Author: mtredinnick
Date: 2007-11-17 06:12:40 -0600 (Sat, 17 Nov 2007)
New Revision: 6683
Modified:
django/trunk/django/utils/html.py
django/trunk/tests/regressiontests/templates/filters.py
Log:
Fixed some missed auto-escaping and URL quoting cases in the urlize filter.
Modified: django/trunk/django/utils/html.py
===================================================================
--- django/trunk/django/utils/html.py 2007-11-17 12:12:18 UTC (rev 6682)
+++ django/trunk/django/utils/html.py 2007-11-17 12:12:40 UTC (rev 6683)
@@ -6,6 +6,7 @@
from django.utils.safestring import SafeData, mark_safe
from django.utils.encoding import force_unicode
from django.utils.functional import allow_lazy
+from django.utils.http import urlquote
# Configuration for urlize() function
LEADING_PUNCTUATION = ['(', '<', '<']
@@ -101,14 +102,24 @@
if middle.startswith('www.') or ('@' not in middle and not
middle.startswith('http://') and \
len(middle) > 0 and middle[0] in string.letters +
string.digits and \
(middle.endswith('.org') or middle.endswith('.net') or
middle.endswith('.com'))):
- middle = '<a href="http://%s"%s>%s</a>' % (middle,
nofollow_attr, trim_url(middle))
+ middle = '<a href="http://%s"%s>%s</a>' % (
+ urlquote(middle, safe='/&=:;#?+'), nofollow_attr,
+ trim_url(middle))
if middle.startswith('http://') or middle.startswith('https://'):
- middle = '<a href="%s"%s>%s</a>' % (middle, nofollow_attr,
trim_url(middle))
- if '@' in middle and not middle.startswith('www.') and not ':' in
middle \
- and simple_email_re.match(middle):
+ middle = '<a href="%s"%s>%s</a>' % (
+ urlquote(middle, safe='/&=:;#?+'), nofollow_attr,
+ trim_url(middle))
+ if '@' in middle and not middle.startswith('www.') and \
+ not ':' in middle and simple_email_re.match(middle):
middle = '<a href="mailto:%s">%s</a>' % (middle, middle)
if lead + middle + trail != word:
words[i] = lead + middle + trail
+ elif autoescape and not safe_input:
+ words[i] = escape(word)
+ elif safe_input:
+ words[i] = mark_safe(word)
+ elif autoescape:
+ words[i] = escape(word)
return u''.join(words)
urlize = allow_lazy(urlize, unicode)
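Review bot: The visible anchor text is still emitted unescaped: the `www.` and `http(s)://` branches now percent-encode `middle` for the href but pass `trim_url(middle)` into the markup as-is, and `lead`/`trail` are concatenated raw on the `words[i] = lead + middle + trail` line, so with `autoescape` on and unsafe input a token whose URL part contains `<` or `"` gets a safe href but literal markup in the link text (assuming the punctuation split above the hunk leaves such characters in `middle`). The rewrite below builds the URL and text first and applies to them the same conditional `escape()` that the new `elif` branches apply to non-link words, using a local `attrs` so the mailto branch still carries no `rel="nofollow"`. Separately, the final `elif autoescape:` branch is unreachable — when `autoescape and not safe_input` is false and `safe_input` is false, `autoescape` is false — and can be dropped. Note that `&` is in the `safe` set and so is emitted raw inside the href attribute, which the urlizetrunc cases pin; entity-escaping the href as well would be a deliberate behaviour change. The `for` loop and the derivation of `lead`, `middle` and `trail` start above the hunk.
```python
            # … unchanged: lead/middle/trail split above the hunk …
            url = None
            attrs = nofollow_attr
            if middle.startswith('www.') or ('@' not in middle and not middle.startswith('http://') and
                    len(middle) > 0 and middle[0] in string.letters + string.digits and
                    (middle.endswith('.org') or middle.endswith('.net') or middle.endswith('.com'))):
                url = 'http://%s' % urlquote(middle, safe='/&=:;#?+')
                text = trim_url(middle)
            elif middle.startswith('http://') or middle.startswith('https://'):
                url = urlquote(middle, safe='/&=:;#?+')
                text = trim_url(middle)
            elif '@' in middle and not middle.startswith('www.') and \
                    not ':' in middle and simple_email_re.match(middle):
                url, text, attrs = 'mailto:%s' % middle, middle, ''
            if url is not None:
                if autoescape and not safe_input:
                    # The href is percent-encoded, but the visible text and the
                    # surrounding punctuation go into the markup verbatim: escape
                    # them the same way non-link words are escaped below.
                    lead, trail = escape(lead), escape(trail)
                    text = escape(text)
                middle = '<a href="%s"%s>%s</a>' % (url, attrs, text)
            # … unchanged: words[i] assignment and the trailing elif branches …
```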
Modified: django/trunk/tests/regressiontests/templates/filters.py
===================================================================
--- django/trunk/tests/regressiontests/templates/filters.py 2007-11-17
12:12:18 UTC (rev 6682)
+++ django/trunk/tests/regressiontests/templates/filters.py 2007-11-17
12:12:40 UTC (rev 6683)
@@ -94,6 +94,11 @@
'filter-urlize03': ('{% autoescape off %}{{ a|urlize }}{%
endautoescape %}', {"a": mark_safe("a & b")}, 'a & b'),
'filter-urlize04': ('{{ a|urlize }}', {"a": mark_safe("a & b")},
'a & b'),
+ # This will lead to a nonsense result, but at least it won't be
+ # exploitable for XSS purposes when auto-escaping is on.
+ 'filter-urlize05': ('{% autoescape off %}{{ a|urlize }}{%
endautoescape %}', {"a": "<script>alert('foo')</script>"},
"<script>alert('foo')</script>"),
+ 'filter-urlize06': ('{{ a|urlize }}', {"a":
"<script>alert('foo')</script>"},
'<script>alert('foo')</script>'),
+
'filter-urlizetrunc01': ('{% autoescape off %}{{ a|urlizetrunc:"8" }}
{{ b|urlizetrunc:"8" }}{% endautoescape %}', {"a": "http://example.com/x=&y=",
"b": mark_safe("http://example.com?x=&y=")}, u'<a
href="http://example.com/x=&y=" rel="nofollow">http:...</a> <a
href="http://example.com?x=&y=" rel="nofollow">http:...</a>'),
'filter-urlizetrunc02': ('{{ a|urlizetrunc:"8" }} {{ b|urlizetrunc:"8"
}}', {"a": "http://example.com/x=&y=", "b":
mark_safe("http://example.com?x=&y=")}, u'<a href="http://example.com/x=&y="
rel="nofollow">http:...</a> <a href="http://example.com?x=&y="
rel="nofollow">http:...</a>'),
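Review bot: Neither added case exercises the `urlquote()` call the commit introduces — `<script>alert('foo')</script>` contains no `.`, `@` or `:` and so, judging by the urlize branches in html.py (outside this file), presumably never reaches the anchor-building code, leaving the new href quoting pinned only indirectly by the `&` in the urlizetrunc cases, which is in the `safe` set and therefore unaffected. A case such as `'filter-urlize07': ('{{ a|urlize }}', {"a": 'http://example.com/a"b'}, ...)` asserting that `"` appears percent-encoded in the href and entity-escaped in the link text would pin both halves of the fix. The expected strings as shown on this page (`'a & b'`, and `'<script>alert('foo')</script>'` for the auto-escaped urlize06) appear to have been entity-decoded by the rendering — the real assertions presumably contain `&amp;`/`&lt;` — so they should not be read literally.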