Correctly handle safety in TemplateHooks, extension bundles, privacy widget.

Review Request #10643 — Created July 23, 2019 and submitted


Django 1.6 trusted strings coming from template tags, meaning that it
wouldn't escape any content returned. In modern versions, it no longer
trusts unless the string is marked as safe. This broke TemplateHook
rendering and CSS/JS bundles for extensions.

We no longer naively join strings. Instead, we use format_html_join to
merge together any results in a way that guarantees safety of input
strings and the resulting string. This shouldn't impact any extensions,
unless they have a custom TemplateHook that overrides rendering in a
way that does not use templates (in which case, they'll have to update
their code accordingly).

MultiConsentRequirementsWidget has also received the same update,
though it didn't actually have a problem before, as widgets return safe
content. However, if a custom widget were used that did not, it would
benefit from this as well.

Unit tests pass for Django 1.6 and 1.11.
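
The difference between naive joining and `format_html_join` described above, as an added example (not Djblets or Review Board code). The `render_*` helpers and the sample fragments are hypothetical, and when Django is not installed the block falls back to small stand-ins that assume the same escaping semantics.

```python
from html import escape

try:  # Real Django helpers when available.
    from django.utils.html import conditional_escape, format_html_join
    from django.utils.safestring import mark_safe
except ImportError:  # Assumption: stand-ins mirroring Django for the cases below.
    class _Safe(str):
        def __html__(self):
            return self

    def mark_safe(s):
        return _Safe(s)

    def conditional_escape(s):
        return s if hasattr(s, '__html__') else _Safe(escape(str(s)))

    def format_html_join(sep, fmt, args_generator):
        return mark_safe(conditional_escape(sep).join(
            fmt.format(*map(conditional_escape, args))
            for args in args_generator))

# Constructed hook results: one fragment that came from a template (marked
# safe), one built by hand from user data and never marked safe.
TEMPLATE_FRAGMENT = mark_safe('<li class="hook">Dashboard</li>')
RAW_FRAGMENT = 'Hi <script>alert(1)</script>'


def render_naive(results):
    """Naive join: ''.join() returns a plain str, so the safe marking is lost."""
    return ''.join(results)


def render_trusted(results):
    """Blanket mark_safe() on the joined string trusts unescaped input too."""
    return mark_safe(''.join(results))


def render_joined(results):
    """format_html_join escapes only the pieces that are not marked safe."""
    return format_html_join('', '{}', ((r,) for r in results))


def as_template_output(value):
    """What an autoescaping template emits for {{ value }}."""
    return str(conditional_escape(value))
```

`render_naive` reproduces the broken rendering (safe markup gets escaped by the template), `render_trusted` shows why marking the joined string safe is not the fix, and `render_joined` keeps template output intact while escaping the raw fragment.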

  1. Ship It!
Review request changed

Status: Closed (submitted)

Change Summary:

Pushed to release-2.0.x (080996b)