Commit ec371ace authored by Baptiste Mispelon's avatar Baptiste Mispelon

Fixed #20650 -- Fixed {% filter %} incorrectly accepting 'escape' as argument

Thanks to grzesiof for the report and to loic84 and Alex Gaynor
for the review.
parent b9178791
+1 −0
@@ -1101,6 +1101,7 @@ class Library(object):
                    # for decorators that need it e.g. stringfilter
                    if hasattr(filter_func, "_decorated_function"):
                        setattr(filter_func._decorated_function, attr, value)
            filter_func._filter_name = name
            return filter_func
        else:
            raise InvalidTemplateLibrary("Unsupported arguments to "
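Review bot: `filter_func._filter_name = name` stores the registered name on the function object itself, so registering the same callable a second time under another name overwrites the first value and the last registration wins. The `do_filter` check added in this commit reads that attribute, so a callable registered under both `escape` and some alias would presumably be judged only by whichever name was set last. At minimum a comment here should record the coupling, for example `# do_filter() relies on this to reject escape/safe; last registration wins`. The enclosing `filter` method starts and ends outside this hunk, so how other registration paths set the attribute cannot be confirmed from here.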
+3 −2
@@ -665,8 +665,9 @@ def do_filter(parser, token):
    _, rest = token.contents.split(None, 1)
    filter_expr = parser.compile_filter("var|%s" % (rest))
    for func, unused in filter_expr.filters:
        if getattr(func, '_decorated_function', func).__name__ in ('escape', 'safe'):
            raise TemplateSyntaxError('"filter %s" is not permitted.  Use the "autoescape" tag instead.' % func.__name__)
        filter_name = getattr(func, '_filter_name', None)
        if filter_name in ('escape', 'safe'):
            raise TemplateSyntaxError('"filter %s" is not permitted.  Use the "autoescape" tag instead.' % filter_name)
    nodelist = parser.parse(('endfilter',))
    parser.delete_first_token()
    return FilterNode(filter_expr, nodelist)
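Review bot: The new check in `do_filter` passes silently for any filter function that carries no `_filter_name`, because `getattr(func, '_filter_name', None)` returns None and None is not in `('escape', 'safe')`. A filter that reaches `filter_expr.filters` without having been through the registration code that sets the attribute would therefore no longer be rejected, whereas the previous test on the function's `__name__` still covered it. Since this is a guardrail on escaping behaviour, consider keeping the old lookup as a fallback: `filter_name = getattr(func, '_filter_name', None) or getattr(func, '_decorated_function', func).__name__`. `do_filter` begins above this hunk.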
+4 −0
@@ -854,6 +854,10 @@ class TemplateTests(TransRealMixin, TestCase):
            'filter02': ('{% filter upper %}django{% endfilter %}', {}, 'DJANGO'),
            'filter03': ('{% filter upper|lower %}django{% endfilter %}', {}, 'django'),
            'filter04': ('{% filter cut:remove %}djangospam{% endfilter %}', {'remove': 'spam'}, 'django'),
            'filter05': ('{% filter safe %}fail{% endfilter %}', {}, template.TemplateSyntaxError),
            'filter05bis': ('{% filter upper|safe %}fail{% endfilter %}', {}, template.TemplateSyntaxError),
            'filter06': ('{% filter escape %}fail{% endfilter %}', {}, template.TemplateSyntaxError),
            'filter06bis': ('{% filter upper|escape %}fail{% endfilter %}', {}, template.TemplateSyntaxError),

            ### FIRSTOF TAG ###########################################################
            'firstof01': ('{% firstof a b c %}', {'a':0,'b':0,'c':0}, ''),
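Review bot: The added `filter05`–`filter06bis` cases cover only the stock `safe` and `escape` filters, so the new `_filter_name` attribute is tested only through whatever the default library happens to register. A case that registers one callable under two names, and another with a filter function that lacks `_filter_name`, would pin down how `{% filter %}` is expected to behave when the attribute is overwritten or missing. It would also help to assert on the error message, since the changed code now formats it with the registered name rather than `func.__name__`.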