Mark rendered output from template tags as safe.

Review Request #10485 — Created April 1, 2019 and submitted — Latest diff uploaded

Information

Review Board
release-4.0.x

Modern versions of Django distrust template tag output by default,
requiring instead that they mark their content as safe. This reduces the
chance of security problems from template tags that aren't intended to
produce HTML content.

To provide compatibility with both Django 1.6 and 1.11, we now mark
rendered content from all template tags as safe. Template tags that call
out to other render functions rely on the safety of those functions, so
there may still be some that need to be fixed in future changes.

Unit tests pass.

Diff Revision 1 (Latest)

Commits

Summary / ID / Author
Mark rendered output from template tags as safe.
0ea16574019544008a16b8fd6556407a5f36e6a0 Christian Hammond
reviewboard/diffviewer/templatetags/difftags.py
Revision d1328474cef6a628b792b7212f2da40c52551c29 New Change
373 lines
def diff_lines(index, chunk, standalone, line_fmt, anchor_fmt='',
374
            'moved_to_html': moved_to_html,
374
            'moved_to_html': moved_to_html,
375
        })
375
        })
376

    
   
376

   
377
        result.append(line_fmt % context)
377
        result.append(line_fmt % context)
378

    
   
378

   
379
    return ''.join(result)
379
    return mark_safe(''.join(result))
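Review bot: Wrapping the joined result in `mark_safe` at the `return` line switches off autoescaping for the entire rendered output, so every value interpolated through `result.append(line_fmt % context)` (for example the `'moved_to_html': moved_to_html` context entry shown above) must already be escaped or marked safe before it reaches this point; the hunk does not show where those context values are built, so please confirm each one is escaped at its source, and also confirm that `mark_safe` is imported from `django.utils.safestring` in difftags.py, since no import appears in this hunk.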
reviewboard/extensions/templatetags/rb_extensions.py
reviewboard/reviews/templatetags/reviewtags.py