cycle tag is not safe

[Stephen Kelly]

In [1]: from django.template import Template, Context
In [3]: t = Template("{% cycle one two as foo %} {% cycle foo %}")
In [5]: c = Context({"one" : "A & B", "two": "C & D"})
In [6]: t.render(c)
Out[6]: u'A & B C & D'

This is likely fixed by using _render_value_in_context() in the implementation of the cycle node render method.

[Matt McClanahan]

I don't see a bug here. You might be misunderstanding how the cycle tag works.

[Stephen Kelly]

It's strange that you don't see the bug. The variable is written to the output unescaped.

What do you think I'm missing about how cycle works?

In [1]: from django.template import Template, Context

In [2]: t = Template("{{ one }}, {{ two }}, {% cycle one two as foo %}, {% cycle foo %}")

In [4]: c = Context({"one": "A & B", "two": "C & D"})

In [5]: t.render(c)
Out[5]: u'A & B, C & D, A & B, C & D'

[Luke Plant]

There is no bug, because the cycle tag is not supposed to escape its output, in common with other template tags. This is clearly explained in ​the documentation.

[Stephen Kelly]

Tests for documented behaviour

[Stephen Kelly]

I have uploaded a new patch for tests of the existing behavior instead of changing it.

[Russell Keith-Magee]

Valid tests for the documented behavior.

[Russell Keith-Magee]

(In [15335]) Fixed #14818 -- Added explicit tests for the way that the cycle tag handles escaping. Thanks to steveire.

[Russell Keith-Magee]

(In [15338]) [1.2.X] Fixed #14818 -- Added explicit tests for the way that the cycle tag handles escaping. Thanks to steveire.

Backport of r15335 from trunk.