
Commit 356662c

committed
Implemented auto-escaping of variable output in templates. Fully controllable by template authors and it's possible to write filters and templates that simultaneously work in both auto-escaped and non-auto-escaped environments if you need to. Fixed #2359
See documentation in templates.txt and templates_python.txt for how everything works. Backwards incompatible if you're inserting raw HTML output via template variables. Based on an original design from Simon Willison and with debugging help from Michael Radziej. git-svn-id: http://code.djangoproject.com/svn/django/trunk@6671 bcc190cf-cafb-0310-a4f2-bffc1f526a37
1 parent babfe78 commit 356662c


53 files changed

+1202
-322
lines changed

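--- a/django/contrib/admin/filterspecs.py
+++ b/django/contrib/admin/filterspecs.py
@@ -9,6 +9,8 @@
 from django.db import models
 from django.utils.encoding import smart_unicode, iri_to_uri
 from django.utils.translation import ugettext as _
+from django.utils.html import escape
+from django.utils.safestring import mark_safe
 import datetime
 
 class FilterSpec(object):
@@ -39,15 +41,15 @@ def title(self):
     def output(self, cl):
         t = []
         if self.has_output():
-            t.append(_(u'<h3>By %s:</h3>\n<ul>\n') % self.title())
+            t.append(_(u'<h3>By %s:</h3>\n<ul>\n') % escape(self.title()))
 
             for choice in self.choices(cl):
                 t.append(u'<li%s><a href="%s">%s</a></li>\n' % \
                     ((choice['selected'] and ' class="selected"' or ''),
                     iri_to_uri(choice['query_string']),
                     choice['display']))
             t.append('</ul>\n\n')
-        return "".join(t)
+        return mark_safe("".join(t))
 
 class RelatedFilterSpec(FilterSpec):
     def __init__(self, f, request, params, model):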
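Review bot: The added `mark_safe` on the return value certifies the whole joined list as trusted HTML, but `choice['display']` in the `<li>` append is still interpolated raw; only `self.title()` gained an `escape()` call in this hunk. Unless every subclass's `choices()` guarantees display text that is already safe, a model value containing `<` or `&` now reaches the admin page unescaped with no autoescape left to catch it. Either escape at the point of interpolation, `escape(choice['display'])`, or make the `choices()` implementations responsible for returning `mark_safe`d display text and state that contract in a docstring on `FilterSpec.choices`. The `choices()` implementations are outside this hunk, so this is a point to confirm rather than a certain defect.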

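--- a/django/contrib/admin/models.py
+++ b/django/contrib/admin/models.py
@@ -3,6 +3,7 @@
 from django.contrib.auth.models import User
 from django.utils.translation import ugettext_lazy as _
 from django.utils.encoding import smart_unicode
+from django.utils.safestring import mark_safe
 
 ADDITION = 1
 CHANGE = 2
@@ -49,4 +50,4 @@ def get_admin_url(self):
         Returns the admin URL to edit the object represented by this log entry.
         This is relative to the Django admin index page.
         """
-        return u"%s/%s/%s/" % (self.content_type.app_label, self.content_type.model, self.object_id)
+        return mark_safe(u"%s/%s/%s/" % (self.content_type.app_label, self.content_type.model, self.object_id))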
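Review bot: `mark_safe` here vouches for a string that includes `self.object_id`, which is a stored field value rather than a code-controlled identifier like `app_label` or `model`, and nothing in the hunk escapes it. Templates in this same commit place the result inside an `href="..."` attribute (the admin index action list), so a stored value containing a quote or `&` would now be emitted there verbatim instead of being autoescaped. Consider escaping the variable part before marking the result safe, `return mark_safe(u"%s/%s/%s/" % (self.content_type.app_label, self.content_type.model, escape(self.object_id)))`, which needs `from django.utils.html import escape` next to the new `mark_safe` import. `get_admin_url` begins before this hunk.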

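--- a/django/contrib/admin/templates/admin/base_site.html
+++ b/django/contrib/admin/templates/admin/base_site.html
@@ -1,7 +1,7 @@
 {% extends "admin/base.html" %}
 {% load i18n %}
 
-{% block title %}{{ title|escape }} | {% trans 'Django site admin' %}{% endblock %}
+{% block title %}{{ title }} | {% trans 'Django site admin' %}{% endblock %}
 
 {% block branding %}
 <h1 id="site-name">{% trans 'Django administration' %}</h1>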

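--- a/django/contrib/admin/templates/admin/change_form.html
+++ b/django/contrib/admin/templates/admin/change_form.html
@@ -10,8 +10,8 @@
 {% block breadcrumbs %}{% if not is_popup %}
 <div class="breadcrumbs">
 <a href="../../../">{% trans "Home" %}</a> &rsaquo;
-<a href="../">{{ opts.verbose_name_plural|capfirst|escape }}</a> &rsaquo;
-{% if add %}{% trans "Add" %} {{ opts.verbose_name|escape }}{% else %}{{ original|truncatewords:"18"|escape }}{% endif %}
+<a href="../">{{ opts.verbose_name_plural|capfirst }}</a> &rsaquo;
+{% if add %}{% trans "Add" %} {{ opts.verbose_name }}{% else %}{{ original|truncatewords:"18" }}{% endif %}
 </div>
 {% endif %}{% endblock %}
 {% block content %}<div id="content-main">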

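--- a/django/contrib/admin/templates/admin/date_hierarchy.html
+++ b/django/contrib/admin/templates/admin/date_hierarchy.html
@@ -1,9 +1,9 @@
 {% if show %}
 <div class="xfull">
 <ul class="toplinks">
-{% if back %}<li class="date-back"><a href="{{ back.link }}">&lsaquo; {{ back.title|escape }}</a></li>{% endif %}
+{% if back %}<li class="date-back"><a href="{{ back.link }}">&lsaquo; {{ back.title }}</a></li>{% endif %}
 {% for choice in choices %}
-<li> {% if choice.link %}<a href="{{ choice.link }}">{% endif %}{{ choice.title|escape }}{% if choice.link %}</a>{% endif %}</li>
+<li> {% if choice.link %}<a href="{{ choice.link }}">{% endif %}{{ choice.title }}{% if choice.link %}</a>{% endif %}</li>
 {% endfor %}
 </ul><br class="clear" />
 </div>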

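--- a/django/contrib/admin/templates/admin/delete_confirmation.html
+++ b/django/contrib/admin/templates/admin/delete_confirmation.html
@@ -3,7 +3,7 @@
 {% block breadcrumbs %}
 <div class="breadcrumbs">
 <a href="../../../../">{% trans "Home" %}</a> &rsaquo;
-<a href="../../">{{ opts.verbose_name_plural|capfirst|escape }}</a> &rsaquo;
+<a href="../../">{{ opts.verbose_name_plural|capfirst }}</a> &rsaquo;
 <a href="../">{{ object|escape|truncatewords:"18" }}</a> &rsaquo;
 {% trans 'Delete' %}
 </div>
@@ -13,7 +13,7 @@
 <p>{% blocktrans with object|escape as escaped_object %}Deleting the {{ object_name }} '{{ escaped_object }}' would result in deleting related objects, but your account doesn't have permission to delete the following types of objects:{% endblocktrans %}</p>
 <ul>
 {% for obj in perms_lacking %}
-<li>{{ obj|escape }}</li>
+<li>{{ obj }}</li>
 {% endfor %}
 </ul>
 {% else %}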
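Review bot: The new side still carries an explicit `|escape` on `object` in `<a href="../">{{ object|escape|truncatewords:"18" }}</a>` and in the `{% blocktrans with object|escape as escaped_object %}` line, while the `obj` loop variable in the second hunk has its `|escape` removed; index.html shows the same split, keeping `entry.object_repr|escape` but dropping the `|escape` inside `{% filter capfirst %}`. If the retained filters are deliberate (for instance because `truncatewords` must see the escaped text, or because the value is handed to a tag rather than rendered directly), a short template comment next to them, such as `{# escape kept on purpose: applied before truncatewords / consumed by blocktrans #}`, would stop a later cleanup from stripping them on the assumption that autoescape makes them redundant. If it is not deliberate, removing them keeps these two templates consistent with the rest of the commit. I can't tell from the hunks alone which case applies.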

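--- a/django/contrib/admin/templates/admin/edit_inline_stacked.html
+++ b/django/contrib/admin/templates/admin/edit_inline_stacked.html
@@ -1,7 +1,7 @@
 {% load admin_modify %}
 <fieldset class="module aligned">
 {% for fcw in bound_related_object.form_field_collection_wrappers %}
-<h2>{{ bound_related_object.relation.opts.verbose_name|capfirst|escape }}&nbsp;#{{ forloop.counter }}</h2>
+<h2>{{ bound_related_object.relation.opts.verbose_name|capfirst }}&nbsp;#{{ forloop.counter }}</h2>
 {% if bound_related_object.show_url %}{% if fcw.obj.original %}
 <p><a href="/r/{{ fcw.obj.original.content_type_id }}/{{ fcw.obj.original.id }}/">View on site</a></p>
 {% endif %}{% endif %}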

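--- a/django/contrib/admin/templates/admin/edit_inline_tabular.html
+++ b/django/contrib/admin/templates/admin/edit_inline_tabular.html
@@ -1,10 +1,10 @@
 {% load admin_modify %}
 <fieldset class="module">
-<h2>{{ bound_related_object.relation.opts.verbose_name_plural|capfirst|escape }}</h2><table>
+<h2>{{ bound_related_object.relation.opts.verbose_name_plural|capfirst }}</h2><table>
 <thead><tr>
 {% for fw in bound_related_object.field_wrapper_list %}
 {% if fw.needs_header %}
-<th{{ fw.header_class_attribute }}>{{ fw.field.verbose_name|capfirst|escape }}</th>
+<th{{ fw.header_class_attribute }}>{{ fw.field.verbose_name|capfirst }}</th>
 {% endif %}
 {% endfor %}
 </tr></thead>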

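--- a/django/contrib/admin/templates/admin/index.html
+++ b/django/contrib/admin/templates/admin/index.html
@@ -19,9 +19,9 @@
 {% for model in app.models %}
 <tr>
 {% if model.perms.change %}
-<th scope="row"><a href="{{ model.admin_url }}">{{ model.name|escape }}</a></th>
+<th scope="row"><a href="{{ model.admin_url }}">{{ model.name }}</a></th>
 {% else %}
-<th scope="row">{{ model.name|escape }}</th>
+<th scope="row">{{ model.name }}</th>
 {% endif %}
 
 {% if model.perms.add %}
@@ -58,7 +58,7 @@ <h3>{% trans 'My Actions' %}</h3>
 {% else %}
 <ul class="actionlist">
 {% for entry in admin_log %}
-<li class="{% if entry.is_addition %}addlink{% endif %}{% if entry.is_change %}changelink{% endif %}{% if entry.is_deletion %}deletelink{% endif %}">{% if not entry.is_deletion %}<a href="{{ entry.get_admin_url }}">{% endif %}{{ entry.object_repr|escape }}{% if not entry.is_deletion %}</a>{% endif %}<br /><span class="mini quiet">{% filter capfirst|escape %}{% trans entry.content_type.name %}{% endfilter %}</span></li>
+<li class="{% if entry.is_addition %}addlink{% endif %}{% if entry.is_change %}changelink{% endif %}{% if entry.is_deletion %}deletelink{% endif %}">{% if not entry.is_deletion %}<a href="{{ entry.get_admin_url }}">{% endif %}{{ entry.object_repr|escape }}{% if not entry.is_deletion %}</a>{% endif %}<br /><span class="mini quiet">{% filter capfirst %}{% trans entry.content_type.name %}{% endfilter %}</span></li>
 {% endfor %}
 </ul>
 {% endif %}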

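--- a/django/contrib/admin/templates/admin/invalid_setup.html
+++ b/django/contrib/admin/templates/admin/invalid_setup.html
@@ -1,7 +1,7 @@
 {% extends "admin/base_site.html" %}
 {% load i18n %}
 
-{% block breadcrumbs %}<div class="breadcrumbs"><a href="../../">{% trans 'Home' %}</a> &rsaquo; {{ title|escape }}</div>{% endblock %}
+{% block breadcrumbs %}<div class="breadcrumbs"><a href="../../">{% trans 'Home' %}</a> &rsaquo; {{ title }}</div>{% endblock %}
 
 {% block content %}
 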