def test_mark_for_escaping_lazy(self):
s = lazystr('a&b')
b = lazybytes(b'a&b')
self.assertIsInstance(mark_for_escaping(s), EscapeData)
self.assertIsInstance(mark_for_escaping(b), EscapeData)
self.assertRenderEqual('{% autoescape off %}{{ s }}{% endautoescape %}', 'a&b', s=mark_for_escaping(s))
def dropdown_items(self):
submenu_context = [
format_submenu_context(_("Reports"), is_header=True),
format_submenu_context(_("Admin Reports"),
url=reverse("default_admin_report")),
format_submenu_context(_("System Info"),
url=reverse("system_info")),
format_submenu_context(_("Management"), is_header=True),
format_submenu_context(mark_for_escaping(
_("ADM Reports & Columns")),
url=reverse("default_adm_admin_interface")),
# format_submenu_context(mark_for_escaping("HQ Announcements"),
# url=reverse("default_announcement_admin")),
]
try:
submenu_context.append(
format_submenu_context(mark_for_escaping(_("Billing")),
url=reverse("billing_default")))
except Exception:
pass
submenu_context.extend([
format_submenu_context(None, is_divider=True),
format_submenu_context(_("Django Admin"), url="/admin")
])
return submenu_context
def test_mark_for_escaping_lazy(self):
s = lazystr("a&b")
b = lazybytes(b"a&b")
self.assertIsInstance(mark_for_escaping(s), EscapeData)
self.assertIsInstance(mark_for_escaping(b), EscapeData)
self.assertRenderEqual("{% autoescape off %}{{ s }}{% endautoescape %}", "a&b", s=mark_for_escaping(s))
def dropdown_items(self):
submenu_context = [
format_submenu_context(_("Reports"), is_header=True),
format_submenu_context(_("Admin Reports"), url=reverse("default_admin_report")),
format_submenu_context(_("System Info"), url=reverse("system_info")),
format_submenu_context(_("Management"), is_header=True),
format_submenu_context(mark_for_escaping(_("ADM Reports & Columns")),
url=reverse("default_adm_admin_interface")),
format_submenu_context(mark_for_escaping(_("Commands")), url=reverse("management_commands")),
# format_submenu_context(mark_for_escaping("HQ Announcements"),
# url=reverse("default_announcement_admin")),
]
try:
if AccountingTab(self._request, self._current_url_name).is_viewable:
submenu_context.append(format_submenu_context(AccountingTab.title, url=reverse('accounting_default')))
except Exception:
pass
try:
submenu_context.append(format_submenu_context(mark_for_escaping(_("Old SMS Billing")),
url=reverse("billing_default")))
except Exception:
pass
submenu_context.extend([
format_submenu_context(_("SMS Connectivity"), url=reverse("default_sms_admin_interface")),
format_submenu_context(_("Feature Flags"), url=reverse("toggle_list")),
format_submenu_context(None, is_divider=True),
format_submenu_context(_("Django Admin"), url="/admin")
])
return submenu_context
def dropdown_items(self):
submenu_context = [
format_submenu_context(_("Reports"), is_header=True),
format_submenu_context(_("Admin Reports"), url=reverse("default_admin_report")),
format_submenu_context(_("System Info"), url=reverse("system_info")),
format_submenu_context(_("Management"), is_header=True),
format_submenu_context(mark_for_escaping(_("ADM Reports & Columns")),
url=reverse("default_adm_admin_interface")),
format_submenu_context(mark_for_escaping(_("Commands")), url=reverse("management_commands")),
# format_submenu_context(mark_for_escaping("HQ Announcements"),
# url=reverse("default_announcement_admin")),
]
try:
if AccountingTab(self._request, self._current_url_name).is_viewable:
