d2b3f2a7
2014-07-25 15:17:18 -04:00
Tim Graham
4f8a5bd8d0
[1.7.x] Fixed #23083 -- Fixed runserver reloading when deleting a file.
...
Thanks Collin Anderson for the report and hirokiky for the fix.
Backport of b8cb5ba708
2014-07-25 13:25:16 -04:00
Claude Paroz
f2011e21a2
[1.7.x] Fixed #22991 -- Prevented *.pyc files in autoreload monitoring
...
This fixes a regression introduced in 6d302f6394e424084e
2014-07-15 09:59:25 +02:00
Tim Graham
0100afb013
[1.7.x] Fixed flake8 errors.
...
Backport of fddd95254e
2014-07-07 19:13:00 -04:00
Tim Graham
28962c57f3
[1.7.x] Fixed #22909 -- Removed camelCasing in some tests.
...
Thanks brylie.
Backport of 89b9e6e5d6
2014-07-07 19:10:48 -04:00
Claude Paroz
1bb8ccdb9e
[1.7.x] Fixed pyinotify performance regression in 15f82c7011
...
Refs #9722 . Thanks Tim Graham for the review.
Backport of 6d302f639
2014-07-06 21:45:09 +02:00
Richard Eames
8dcc7810f0
[1.7.x] Fixed #22814 -- Allowed ISO-8601 [+-]hh timezone format in parse_datetime
...
Backport of 7beaeeed
2014-06-25 10:58:23 +02:00
Alexandr Shurigin
8d6e0d4588
[1.7.x] Fixed #22681 -- Made TarArchive recognize leading directories properly.
...
Backport of 083d285b82
2014-06-03 15:03:32 -04:00
Alex Gaynor
8b87473008
[1.7.x] Fixed several flake8 errors, including one where a test wouldn't be run
...
Backport of b6b873d2ad
2014-05-17 13:31:09 -04:00
Aymeric Augustin
62de03ee33
[1.7.x] Optimized make_aware/naive by removing redundant checks. Refs #22625 .
...
Also added tests with pytz and removed misplaced tests.
Backport of 1109ebd
2014-05-16 23:14:13 +02:00
Aymeric Augustin
6f8301d6cd
[1.7.x] Fixed #22625 -- Normalized make_aware/naive errors.
...
Also added tests for is/make_aware/naive.
Thanks Tom Michaelis for the report.
Backport of fa89acf
2014-05-16 22:54:21 +02:00
Claude Paroz
e8a7436941
[1.7.x] Harmonized some PEP 0263 coding preambles
...
Backport of e520a73ee
2014-05-15 20:01:31 +02:00
Erik Romijn
e7b0cace45
[1.7.x] Added additional checks in is_safe_url to account for flexible parsing.
...
This is a security fix. Disclosure following shortly.
2014-05-14 10:18:27 +02:00
Aymeric Augustin
7fef18ba9e
[1.7.x] Dropped fix_IE_for_vary/attach.
...
This is a security fix. Disclosure following shortly.
2014-05-14 10:18:26 +02:00
Tim Graham
0f9f8738d5
[1.7.x] Fixed #22338 -- Fixed a test dependent on dictionary key iteration order.
...
Backport of 69a4f383f6
2014-03-30 14:27:05 -04:00
Tim Graham
3d74f1f64a
[1.7.x] Fixed a deprecation warning on Python 3.
...
Backport of c19bbefca2
2014-03-27 07:01:04 -04:00
Claude Paroz
07d4b3c8f2
[1.7.x] Tweaked strip_tags tests to pass on Python 3.3
...
Backport of 6a0291bdaf
2014-03-22 14:44:13 +01:00
Claude Paroz
80f08dbdbc
[1.7.x] Improved strip_tags and clarified documentation
...
The fact that strip_tags cannot guarantee to really strip all
non-safe HTML content was not clear enough. Also see:
https://www.djangoproject.com/weblog/2014/mar/22/strip-tags-advisory/
Backport of 6ca6c36f82
2014-03-22 11:01:14 +01:00
Baptiste Mispelon
61917aa08b
Fixed #21840 -- Moved dunder methods from SimpleLazyObject to LazyObject.
...
This commit also added tests for LazyObject and refactored
the testsuite of SimpleLazyObject so that it can share
test cases with LazyObject.
2014-03-13 10:03:01 +01:00
Claude Paroz
210d0489c5
Fixed #21188 -- Introduced subclasses for to-be-removed-in-django-XX warnings
...
Thanks Anssi Kääriäinen for the idea and Simon Charette for the
review.
2014-03-08 09:57:40 +01:00
Claude Paroz
ac699cdc17
Really hidden warnings in javascript_quote tests
...
