Correctly handle safety in TemplateHooks, extension bundles, privacy widget.
Review Request #10643 — Created July 23, 2019 and submitted — Latest diff uploaded
Django 1.6 trusted strings coming from template tags, meaning that it
wouldn't escape any content returned. In modern versions, it no longer
trusts unless the string is marked as safe. This broke TemplateHook
rendering and CSS/JS bundles for extensions.

We no longer naively join strings. Instead, we use format_html_join to
merge together any results in a way that guarantees safety of input
strings and the resulting string. This shouldn't impact any extensions,
unless they have a custom TemplateHook that overrides rendering in a
way that does not use templates (in which case, they'll have to update
their code accordingly).

MultiConsentRequirementsWidget has also received the same update,
though it didn't actually have a problem before, as widgets return safe
content. However, if a custom widget were used that did not, it would
benefit from this as well.
Unit tests pass for Django 1.6 and 1.11.
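The following is an added, self-contained Python illustration of the failure mode this review request describes and of why format_html_join fixes it. It is not code from this change, from Review Board, or from Django: SafeString, mark_safe, conditional_escape and format_html_join below are small re-implementations that mirror Django's documented semantics (plain str is escaped under autoescape, SafeString passes through, format_html_join conditionally escapes each argument and marks the joined result safe), and the two hook outputs are constructed sample data. render_hooks_naive stands in for the old ''.join() behaviour; render_hooks_safe for the format_html_join approach.

```python
import html


class SafeString(str):
    """Marks content as already-escaped HTML.

    Models django.utils.safestring.SafeString; this is a stand-alone
    re-implementation for the example, not Django's class.
    """
    __slots__ = ()


def mark_safe(value):
    """Wrap a string so autoescaping leaves it alone (models Django's mark_safe)."""
    return value if isinstance(value, SafeString) else SafeString(value)


def conditional_escape(value):
    """Escape unless already marked safe (models Django's conditional_escape)."""
    if isinstance(value, SafeString):
        return value
    return SafeString(html.escape(str(value), quote=True))


def format_html_join(sep, format_string, args_generator):
    """Models django.utils.html.format_html_join.

    Every argument is conditionally escaped, the formatted pieces are joined
    with an escaped separator, and the whole result is marked safe. Safe
    inputs survive untouched; untrusted inputs are escaped exactly once.
    """
    pieces = (
        format_string.format(*tuple(conditional_escape(a) for a in args))
        for args in args_generator
    )
    return mark_safe(conditional_escape(sep).join(pieces))


def autoescape_render(value):
    """What a modern Django template does to a variable under autoescape."""
    return str(conditional_escape(value))


# Constructed sample outputs from two hypothetical hooks: the first came out
# of a template (already safe), the second is a custom hook returning raw,
# untrusted text that must not reach the page unescaped.
HOOK_OUTPUTS = [
    mark_safe('<script src="/static/ext/a.js"></script>'),
    '<img src=x onerror=alert(1)>',
]


def render_hooks_naive(outputs):
    """Old behaviour: str.join() returns a plain str, dropping the safe marker.

    Under autoescape the template then escapes the entire block, which is the
    breakage this change fixes (markup shows up as literal text).
    """
    return ''.join(outputs)


def render_hooks_safe(outputs):
    """Fixed behaviour: safe pieces are kept, unsafe pieces are escaped, and
    the result is a SafeString so the template emits it as markup."""
    return format_html_join('', '{0}', ((o,) for o in outputs))


if __name__ == '__main__':
    print('naive:', autoescape_render(render_hooks_naive(HOOK_OUTPUTS)))
    print('safe: ', autoescape_render(render_hooks_safe(HOOK_OUTPUTS)))
```

Running the block shows the naive join rendering as `&lt;script ...` (the extension's bundle is neutralised), while the format_html_join version emits the script tag intact and escapes only the untrusted hook output. The same property is what the widget change relies on: a custom widget returning a plain str is escaped rather than trusted.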