Author: mtredinnick
Date: 2008-08-26 02:56:32 -0500 (Tue, 26 Aug 2008)
New Revision: 8577

Modified:
   django/trunk/django/template/defaultfilters.py
   django/trunk/tests/regressiontests/templates/filters.py
Log:
Fixed #7177 -- Added extra robustness to the escapejs filter so that all
invalid characters are correctly escaped. This avoids any chance to inject raw
HTML inside <script> tags. Thanks to Mike Wiacek for the patch and Collin Grady
for the tests.


Modified: django/trunk/django/template/defaultfilters.py
===================================================================
--- django/trunk/django/template/defaultfilters.py      2008-08-26 07:43:59 UTC 
(rev 8576)
+++ django/trunk/django/template/defaultfilters.py      2008-08-26 07:56:32 UTC 
(rev 8577)
@@ -62,20 +62,24 @@
 capfirst.is_safe=True
 capfirst = stringfilter(capfirst)
 
-_js_escapes = (
-    ('\\', '\\\\'),
-    ('"', '\\"'),
-    ("'", "\\'"),
-    ('\n', '\\n'),
-    ('\r', '\\r'),
-    ('\b', '\\b'),
-    ('\f', '\\f'),
-    ('\t', '\\t'),
-    ('\v', '\\v'),
-    ('</', '<\\/'),
+_base_js_escapes = (
+    ('\\', r'\x5C'),
+    ('\'', r'\x27'),
+    ('"', r'\x22'),
+    ('>', r'\x3E'),
+    ('<', r'\x3C'),
+    ('&', r'\x26'),
+    ('=', r'\x3D'),
+    ('-', r'\x2D'),
+    (';', r'\x3B')
 )
+
+# Escape every ASCII character with a value less than 32.
+_js_escapes = (_base_js_escapes +
+               tuple([('%c' % z, '\\x%02X' % z) for z in range(32)]))
+
 def escapejs(value):
-    """Backslash-escapes characters for use in JavaScript strings."""
+    """Hex encodes characters for use in JavaScript strings."""
     for bad, good in _js_escapes:
         value = value.replace(bad, good)
     return value
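Review bot: The new hex table still leaves the Unicode line terminators U+2028 and U+2029 unescaped, and JavaScript treats both as line breaks inside a string literal, so a unicode `value` carrying either would end the literal early in the same way the `\r`/`\n` handled here would; adding `(u'\u2028', r'\u2028'), (u'\u2029', r'\u2029')` to `_base_js_escapes` closes that gap. Separately, the sequential `replace` loop is order-dependent: every replacement value begins with a backslash, so the `('\\', r'\x5C')` entry is only correct while it stays first in the tuple, otherwise output from it would be re-escaped by later entries; a comment such as `# Backslash must be escaped first: every other replacement emits one.` above `_base_js_escapes` would protect that invariant. `escapejs` itself is complete within the hunk.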

Modified: django/trunk/tests/regressiontests/templates/filters.py
===================================================================
--- django/trunk/tests/regressiontests/templates/filters.py     2008-08-26 
07:43:59 UTC (rev 8576)
+++ django/trunk/tests/regressiontests/templates/filters.py     2008-08-26 
07:56:32 UTC (rev 8577)
@@ -262,5 +262,8 @@
         'autoescape-stringfilter02': (r'{% autoescape off %}{{ unsafe|capfirst 
}}{% endautoescape %}', {'unsafe': UnsafeClass()}, 'You & me'),
         'autoescape-stringfilter03': (r'{{ safe|capfirst }}', {'safe': 
SafeClass()}, 'You &gt; me'),
         'autoescape-stringfilter04': (r'{% autoescape off %}{{ safe|capfirst 
}}{% endautoescape %}', {'safe': SafeClass()}, 'You &gt; me'),
+
+        'escapejs01': (r'{{ a|escapejs }}', {'a': 'testing\r\njavascript 
\'string" <b>escaping</b>'}, 'testing\\x0D\\x0Ajavascript \\x27string\\x22 
\\x3Cb\\x3Eescaping\\x3C/b\\x3E'),
+        'escapejs02': (r'{% autoescape off %}{{ a|escapejs }}{% endautoescape 
%}', {'a': 'testing\r\njavascript \'string" <b>escaping</b>'}, 
'testing\\x0D\\x0Ajavascript \\x27string\\x22 \\x3Cb\\x3Eescaping\\x3C/b\\x3E'),
     }
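Review bot: Neither new case exercises a backslash in the input, which is the one character whose result depends on the order of `_js_escapes`; a third case such as `'escapejs03': (r'{{ a|escapejs }}', {'a': 'back\\slash'}, 'back\\x5Cslash'),` would pin that a literal backslash becomes `\x5C` exactly once rather than being re-escaped by later table entries. The enclosing dict starts outside the hunk.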
 