submenu_context.append(format_submenu_context(AccountingTab.title, url=reverse('accounting_default')))
except Exception:
pass
try:
submenu_context.append(format_submenu_context(mark_for_escaping(_("Old SMS Billing")),
url=reverse("billing_default")))
except Exception:
pass
submenu_context.extend([
format_submenu_context(_("SMS Connectivity"), url=reverse("default_sms_admin_interface")),
format_submenu_context(_("Feature Flags"), url=reverse("toggle_list")),
format_submenu_context(None, is_divider=True),
format_submenu_context(_("Django Admin"), url="/admin")
])
return submenu_context
def dropdown_items(self):
submenu_context = [
format_submenu_context(_("Reports"), is_header=True),
format_submenu_context(_("Admin Reports"), url=reverse("default_admin_report")),
format_submenu_context(_("System Info"), url=reverse("system_info")),
format_submenu_context(_("Management"), is_header=True),
format_submenu_context(
mark_for_escaping(_("ADM Reports & Columns")), url=reverse("default_adm_admin_interface")
),
format_submenu_context(mark_for_escaping(_("Commands")), url=reverse("management_commands")),
# format_submenu_context(mark_for_escaping("HQ Announcements"),
# url=reverse("default_announcement_admin")),
]
try:
submenu_context.append(
format_submenu_context(mark_for_escaping(_("Billing")), url=reverse("billing_default"))
)
except Exception:
pass
submenu_context.extend(
[
format_submenu_context(_("SMS Connectivity"), url=reverse("default_sms_admin_interface")),
format_submenu_context(None, is_divider=True),
format_submenu_context(_("Django Admin"), url="/admin"),
]
)
return submenu_context
def make_app_title(cls, app_name, doc_type):
return mark_safe(
"%s%s"
% (
mark_for_escaping(app_name or "(Untitled)"),
mark_for_escaping(" (Remote)" if doc_type == "RemoteApp" else ""),
)
)
def dropdown_items(self):
# todo async refresh submenu when on the applications page and you change the application name
key = [self.domain]
apps = get_db().view(
'app_manager/applications_brief',
reduce=False,
startkey=key,
endkey=key + [{}],
stale=settings.COUCH_STALE_QUERY,
).all()
submenu_context = []
if not apps:
return submenu_context
submenu_context.append(
format_submenu_context(_('My Applications'), is_header=True))
for app in apps:
app_info = app['value']
if app_info:
url = reverse('view_app', args=[self.domain, app_info['_id']])
app_name = mark_safe("%s%s" % (
mark_for_escaping(app_info['name'] or '(Untitled)'),
mark_for_escaping(' (Remote)' if app_info['doc_type'] ==
'RemoteApp' else ''),
))
submenu_context.append(
format_submenu_context(app_name, url=url))
if self.couch_user.can_edit_apps():
submenu_context.append(
format_submenu_context(None, is_divider=True))
newapp_options = [
format_submenu_context(None,
html=self._new_app_link(
_('Blank Application'))),
format_submenu_context(
None,
html=self._new_app_link(
_('RemoteApp (Advanced Users Only)'), is_remote=True)),
]
newapp_options.append(
format_submenu_context(
_('Visit CommCare Exchange to copy existing app...'),
url=reverse('appstore')))
submenu_context.append(
format_second_level_context(_('New Application...'), '#',
newapp_options))
return submenu_context
def view_results(request, query):
""" searches welbornprod content and returns the findings. """
# search is okay until it's ran through our little 'gotcha' checker below.
results_list, results_slice = ([], [])
search_warning = searchtools.valid_query(query)
if not search_warning:
