Ticket #6049: 6721_tests.diff

tests/regressiontests/templates/filters.py

@@ -12 +12 @@
 from django.utils.tzinfo import LocalTimezone
 from django.utils.safestring import mark_safe
 
+class UnsafeClass:
+    "Class whose __unicode__ returns unsafe html"
+    def __unicode__(self):
+        return u'you & me'
+
+class SafeClass:
+    "Class whose __unicode__ returns html marked as safe"
+    def __unicode__(self):
+        return mark_safe(u'you > me')
+
 # RESULT SYNTAX --
 # 'template_name': ('template contents', 'context dict',
 #                   'expected string output' or Exception class)
@@ -227 +237 @@
         'chaining12': ('{% autoescape off %}{{ a|cut:"b"|safe }}{% endautoescape %}', {"a": "a < b"}, "a < "),
         'chaining13': ('{{ a|safe|force_escape }}', {"a": "a < b"}, "a &lt; b"),
         'chaining14': ('{% autoescape off %}{{ a|safe|force_escape }}{% endautoescape %}', {"a": "a < b"}, "a &lt; b"),
+
+        # Filters decorated with stringfilter still respect is_safe. 
+        'autoescape-stringfilter01': (r'{{ unsafe|capfirst }}', {'unsafe': UnsafeClass()}, 'You &amp; me'),
+        'autoescape-stringfilter02': (r'{% autoescape off %}{{ unsafe|capfirst }}{% endautoescape %}', {'unsafe': UnsafeClass()}, 'You & me'),
+        'autoescape-stringfilter03': (r'{{ safe|capfirst }}', {'safe': SafeClass()}, 'You &gt; me'),
+        'autoescape-stringfilter04': (r'{% autoescape off %}{{ safe|capfirst }}{% endautoescape %}', {'safe': SafeClass()}, 'You &gt; me'),
     }

tests/regressiontests/templates/tests.py

@@ -80 +80 @@
     def __str__(self):
         return u'ŠĐĆŽćžšđ'.encode('utf-8')
 
+class UnsafeClass:
+    "Class whose __unicode__ returns unsafe html"
+    def __unicode__(self):
+        return u'you & me'
+
+class SafeClass:
+    "Class whose __unicode__ returns html marked as safe"
+    def __unicode__(self):
+        return mark_safe(u'you > me')
+
 class Templates(unittest.TestCase):
     def test_loaders_security(self):
         def test_template_sources(path, template_dirs, expected_sources):
@@ -899 +909 @@
 
             # Literal string arguments to filters, if used in the result, are
             # safe.
-            'basic-syntax08': (r'{% autoescape on %}{{ var|default_if_none:" endquote\" hah" }}{% endautoescape %}', {"var": None}, ' endquote" hah'),
+            'autoescape-tag08': (r'{% autoescape on %}{{ var|default_if_none:" endquote\" hah" }}{% endautoescape %}', {"var": None}, ' endquote" hah'),
 
+            # Objects which return safe strings as their __unicode__ method
+            # won't get double-escaped.
+            'autoescape-tag09': (r'{{ unsafe }}', {'unsafe': UnsafeClass()}, 'you & me'),
+            'autoescape-tag10': (r'{{ safe }}', {'safe': SafeClass()}, 'you > me'),
+
             # The "safe" and "escape" filters cannot work due to internal
             # implementation details (fortunately, the (no)autoescape block
             # tags can be used in those cases)

django/template/defaultfilters.py

@@ -25 +25 @@
         if args:
             args = list(args)
             args[0] = force_unicode(args[0])
-        if isinstance(args[0], SafeData) and getattr(func, 'is_safe', False):
-            return mark_safe(func(*args, **kwargs))
+            # If a first argument is a safe string, ensure the is_safe handling
+            # will work as expected.
+            if isinstance(args[0], SafeData) and getattr(func, 'is_safe', False):
+                return mark_safe(func(*args, **kwargs))
         return func(*args, **kwargs)
 
     # Include a reference to the real function (used to check original