
fixed bug with static unicode strings and auto escaping

--HG--
branch : trunk
1 parent 4e6f9a2 commit 9cf9591ef788fcca284d9fc1b4997e2cb888e7f0 @mitsuhiko mitsuhiko committed May 24, 2008
Showing with 34 additions and 22 deletions.
  1. +14 −2 jinja2/compiler.py
  2. +1 −2 jinja2/environment.py
  3. +1 −2 jinja2/filters.py
  4. +1 −1 jinja2/lexer.py
  5. +0 −15 jinja2/nodes.py
  6. +4 −0 tests/test_ext.py
  7. +8 −0 tests/test_filters.py
  8. +5 −0 tests/test_security.py
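--- a/jinja2/compiler.py
+++ b/jinja2/compiler.py
@@ -15,7 +15,7 @@
 from jinja2 import nodes
 from jinja2.visitor import NodeVisitor, NodeTransformer
 from jinja2.exceptions import TemplateAssertionError
-from jinja2.utils import Markup, concat
+from jinja2.utils import Markup, concat, escape
 operators = {
@@ -1062,8 +1062,20 @@ def visit_Output(self, node, frame):
 body = []
 for child in node.nodes:
 try:
- const = unicode(child.as_const())
+ const = child.as_const()
+ except nodes.Impossible:
+ body.append(child)
+ continue
+ try:
+ if self.environment.autoescape:
+ if hasattr(const, '__html__'):
+ const = const.__html__()
+ else:
+ const = escape(const)
+ const = unicode(const)
 except:
+ # if something goes wrong here we evaluate the node
+ # at runtime for easier debugging
 body.append(child)
 continue
 if body and isinstance(body[-1], list):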
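Review bot: The bare `except:` around the new escape/`unicode()` step in `visit_Output` also catches `KeyboardInterrupt` and `SystemExit`, and it hides any failure inside `escape()` itself, so a static string that cannot be escaped at compile time is silently deferred to runtime. Narrowing it to `except Exception:` keeps the documented fallback while letting interpreter-exit signals through. The fallback appends the node unchanged, so its output is escaped only if the runtime path applies autoescaping to it; that is presumably the case, but it is not visible here and is worth pinning with a test. The body of `visit_Output` begins before and continues after the hunk.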
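--- a/jinja2/environment.py
+++ b/jinja2/environment.py
@@ -642,8 +642,7 @@ class TemplateStream(object):
 def __init__(self, gen):
 self._gen = gen
- self._next = gen.next
- self.buffered = False
+ self.disable_buffering()
 def disable_buffering(self):
 """Disable the output buffering."""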
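Review bot: `__init__` no longer assigns `self._next` and `self.buffered` itself and relies on `disable_buffering()` to create both, which is not obvious at the call site and makes construction depend on a method a subclass may override. A short comment on the new line would help, e.g. `# initialises self._next and self.buffered`. The body of `disable_buffering` lies outside the hunk, so this assumes it sets both attributes.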
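--- a/jinja2/filters.py
+++ b/jinja2/filters.py
@@ -578,8 +578,7 @@ def do_groupby(environment, value, attribute):
 class _GroupTuple(tuple):
 __slots__ = ()
- grouper = property(itemgetter(0))
- list = property(itemgetter(1))
+ grouper, list = (property(itemgetter(x)) for x in xrange(2))
 def __new__(cls, (key, value)):
 return tuple.__new__(cls, (key, list(value)))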
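Review bot: Style: unpacking a generator expression over `xrange(2)` into `grouper, list` saves one line but hides which tuple index backs which property in `_GroupTuple`. The two explicit assignments, `grouper = property(itemgetter(0))` and `list = property(itemgetter(1))`, read more directly and do not depend on the unpacking order.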
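--- a/jinja2/lexer.py
+++ b/jinja2/lexer.py
@@ -195,7 +195,7 @@ def next_if(self, expr):
 return self.next()
 def skip_if(self, expr):
- """Like `next_if` but only returns `True` or `False`."""
+ """Like :meth:`next_if` but only returns `True` or `False`."""
 return self.next_if(expr) is not None
 def next(self):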
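--- a/jinja2/nodes.py
+++ b/jinja2/nodes.py
@@ -251,21 +251,6 @@ class Output(Stmt):
 """
 fields = ('nodes',)
- def optimized_nodes(self):
- """Try to optimize the nodes."""
- buffer = []
- for node in self.nodes:
- try:
- const = unicode(node.as_const())
- except:
- buffer.append(node)
- else:
- if buffer and isinstance(buffer[-1], unicode):
- buffer[-1] += const
- else:
- buffer.append(const)
- return buffer
-
 class Extends(Stmt):
 """Represents an extends statement."""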
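--- a/tests/test_ext.py
+++ b/tests/test_ext.py
@@ -66,3 +66,7 @@ def test_extension_nodes():
 env = Environment(extensions=[TestExtension])
 tmpl = env.from_string('{% test %}')
 assert tmpl.render() == 'False|42|23|{}'
+
+
+def test_identifier():
+ assert TestExtension.identifier == __name__ + '.TestExtension'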
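--- a/tests/test_filters.py
+++ b/tests/test_filters.py
@@ -308,3 +308,11 @@ def test_replace():
 def test_forceescape(env):
 tmpl = env.from_string('{{ x|forceescape }}')
 assert tmpl.render(x=Markup('<div />')) == u'&lt;div /&gt;'
+
+
+def test_safe():
+ env = Environment(autoescape=True)
+ tmpl = env.from_string('{{ "<div>foo</div>"|safe }}')
+ assert tmpl.render() == '<div>foo</div>'
+ tmpl = env.from_string('{{ "<div>foo</div>" }}')
+ assert tmpl.render() == '&lt;div&gt;foo&lt;/div&gt;'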
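Review bot: `test_safe` only covers `autoescape=True`, so the path where the compiler folds a static string without escaping it is never exercised. Adding the opposite case pins both sides of the fix: `assert Environment(autoescape=False).from_string('{{ "<div>foo</div>" }}').render() == '<div>foo</div>'`. A template that mixes a static string with a runtime variable would also confirm that folded constants and runtime output are escaped consistently.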
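--- a/tests/test_security.py
+++ b/tests/test_security.py
@@ -113,3 +113,8 @@ def __unicode__(self):
 assert Markup(Foo()) == '<em>awesome</em>'
 assert Markup('<strong>%s</strong>') % Foo() == \
 '<strong><em>awesome</em></strong>'
+
+ # escaping and unescaping
+ assert escape('"<>&\'') == '&#34;&lt;&gt;&amp;&#39;'
+ assert Markup("<em>Foo &amp; Bar</em>").striptags() == "Foo & Bar"
+ assert Markup("&lt;test&gt;").unescape() == "<test>"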