# search terms are okay, let's do it.
results_list = searchtools.search_all(query)
results_slice = utilities.slice_list(
results_list,
start=0,
max_items=25)
context = {
'search_warning': search_warning,
'results_list': results_slice,
'query_text': query,
'query_safe': mark_for_escaping(query),
'results_count': len(results_list)
}
return responses.clean_response(
'searcher/results.html',
context=context,
request=request)
def resolve(self, context, ignore_failures=False):
try:
obj = self.var.resolve(context)
except VariableDoesNotExist:
if ignore_failures:
obj = None
else:
if settings.TEMPLATE_STRING_IF_INVALID:
global invalid_var_format_string
if invalid_var_format_string is None:
invalid_var_format_string = '%s' in settings.TEMPLATE_STRING_IF_INVALID
if invalid_var_format_string:
return settings.TEMPLATE_STRING_IF_INVALID % self.var
return settings.TEMPLATE_STRING_IF_INVALID
else:
obj = settings.TEMPLATE_STRING_IF_INVALID
for func, args in self.filters:
arg_vals = []
for lookup, arg in args:
if not lookup:
arg_vals.append(mark_safe(arg))
else:
arg_vals.append(arg.resolve(context))
if getattr(func, 'needs_autoescape', False):
new_obj = func(obj, autoescape=context.autoescape, *arg_vals)
else:
new_obj = func(obj, *arg_vals)
if getattr(func, 'is_safe', False) and isinstance(obj, SafeData):
obj = mark_safe(new_obj)
elif isinstance(obj, EscapeData):
obj = mark_for_escaping(new_obj)
else:
obj = new_obj
return obj
def user_delete(request, up, **kwargs):
# Check we're not doing this from a GET request
if request.method != 'POST':
return direct_to_template(request, 'vns/confirm.html',
{'title': 'Delete user %s' % up.user.username,
'button': 'Delete %s' % up.user.username,
'url': '/user/%s/delete/' % up.user.username})
# Mark the user as retired
user = up.user
un = user.username
on = up.org.name
up.retired = True
up.save()
# Insert journal entries to delete their topologies - the main VNS process
# will delete them if it is safe
for t in db.Topology.objects.filter(owner=up.user):
je = db.JournalTopologyDelete()
je.topology = t
je.save()
messages.success(request, mark_for_escaping("You have successfully deleted %s." % un))
return HttpResponseRedirect('/org/%s/' % on)
def error(field):
if hasattr(field,'errors') and field.errors:
message = u','.join([u'%s' % force_unicode(e) for e in field.errors])
message = mark_for_escaping(message)
else:
return {'message': None}
return {'message': message}
def escape(value):
"""
Marks the value as a string that should not be auto-escaped.
"""
from django.utils.safestring import mark_for_escaping
return mark_for_escaping(value)
def resolve(self, context, ignore_failures=False):
try:
obj = self.var.resolve(context)
except VariableDoesNotExist:
if ignore_failures:
obj = None
else:
if settings.TEMPLATE_STRING_IF_INVALID:
global invalid_var_format_string
if invalid_var_format_string is None:
invalid_var_format_string = '%s' in settings.TEMPLATE_STRING_IF_INVALID
if invalid_var_format_string:
return settings.TEMPLATE_STRING_IF_INVALID % self.var
return settings.TEMPLATE_STRING_IF_INVALID
else:
obj = settings.TEMPLATE_STRING_IF_INVALID
for func, args in self.filters:
arg_vals = []
for lookup, arg in args:
if not lookup:
arg_vals.append(mark_safe(arg))
else:
arg_vals.append(arg.resolve(context))
if getattr(func, 'needs_autoescape', False):
new_obj = func(obj, autoescape=context.autoescape, *arg_vals)
else:
new_obj = func(obj, *arg_vals)
if getattr(func, 'is_safe', False) and isinstance(obj, SafeData):
obj = mark_safe(new_obj)
elif isinstance(obj, EscapeData):
obj = mark_for_escaping(new_obj)
else:
obj = new_obj
return obj
def test_mark_for_escaping_object_implementing_dunder_html(self):
e = customescape('<a&b>')
s = mark_for_escaping(e)
self.assertIs(s, e)
self.assertRenderEqual('{{ s }}', '<<a&b>>', s=s)
self.assertRenderEqual('{{ s|force_escape }}', '<a&b>', s=s)
def test_mark_for_escaping_object_implementing_dunder_html(self):
e = customescape("<a&b>")
s = mark_for_escaping(e)
self.assertIs(s, e)
self.assertRenderEqual("{{ s }}", "<<a&b>>", s=s)
self.assertRenderEqual("{{ s|force_escape }}", "<a&b>", s=s)
def simpleerror(field):
if hasattr(field,'errors') and field.errors:
message = u','.join([u'%s' % force_unicode(e) for e in field.errors])
message = mark_for_escaping(message)
else:
return False
return message
def test_mark_for_escaping_object_implementing_dunder_html(self):
e = customescape('<a&b>')
s = mark_for_escaping(e)
self.assertIs(s, e)
self.assertRenderEqual('{{ s }}', '<<a&b>>', s=s)
self.assertRenderEqual('{{ s|force_escape }}', '<a&b>', s=s)
def test_mark_for_escaping_object_implementing_dunder_str(self):
class Obj(object):
def __str__(self):
return '<obj>'
s = mark_for_escaping(Obj())
self.assertRenderEqual('{{ s }}', '<obj>', s=s)
def test_mark_for_escaping_object_implementing_dunder_str(self):
class Obj(object):
def __str__(self):
return "<obj>"
s = mark_for_escaping(Obj())
self.assertRenderEqual("{{ s }}", "<obj>", s=s)
def test_mark_for_escaping_object_implementing_dunder_str(self):
class Obj(object):
def __str__(self):
return '<obj>'
s = mark_for_escaping(Obj())
self.assertRenderEqual('{{ s }}', '<obj>', s=s)
def escape_filter(value):
"""
Marks the value as a string that should be auto-escaped.
