Fixed #24464 -- Made built-in HTML template filter functions escape their input by default.

@register.filter(is_safe=True, needs_autoescape=True)

@stringfilter

def linenumbers(value, autoescape=None):

def linenumbers(value, autoescape=True):

    """Displays text with line numbers."""

    lines = value.split('\n')

    # Find the maximum width of the line count, for use with zero padding

@register.filter(is_safe=True, needs_autoescape=True)

@stringfilter

def urlize(value, autoescape=None):

def urlize(value, autoescape=True):

    """Converts URLs in plain text into clickable links."""

    return mark_safe(_urlize(value, nofollow=True, autoescape=autoescape))

@register.filter(is_safe=True, needs_autoescape=True)

@stringfilter

def urlizetrunc(value, limit, autoescape=None):

def urlizetrunc(value, limit, autoescape=True):

    """

    Converts URLs into clickable links, truncating URLs to the given character

    limit, and adding 'rel=nofollow' attribute to discourage spamming.

@register.filter("linebreaks", is_safe=True, needs_autoescape=True)

@stringfilter

def linebreaks_filter(value, autoescape=None):

def linebreaks_filter(value, autoescape=True):

    """

    Replaces line breaks in plain text with appropriate HTML; a single

    newline becomes an HTML line break (``<br />``) and a new line

@register.filter(is_safe=True, needs_autoescape=True)

@stringfilter

def linebreaksbr(value, autoescape=None):

def linebreaksbr(value, autoescape=True):

    """

    Converts all newlines in a piece of plain text to HTML line breaks

    (``<br />``).

@register.filter(is_safe=True, needs_autoescape=True)

def join(value, arg, autoescape=None):

def join(value, arg, autoescape=True):

    """

    Joins a list with a string, like Python's ``str.join(list)``.

    """

@register.filter(is_safe=True, needs_autoescape=True)

def unordered_list(value, autoescape=None):

def unordered_list(value, autoescape=True):

    """

    Recursively takes a self-nested list and returns an HTML unordered list --

    WITHOUT opening and closing <ul> tags.

   (If you don't specify this flag, it defaults to ``False``). This flag tells

   Django that your filter function wants to be passed an extra keyword

   argument, called ``autoescape``, that is ``True`` if auto-escaping is in

   effect and ``False`` otherwise.

   effect and ``False`` otherwise. It is recommended to set the default of the

   ``autoescape`` parameter to ``True``, so that if you call the function

   from Python code it will have escaping enabled by default.

   For example, let's write a filter that emphasizes the first character of

   a string::

      register = template.Library()

      @register.filter(needs_autoescape=True)

      def initial_letter_filter(text, autoescape=None):

      def initial_letter_filter(text, autoescape=True):

          first, other = text[0], text[1:]

          if autoescape:

              esc = conditional_escape

.. warning:: Avoiding XSS vulnerabilities when reusing built-in filters

    Be careful when reusing Django's built-in filters. You'll need to pass

    ``autoescape=True`` to the filter in order to get the proper autoescaping

    behavior and avoid a cross-site script vulnerability.

    .. versionchanged:: 1.8

    Django's built-in filters have ``autoescape=True`` by default in order to

    get the proper autoescaping behavior and avoid a cross-site script

    vulnerability.

    In older versions of Django, be careful when reusing Django's built-in

    filters as ``autoescape`` defaults to ``None``. You'll need to pass

    ``autoescape=True`` to get autoescaping.

    For example, if you wanted to write a custom filter called

    ``urlize_and_linebreaks`` that combined the :tfilter:`urlize` and

        from django.template.defaultfilters import linebreaksbr, urlize

        @register.filter

        def urlize_and_linebreaks(text):

            return linebreaksbr(urlize(text, autoescape=True), autoescape=True)

        @register.filter(needs_autoescape=True)

        def urlize_and_linebreaks(text, autoescape=True):

            return linebreaksbr(

                urlize(text, autoescape=autoescape),

                autoescape=autoescape

            )

    Then:

  now takes a second argument named ``obj_id`` which is the serialized

  identifier used to retrieve the object before deletion.

Default autoescaping of functions in ``django.template.defaultfilters``

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

In order to make built-in template filters that output HTML "safe by default"

when calling them in Python code, the following functions in

``django.template.defaultfilters`` have been changed to automatically escape

their input value:

* ``join``

* ``linebreaksbr``

* ``linebreaks_filter``

* ``linenumbers``

* ``unordered_list``

* ``urlize``

* ``urlizetrunc``

You can revert to the old behavior by specifying ``autoescape=False`` if you

are passing trusted content. This change doesn't have any effect when using

the corresponding filters in templates.

Miscellaneous

~~~~~~~~~~~~~

    def test_list(self):

        self.assertEqual(join([0, 1, 2], 'glue'), '0glue1glue2')

    def test_autoescape(self):

        self.assertEqual(

            join(['<a>', '<img>', '</a>'], '<br>'),

            '<a><br><img><br></a>',

        )

    def test_autoescape_off(self):

        self.assertEqual(

            join(['<a>', '<img>', '</a>'], '<br>', autoescape=False),

            '<a>&lt;br&gt;<img>&lt;br&gt;</a>',

        )

    def test_non_string_input(self):

        self.assertEqual(linebreaks_filter(123), '<p>123</p>')

    def test_autoescape(self):

        self.assertEqual(

            linebreaks_filter('foo\n<a>bar</a>\nbuz'),

            '<p>foo<br />&lt;a&gt;bar&lt;/a&gt;<br />buz</p>',

        )

    def test_autoescape_off(self):

        self.assertEqual(

            linebreaks_filter('foo\n<a>bar</a>\nbuz', autoescape=False),

            '<p>foo<br /><a>bar</a><br />buz</p>',

        )