
Commit 972a9c7

committed
[1.2.X] Fixed #11377: the template join filter now correctly escapes the joiner, too.
Thanks, Stephen Kelly. Backport of [13464] from trunk. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.2.X@13465 bcc190cf-cafb-0310-a4f2-bffc1f526a37
1 parent 4441f7b commit 972a9c7

2 files changed

+9
-4
lines changed

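--- a/django/template/defaultfilters.py
+++ b/django/template/defaultfilters.py
@@ -11,9 +11,10 @@
 from django.template import Variable, Library
 from django.conf import settings
 from django.utils import formats
-from django.utils.translation import ugettext, ungettext
 from django.utils.encoding import force_unicode, iri_to_uri
+from django.utils.html import conditional_escape
 from django.utils.safestring import mark_safe, SafeData
+from django.utils.translation import ugettext, ungettext
 
 register = Library()
 
@@ -496,10 +497,9 @@ def join(value, arg, autoescape=None):
 """
 value = map(force_unicode, value)
 if autoescape:
-from django.utils.html import conditional_escape
 value = [conditional_escape(v) for v in value]
 try:
-data = arg.join(value)
+data = conditional_escape(arg).join(value)
 except AttributeError: # fail silently but nicely
 return value
 return mark_safe(data)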
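Review bot: In the second hunk, `conditional_escape(arg)` appears to sit in the `try` outside the `if autoescape:` guard (indentation is lost on this page), so the joiner is escaped even under `{% autoescape off %}` while the list items are left raw, and the mixed result is still returned through `mark_safe`. If the joiner is meant to follow the same rule as the items, escape it in the guarded branch with `arg = conditional_escape(arg)` and keep `data = arg.join(value)` in the `try`. `conditional_escape` presumably coerces its argument to text, so a non-string joiner may no longer reach the `except AttributeError` fallback; that is worth confirming as intended. The body of `join` begins above the hunk.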

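--- a/tests/regressiontests/templates/filters.py
+++ b/tests/regressiontests/templates/filters.py
@@ -328,7 +328,12 @@ def get_filter_tests():
 'join03': (r'{{ a|join:" & " }}', {'a': ['alpha', 'beta & me']}, 'alpha & beta & me'),
 'join04': (r'{% autoescape off %}{{ a|join:" & " }}{% endautoescape %}', {'a': ['alpha', 'beta & me']}, 'alpha & beta & me'),
 
-
+# Test that joining with unsafe joiners don't result in unsafe strings (#11377)
+'join05': (r'{{ a|join:var }}', {'a': ['alpha', 'beta & me'], 'var': ' & '}, 'alpha & beta & me'),
+'join06': (r'{{ a|join:var }}', {'a': ['alpha', 'beta & me'], 'var': mark_safe(' & ')}, 'alpha & beta & me'),
+'join07': (r'{{ a|join:var|lower }}', {'a': ['Alpha', 'Beta & me'], 'var': ' & ' }, 'alpha & beta & me'),
+'join08': (r'{{ a|join:var|lower }}', {'a': ['Alpha', 'Beta & me'], 'var': mark_safe(' & ')}, 'alpha & beta & me'),
+
 'date01': (r'{{ d|date:"m" }}', {'d': datetime(2008, 1, 1)}, '01'),
 'date02': (r'{{ d|date }}', {'d': datetime(2008, 1, 1)}, 'Jan. 1, 2008'),
 #Ticket 9520: Make sure |date doesn't blow up on non-dates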
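Review bot: The new cases `join05` to `join08` all render with autoescaping on, so nothing pins what `join` does with an unsafe variable joiner inside `{% autoescape off %}`, where the filter's `conditional_escape(arg)` call still runs while the items are not escaped. A further case (name and expected value to be chosen) such as `'join09': (r'{% autoescape off %}{{ a|join:var }}{% endautoescape %}', {'a': ['alpha', 'beta & me'], 'var': ' & '}, <expected output>)` would make that behaviour an explicit decision. As rendered here, the expected strings for the plain and `mark_safe` joiners are identical and show a bare `&`, which looks like entity decoding by the page rather than the committed values; check them against the repository. `get_filter_tests` starts and ends outside the hunk.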