"""
with warnings.catch_warnings():
# Ignore mark_for_escaping deprecation -- this will use
# conditional_escape() in Django 2.0.
warnings.simplefilter('ignore', category=RemovedInDjango20Warning)
return mark_for_escaping(value)
def escape_filter(value):
"""
Marks the value as a string that should be auto-escaped.
"""
with warnings.catch_warnings():
# Ignore mark_for_escaping deprecation -- this will use
# conditional_escape() in Django 2.0.
warnings.simplefilter('ignore', category=RemovedInDjango20Warning)
return mark_for_escaping(value)
def get_text(request, document_id=""):
''' Return a document via API as plain text
'''
doc = Document.objects.for_slug(document_id)
if not doc:
raise APIError('fail', "Document not found: %s" % document_id)
return dict(
text=mark_for_escaping(
doc.extracted_text),
docslug=unicode(doc.slug))
def _convert_out(v, o=None):
if getattr(filter_func, "is_safe", False) and isinstance(o, SafeData):
v = mark_safe(v)
elif isinstance(o, EscapeData):
v = mark_for_escaping(v)
if isinstance(v, SafeData):
return Markup(v)
if isinstance(v, EscapeData):
return Markup.escape(v) # not 100% equivalent, see mod docs
return v
def render_progress_bar(current,
total=100,
message="%",
bar_type="auto",
striped=False,
active=False):
""" Returns a html code to render a bootstrap progress bar.
Params:
current: current value
total: total value
bar_type: one of info/success/warning/danger or auto or None
striped: if you want striped bars
active: if you want animated bars
"""
if total is None: # unlimited
p = 0.0
total = current
else:
p = int(current * 100 / total)
html_classes = ["progress"]
if striped:
html_classes.append("progress-striped")
if active:
html_classes.append("active")
if bar_type:
if bar_type == "auto":
if p < 50:
bar_type = "info"
elif p < 75:
bar_type = "warning"
else:
bar_type = "danger"
html_classes.append("progress-%s" % bar_type)
if message == '%':
message = "%(current)d of %(total)d" % {
'current': current,
'total': total
}
if message:
# wrapper message in paragraph
message = "<p style='padding-left: 10px; position: absolute;'>%s</p>" % mark_for_escaping(
message)
html = """<div class="%(classes)s">%(message)s<div class="bar" style="width: %(p)d%%;"></div></div>""" % \
{
"classes": " ".join(html_classes),
"message": message or "",
"p": p,
}
return mark_safe(html)
def get_data(self, item):
data = queryparser.parse(item.body)
if 'data' not in data:
return None
items = list(data['data'].items())
items.sort()
out = ''
for i, dt in items:
out += "%s %s<br>" % (i, mark_for_escaping(dt))
return mark_safe(out)
def get_html(request, document_id=""):
''' Return a document via API as HTML,
verbatim per Tika's HTML conversion output
'''
doc = Document.objects.for_slug(document_id)
if not doc:
raise APIError('fail', "Document not found: %s" % document_id)
return dict(
html=mark_for_escaping(
doc.extracted_html).encode(
'ascii', 'xmlcharrefreplace'))
def dropdown_items(self):
# todo async refresh submenu when on the applications page and you change the application name
key = [self.domain]
apps = get_db().view('app_manager/applications_brief',
reduce=False,
startkey=key,
endkey=key+[{}],
stale=settings.COUCH_STALE_QUERY,
).all()
submenu_context = []
if not apps:
return submenu_context
submenu_context.append(format_submenu_context(_('My Applications'), is_header=True))
for app in apps:
app_info = app['value']
if app_info:
url = reverse('view_app', args=[self.domain, app_info['_id']])
app_name = mark_safe("%s%s" % (
mark_for_escaping(app_info['name'] or '(Untitled)'),
mark_for_escaping(' (Remote)' if app_info['doc_type'] == 'RemoteApp' else ''),
))
submenu_context.append(format_submenu_context(app_name, url=url))
if self.couch_user.can_edit_apps():
submenu_context.append(format_submenu_context(None, is_divider=True))
