Escaping of JSON attributes and CVE-2024-42005

Hi! Regarding the .values() problem with JSON fields, has anyone as of yet thought about how escaping of attribute names in JSON fields is supposed to work? We are using a JSON field to store user-defined extension fields. So say the user wants a "foo" text field. Then we'd store: o.data =

Re: Cross-DB JSONField ready for review

fredag den 2. august 2019 kl. 13.46.46 UTC+2 skrev Sage M.A.: > > As a follow-up to this message > > and this ticket , I have > completed the implementation of a cross-

NULLs taking up space in foreign key indexes

Hi! I recently noticed that the default indexes that Django generates for foreign keys also index NULL values, at least for PostgreSQL. Is this on purpose? >From my digging, it looks like PostgreSQL used to exclude NULL values from the index, but not since some years. It's relatively easy to s

Annotate after filter joins - is this a bug?

Hi! I was reading the ORM documentation about annotate and aliases. Given class Paper(models.Model): pass class Author(models.Model): paper = models.ForeignKey(Paper, on_delete=models.CASCADE) name = models.CharField(max_length=100) and the query Paper.objects.filter(author_

Re: QueryDict and ordering

2018-01-05 19:24 GMT+01:00 Tim Graham : > Preservation of dict ordering is guaranteed in Python 3.7+ so that > officially fixes this, correct? > https://mail.python.org/pipermail/python-dev/2017-December/151283.html Sure, I can wait for that. Sorry for the noise, I should read that list more often

Re: QueryDict and ordering

2018-01-05 17:12 GMT+01:00 Tim Graham : > Hi, Did you try writing a patch? I naively tried "class > MultiValueDict(OrderedDict):" as the only change and it doesn't pass the > tests. Perhaps more adaptations are required. Tried just now, and yeah it takes a little more adaptation. MultiValueDict is

QueryDict and ordering

Hi! Would it be possible to derive QueryDict (i.e. MultiValueDict) from an OrderedDict instead of dict? I'm finding it increasingly irritating that the original order is kept by the whole stack right until Django puts it into a dict. It makes some highly dynamic form situations more tedious to

Re: django.core.signing and safe characters

2017-06-21 15:26 GMT+02:00 Florian Apolloner : > Sorry I've mixed it up with with encodeURI. encodeURIComponent takes the > "safe" route and escapes everything (at least as far as I understand it) > because it does not know where the component (unless "component" itself has > a sepcific meaning tha

Re: django.core.signing and safe characters

Hi again! I'm sorry if I gave the impression that I'm trying to nitpick adherence to a standard. There was some discussion about it in the comments in the link I provided, and it looks like there are different interpretations, but that's not what I'm interested in. What I'm addressing here is spe

django.core.signing and safe characters

Hi! Maybe this has no practical implications, but this has been bugging me for a couple of years now, ever since I started using django.core.signing to generate tokens: if you take a look at https://github.com/django/django/blob/master/django/core/signing.py the comment at the top says T

Re: A.objects.getdefault

On Friday, October 12, 2012 3:35:53 PM UTC+2, Chris Wilson wrote: > > I'm strongly in favour of a simple, obvious way to do the common thing, > which is to return None if the object doesn't exist, instead of throwing > an exception. My preferred method names would be .nget(), .get_or_none() > or

Re: A.objects.getdefault

On Tuesday, October 9, 2012 7:15:55 PM UTC+2, ptone wrote: > > Earlier discussion > > https://groups.google.com/forum/?fromgroups=#!topic/django-developers/Saa5nbzqQ2Q > This was the thread I referred to. If was from 2006 and ended up being about something else. > tickets: > https://code.djang

A.objects.getdefault

Hi! What do people think of A.objects.getdefault(slug="hello") # returns None if slug doesn't exist A.objects.getdefault(slug="hello", default=A()) # returns empty object if slug doesn't exist I find that in practice, most of the time it would be better to get None back instead of the Do

Re: Suppressed template errors in admin

On 6 Sep., 09:17, Thomas Guettler wrote: > Ole, can you please set up a a branch at github or bitbucket? Eh, is that not overkill? I don't think discussing this is worth anyone's time. No need to promise anything or elevate this to a Big Decision as long as it's about trivial non-intrusive fixes

Re: Suppressed template errors in admin

On 25 Aug., 06:19, h3 wrote: > I'm not sure suppressing templates errors for the admin is such a > great idea. The suggestion on the table is to fix the couple of places where admin is sloppy and doesn't include all the variables it uses in the context. Normally you don't see this because this ki

Re: Suppressed template errors in admin

On 25 Aug., 01:39, Russell Keith-Magee wrote: > On principle, I have no objection to the idea of making the admin > templates more robust in the presence of TEMPLATE_STRING_IF_INVALID; > adding dummy values in the context sounds like a reasonable approach > -- *if* doing this doesn't undermine bro

Suppressed template errors in admin

Hi! I have a project where setting TEMPLATE_STRING_IF_INVALID has been invaluable in finding problems (for various reasons). The caveat mentioned in the docs don't kick in here because no templates are inherited from elsewhere. Except the admin which unfortunately breaks down in some places. I re

Re: Decision for ticket #6362 - Remove blank spaces with strip when validating the data

On Jul 4, 4:52 pm, Jacob Kaplan-Moss wrote: > On Mon, Jul 4, 2011 at 12:13 AM, Ryan wrote: > > Umm... How about now? > > Sorry, but this isn't going to happen. I left more information on the > ticket:https://code.djangoproject.com/ticket/6362#comment:43. It sounds like you've never been bitten b

Simple suggestion (forms and fields with dynamic parameters)

Hi! I have an application where I need a field for selecting between some predefined options that are dynamic up to the point where the form is instantiated. So I've used a TypedChoiceField and overwritten __init__ on the form (not the field) to set the choices based on a database lookup and some

Need a little help on #6552: admin + GA = broken upstream caching on all pages

Hi! If a core developer would take a look at http://code.djangoproject.com/ticket/6552 and indicate whether the approach is the right one, that would be great. Short version of the story: using django.core.context_processors.auth is the same as saying "all pages depend on who is currently logg

Re: FileFields and file ownership

On Aug 11, 1:39 pm, Ole Laursen wrote: >   1) a convenient file pointer for facilitating the upload machinery >   2) a field for storing a file, just like storing it directly in the > database except we put the data in the file system No conclusion? Here are some options 1. Apply the

Re: FileFields and file ownership

On Aug 12, 5:08 am, Malcolm Tredinnick wrote: > This is an assumption that isn't universally correct and it's > implications appear to be vastly under-appreciated. One of the reasons > we *don't* delete files automatically is that you cannot you know for > certain, given no other information, tha

FileFields and file ownership

Hi! There are a couple of bugs open/closed about what happens when you upload a new file to a file field that already has a file: http://code.djangoproject.com/ticket/11663 http://code.djangoproject.com/ticket/2983 http://code.djangoproject.com/ticket/4339 Progress is currently halted bec

Re: Absolute paths in settings.py

On 30 Okt., 22:55, "Valts Mazurs" <[EMAIL PROTECTED]> wrote: > There should be significantly greater number of Django projects that are > deployed without any fancy stuff involved. > Anyway, if someone wants to deploy his project as egg it would be easy to > just change "PROJECT_DIR =.." as all ot

Absolute paths in settings.py

Hi, There are a couple of things in settings.py that require an absolute path. I don't know about you, but I tend to put all things related to a project in subdirectories under the project directory. Thus all the absolute paths have the same prefix, the project directory. Rather than going trough