Author: mtredinnick
Date: 2007-11-19 19:37:16 -0600 (Mon, 19 Nov 2007)
New Revision: 6704

Modified:
   django/trunk/django/views/debug.py
Log:
Fixed #5974 -- Added autoescaping for source code lines and local variables in
technical debug page.


Modified: django/trunk/django/views/debug.py
===================================================================
--- django/trunk/django/views/debug.py  2007-11-20 01:37:01 UTC (rev 6703)
+++ django/trunk/django/views/debug.py  2007-11-20 01:37:16 UTC (rev 6704)
@@ -422,11 +422,11 @@
           {% if frame.context_line %}
             <div class="context" id="c{{ frame.id }}">
               {% if frame.pre_context %}
-                <ol start="{{ frame.pre_context_lineno }}" class="pre-context" 
id="pre{{ frame.id }}">{% for line in frame.pre_context %}<li 
onclick="toggle('pre{{ frame.id }}', 'post{{ frame.id }}')">{{ line }}</li>{% 
endfor %}</ol>
+                <ol start="{{ frame.pre_context_lineno }}" class="pre-context" 
id="pre{{ frame.id }}">{% for line in frame.pre_context %}<li 
onclick="toggle('pre{{ frame.id }}', 'post{{ frame.id }}')">{{ line|escape 
}}</li>{% endfor %}</ol>
               {% endif %}
-              <ol start="{{ frame.lineno }}" class="context-line"><li 
onclick="toggle('pre{{ frame.id }}', 'post{{ frame.id }}')">{{ 
frame.context_line }} <span>...</span></li></ol>
+              <ol start="{{ frame.lineno }}" class="context-line"><li 
onclick="toggle('pre{{ frame.id }}', 'post{{ frame.id }}')">{{ 
frame.context_line|escape }} <span>...</span></li></ol>
               {% if frame.post_context %}
-                <ol start='{{ frame.lineno|add:"1" }}' class="post-context" 
id="post{{ frame.id }}">{% for line in frame.post_context %}<li 
onclick="toggle('pre{{ frame.id }}', 'post{{ frame.id }}')">{{ line }}</li>{% 
endfor %}</ol>
+                <ol start='{{ frame.lineno|add:"1" }}' class="post-context" 
id="post{{ frame.id }}">{% for line in frame.post_context %}<li 
onclick="toggle('pre{{ frame.id }}', 'post{{ frame.id }}')">{{ line|escape 
}}</li>{% endfor %}</ol>
               {% endif %}
             </div>
           {% endif %}
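Review bot: The `onclick="toggle('pre{{ frame.id }}', 'post{{ frame.id }}')"` and `id="pre{{ frame.id }}"` / `id="post{{ frame.id }}"` attributes in all three `<ol>` elements of this hunk still interpolate `frame.id` without a filter, and since that value lands inside a JavaScript string literal inside an attribute, `|escape` would not be the right tool there anyway. That is safe only if `frame.id` is guaranteed numeric, which this hunk does not show; the frame dicts are built outside it. A comment at the point where the frame dicts are constructed, `# 'id' must remain an int: it is interpolated unfiltered into onclick/id attributes of the debug template`, would pin that invariant for the next person who touches it. The same applies to `frame.pre_context_lineno` and `frame.lineno` in the `start` attributes, though those read as line numbers.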
@@ -445,8 +445,8 @@
               <tbody>
                 {% for var in frame.vars|dictsort:"0" %}
                   <tr>
-                    <td>{{ var.0 }}</td>
-                    <td class="code"><div>{{ var.1|pprint }}</div></td>
+                    <td>{{ var.0|escape }}</td>
+                    <td class="code"><div>{{ var.1|pprint|escape }}</div></td>
                   </tr>
                 {% endfor %}
               </tbody>
@@ -466,7 +466,7 @@
 {% for frame in frames %}
   File "{{ frame.filename }}" in {{ frame.function }}<br/>
   {% if frame.context_line %}
-    &nbsp;&nbsp;{{ frame.lineno }}. {{ frame.context_line }}<br/>
+    &nbsp;&nbsp;{{ frame.lineno }}. {{ frame.context_line|escape }}<br/>
   {% endif %}
 {% endfor %}<br/>
 &nbsp;&nbsp;{{ exception_type }} at {{ request.path|escape }}<br/>
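Review bot: `frame.filename` and `frame.function` on the `File "{{ frame.filename }}" in {{ frame.function }}<br/>` line and `exception_type` on the last line of this hunk are still rendered unfiltered, while `frame.context_line` right next to them now gets `|escape`. The filenames and function names appear to come from the same source files whose lines this commit decided to treat as untrusted, so the plain-text copy of the traceback is now inconsistent with the HTML one above it. Changing the line to `File "{{ frame.filename|escape }}" in {{ frame.function|escape }}<br/>` and the last line to `&nbsp;&nbsp;{{ exception_type|escape }} at {{ request.path|escape }}<br/>` keeps the two renderings in step. The template string this hunk belongs to begins and ends outside the hunk.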