newapp_options = [
format_submenu_context(None, html=self._new_app_link(_('Blank Application'))),
format_submenu_context(None, html=self._new_app_link(_('RemoteApp (Advanced Users Only)'),
is_remote=True)),
]
newapp_options.append(format_submenu_context(_('Visit CommCare Exchange to copy existing app...'),
url=reverse('appstore')))
submenu_context.append(format_second_level_context(
_('New Application...'),
'#',
newapp_options
))
return submenu_context
def resolve(self, context, ignore_failures=False):
if isinstance(self.var, Variable):
try:
obj = self.var.resolve(context)
except VariableDoesNotExist:
if ignore_failures:
obj = None
else:
string_if_invalid = context.template.engine.string_if_invalid
if string_if_invalid:
if '%s' in string_if_invalid:
return string_if_invalid % self.var
else:
return string_if_invalid
else:
obj = string_if_invalid
else:
obj = self.var
escape_isnt_last_filter = True
for func, args in self.filters:
arg_vals = []
for lookup, arg in args:
if not lookup:
arg_vals.append(mark_safe(arg))
else:
arg_vals.append(arg.resolve(context))
if getattr(func, 'expects_localtime', False):
obj = template_localtime(obj, context.use_tz)
if getattr(func, 'needs_autoescape', False):
new_obj = func(obj, autoescape=context.autoescape, *arg_vals)
else:
new_obj = func(obj, *arg_vals)
if getattr(func, 'is_safe', False) and isinstance(obj, SafeData):
obj = mark_safe(new_obj)
elif isinstance(obj, EscapeData):
with warnings.catch_warnings():
# Ignore mark_for_escaping deprecation as this will be
# removed in Django 2.0.
warnings.simplefilter('ignore',
category=RemovedInDjango20Warning)
obj = mark_for_escaping(new_obj)
escape_isnt_last_filter = False
else:
obj = new_obj
if not escape_isnt_last_filter:
warnings.warn(
"escape isn't the last filter in %s and will be applied "
"immediately in Django 2.0 so the output may change." %
[func.__name__ for func, _ in self.filters],
RemovedInDjango20Warning,
stacklevel=2)
return obj
def get_cleansed_html(request, document_id=""):
''' Return a document via API as HTML,
applying a post-process cleaning function
to Tika's HTML output to remove anything
unrelated to the basic formatting directives
'''
doc = Document.objects.for_slug(document_id)
if not doc:
raise APIError('fail', "Document not found: %s" % document_id)
return dict(
cleansed_html=mark_for_escaping(
doc.cleansed_html).encode(
'ascii', 'xmlcharrefreplace'))
def resolve(self, context, ignore_failures=False):
if isinstance(self.var, Variable):
try:
obj = self.var.resolve(context)
except VariableDoesNotExist:
if ignore_failures:
obj = None
else:
string_if_invalid = context.template.engine.string_if_invalid
if string_if_invalid:
if '%s' in string_if_invalid:
return string_if_invalid % self.var
else:
return string_if_invalid
else:
obj = string_if_invalid
else:
obj = self.var
escape_isnt_last_filter = True
for func, args in self.filters:
arg_vals = []
for lookup, arg in args:
if not lookup:
arg_vals.append(mark_safe(arg))
else:
arg_vals.append(arg.resolve(context))
if getattr(func, 'expects_localtime', False):
obj = template_localtime(obj, context.use_tz)
if getattr(func, 'needs_autoescape', False):
new_obj = func(obj, autoescape=context.autoescape, *arg_vals)
else:
new_obj = func(obj, *arg_vals)
if getattr(func, 'is_safe', False) and isinstance(obj, SafeData):
obj = mark_safe(new_obj)
elif isinstance(obj, EscapeData):
with warnings.catch_warnings():
# Ignore mark_for_escaping deprecation as this will be
# removed in Django 2.0.
warnings.simplefilter('ignore', category=RemovedInDjango20Warning)
obj = mark_for_escaping(new_obj)
escape_isnt_last_filter = False
else:
obj = new_obj
if not escape_isnt_last_filter:
warnings.warn(
"escape isn't the last filter in %s and will be applied "
"immediately in Django 2.0 so the output may change."