Refs #21725 .
2014-03-05 09:00:55 +01:00
Erik Romijn
775975f15d
Fixed #22130 -- Deprecated fix_ampersands, removed utils.clean_html()
2014-03-01 14:07:57 +01:00
Baptiste Mispelon
926e18d7d1
Deprecated django.utils.text.javascript_quote.
...
Refs #21725 .
2014-02-22 13:50:12 +01:00
Baptiste Mispelon
847171b0d0
Fixed test failures when running in a narrow Python build.
2014-02-22 13:50:12 +01:00
MattBlack85
1c1dffca75
Fixed #21725 -- Fixed JavaScript quoting encoding.
...
Thanks to nedbatchelder for the report.
2014-02-15 19:39:21 +01:00
Berker Peksag
5d263dee30
Fixed #21674 -- Deprecated the import_by_path() function in favor of import_string().
...
Thanks Aymeric Augustin for the suggestion and review.
2014-02-08 11:12:19 -05:00
Vajrasky Kok
c43c469a2e
Fixed #21731 -- Made javascript_quote escapes '</'.
2014-02-06 04:02:09 -05:00
Alex Gaynor
55d19d370f
Removed import which is now unused
2014-02-05 13:26:56 -08:00
Baptiste Mispelon
a878bf9b09
Revert "Fixed #20296 -- Allowed SafeData and EscapeData to be lazy"
...
This reverts commit 2ee447fb5f#21882 ) and didn't really
do what it was supposed to: while it did delay the evaluation
of lazy objects passed to mark_safe(), they weren't actually
marked as such so they could end up being escaped twice.
Refs #21882 .
2014-02-05 21:22:40 +01:00
Carl Meyer
ca95f8e435
Moved sys.path-extending decorator to django.test.utils and used throughout test suite.
...
Thanks Aymeric for the suggestion.
2014-01-25 22:50:40 -07:00
Aymeric Augustin
9cc3371a0f
Fixed #21756 -- Skipped two timezone-related tests on Windows.
...
Windows cannot use a time zone other than the default time zone.
Thanks manfre for the report.
2014-01-12 09:41:57 +01:00
Aymeric Augustin
e32095616c
Imported override_settings from its new location.
2013-12-23 21:37:56 +01:00
Aymeric Augustin
da16bb30ff
Dropped AppCache._empty, _with_app and _without_app.
...
It's now easier to achieve the same effect with modify_settings or
override_settings.
2013-12-23 21:37:56 +01:00
Aymeric Augustin
2fef9e5375
Moved apps back in the toplevel django namespace.
...
Reverted 4a56a93cc4
2013-12-22 11:39:55 +01:00
Aymeric Augustin
2239081ff1
Expurged INSTALLED_APPS from code and tests.
...
Except the app cache code and a few specific tests, of course.
2013-12-22 11:39:18 +01:00
Aymeric Augustin
65cd74be8e
Stopped iterating on INSTALLED_APPS.
...
Used the app cache's get_app_configs() method instead.
2013-12-22 11:39:18 +01:00
Loic Bistuer
6685713869
Fixed E127 pep8 warnings.
2013-12-14 11:59:15 -05:00
Baptiste Mispelon
2c837233f5
Fixed #21574 -- Handle bytes consistently in utils.text.normalize_newlines.
...
All input is now coerced to text before being normalized.
This changes nothing under Python 2 but it allows bytes
to be passed to the function without a TypeError under Python3
(bytes are assumed to be utf-8 encoded text).
Thanks to trac user vajrasky for the report.
2013-12-12 16:09:12 +01:00
Vajrasky Kok
a1a26690b9
Fixed #21572 -- Added unit test for django.utils.text.normalize_newlines.
2013-12-07 16:28:22 +08:00
Vajrasky Kok
7169722d5c
Fixed #21505 -- Added unit test for django.utils.text.get_valid_filename.
2013-11-24 11:10:34 +01:00
Bouke Haarsma
2397daab4a
Fixed #9523 -- Restart runserver after compiling apps translations
...
Django also uses locales provided by apps, which also might change. Also when
i18n is disabled, there is no need for watching translation files.
2013-11-11 11:43:09 +01:00
Alex Gaynor
c347f78cc1
Fixed all E226 violations
2013-11-03 10:08:55 -08:00
Jason Myers
c3791463a5
Fixing E302 Errors
...
Signed-off-by: Jason Myers <jason@jasonamyers.com >
2013-11-02 23:48:47 -05:00
Tim Graham
36ded01527
Fixed #21302 -- Fixed unused imports and import *.
2013-11-02 15:24:56 -04:00