% [func.__name__ for func, _ in self.filters],
RemovedInDjango20Warning, stacklevel=2
)
return obj
def view_paged(request):
""" views page slice of results using GET args. """
# intialize results in case of failure...
results_list, results_slice = ([], [])
# get query
query = responses.get_request_arg(request, ['q', 'query', 'search'], default="")
query_safe = mark_for_escaping(query)
# check query
search_warning = searchtools.valid_query(query)
# search okay?
if search_warning == '':
# get initial results
results_list = searchtools.search_all(query, projects_first=True)
# get overall total count
results_count = len(results_list)
# get args
page_args = responses.get_paged_args(request, results_count)
# results slice
if results_count > 0:
results_slice = utilities.slice_list(results_list,
starting_index=page_args['start_id'],
max_items=page_args['max_items'])
else:
results_slice = []
# get last index.
end_id = str(page_args['start_id'] + len(results_slice))
return responses.clean_response("searcher/results_paged.html",
{"request": request,
"search_warning": search_warning,
"results_list": results_slice,
"query_text": query,
"query_safe": query_safe,
"start_id": (page_args['start_id'] + 1),
"end_id": end_id,
"results_count": results_count,
"prev_page": page_args['prev_page'],
"next_page": page_args['next_page'],
"has_prev": (page_args['start_id'] > 0),
"has_next": (page_args['start_id'] < (results_count - page_args['max_items'])),
"extra_style_link_list": [utilities.get_browser_style(request),
"/static/css/searcher.min.css",
"/static/css/highlighter.min.css"],
})
def render_progress_bar(current, total=100, message="%", bar_type="auto", striped=False, active=False):
""" Returns a html code to render a bootstrap progress bar.
Params:
current: current value
total: total value
bar_type: one of info/success/warning/danger or auto or None
striped: if you want striped bars
active: if you want animated bars
"""
if total is None: # unlimited
p = 0.0
total = current
else:
p = int(current * 100 / total)
html_classes = ["progress"]
if striped:
html_classes.append("progress-striped")
if active:
html_classes.append("active")
if bar_type:
if bar_type == "auto":
if p < 50:
bar_type = "info"
elif p < 75:
bar_type = "warning"
else:
bar_type = "danger"
html_classes.append("progress-%s" % bar_type)
if message == '%':
message = "%(current)d of %(total)d" % {
'current': current, 'total': total}
if message:
# wrapper message in paragraph
message = "<p style='padding-left: 10px; position: absolute;'>%s</p>" % mark_for_escaping(
message)
html = """<div class="%(classes)s">%(message)s<div class="bar" style="width: %(p)d%%;"></div></div>""" % \
{
"classes": " ".join(html_classes),
"message": message or "",
"p": p,
}
return mark_safe(html)
def post(self, request, *args, **kwargs):
self.object = self.get_object()
if not self.object.user_has_access(request.user):
return HttpResponseForbidden()
key = self.request.POST['id']
value = self.request.POST['value']
if key.startswith('extension_'):
key = key[len('extension_'):]
whitelist = 'name', 'description', 'url'
if key not in whitelist:
return HttpResponseForbidden()
setattr(self.object, key, value)
self.object.save()
return HttpResponse(mark_for_escaping(value))
def view_error(request, error_number):
""" returns appropriate error page when given the error code. """
request_path = request.META["PATH_INFO"]
if request_path.startswith('/'):
request_path = request_path[1:]
serror = str(error_number)
# if its not one of these I don't have a template for it,
# so it really would be a file-not-found error.
if not serror in ["403", "404", "500"]:
serror = "404"
context = {
'request': request,
'request_path': mark_for_escaping(request_path),
'extra_style_link_list': [utilities.get_browser_style(request)],
}
return responses.clean_response_req('home/{}.html'.format(serror), context,
request=request)
def view_error(request, error_number):
""" returns appropriate error page when given the error code. """
request_path = request.META['PATH_INFO']
if request_path.startswith('/'):
request_path = request_path[1:]
# If its not one of these I don't have a template for it,
# so it really would be a file-not-found error.
if error_number not in (403, 404, 500):
error_number = 404
context = {
'request_path': mark_for_escaping(request_path),
}
return responses.clean_response(
'home/{}.html'.format(error_number),
context=context,
request=request,
status=error_number
)
def _view_diary(request, startdate, enddate, tag=None, extra_title=None):
# Returns public diary view, for given date range, optionally filtered by
# an event tag.
# Build query. The select_related() and prefetch_related on the end
# encourages it to get the associated showing/event data, to reduce the
# number of SQL queries
showings = (Showing.objects.public()
.start_in_range(startdate, enddate)
.order_by('start')
.select_related()
.prefetch_related('event__media')
.prefetch_related('event__tags'))
if tag:
showings = showings.filter(event__tags__slug=tag)
# Build a list of events for that list of showings:
events = OrderedDict()
for showing in showings:
events.setdefault(showing.event, list()).append(showing)
context = {
'start': startdate,
'end': enddate,
# Make sure user input is escaped:
'event_type': mark_for_escaping(tag) if tag else None,
# Set page title:
'extra_title': extra_title,
# Set of Showing objects for date range
'showings': showings,
# Ordered dict mapping event -> list of showings:
'events': events,
# This is prepended to filepaths from the MediaPaths table to use
# as a location for images:
'media_url': settings.MEDIA_URL,
'printed_programmes': PrintedProgramme.objects.month_in_range(
startdate, enddate)
}
return render(request, 'view_showing_index.html', context)
def resolve(self, context, ignore_failures=False, string_if_invalid=''):
if isinstance(self.var, Variable):
try:
obj = self.var.resolve(context)
except VariableDoesNotExist:
if ignore_failures:
obj = None
else:
if string_if_invalid:
global invalid_var_format_string
if invalid_var_format_string is None:
invalid_var_format_string = '%s' in string_if_invalid
if invalid_var_format_string:
return string_if_invalid % self.var
return string_if_invalid
else:
obj = string_if_invalid
else:
obj = self.var
for func, args in self.filters:
arg_vals = []
for lookup, arg in args:
if not lookup:
arg_vals.append(mark_safe(arg))
else:
arg_vals.append(arg.resolve(context))
if getattr(func, 'expects_localtime', False):
obj = template_localtime(obj, context.use_tz)
if getattr(func, 'needs_autoescape', False):
new_obj = func(obj, autoescape=context.autoescape, *arg_vals)
else:
new_obj = func(obj, *arg_vals)
if getattr(func, 'is_safe', False) and isinstance(obj, SafeData):
obj = mark_safe(new_obj)
elif isinstance(obj, EscapeData):
obj = mark_for_escaping(new_obj)
else:
obj = new_obj
return obj
def resolve(self, context, ignore_failures=False):
if isinstance(self.var, Variable):
try:
obj = self.var.resolve(context)
except VariableDoesNotExist:
if ignore_failures:
obj = None
else:
string_if_invalid = context.engine.string_if_invalid
if string_if_invalid:
if '%s' in string_if_invalid:
return string_if_invalid % self.var
else:
return string_if_invalid
else:
obj = string_if_invalid
else:
obj = self.var
for func, args in self.filters:
arg_vals = []
for lookup, arg in args:
if not lookup:
arg_vals.append(mark_safe(arg))
else:
arg_vals.append(arg.resolve(context))
if getattr(func, 'expects_localtime', False):
obj = template_localtime(obj, context.use_tz)
if getattr(func, 'needs_autoescape', False):
new_obj = func(obj, autoescape=context.autoescape, *arg_vals)
else:
new_obj = func(obj, *arg_vals)
if getattr(func, 'is_safe', False) and isinstance(obj, SafeData):
obj = mark_safe(new_obj)
elif isinstance(obj, EscapeData):
obj = mark_for_escaping(new_obj)
else:
obj = new_obj
return obj
def clean_article_links(article_id):
portal_rule = re.compile(r'http(.+)(portalgsti\.com\.br)')
try:
article = Article.objects.get(id=article_id)
except Article.DoesNotExist:
print("ERROR: Article does not exist")
return
except Exception as e:
print("ERROR: General error on get article. [{}]".format(e))
return
def no_follow_external_links(attrs, new=False):
_href = attrs.get('href')
if _href and _href[0:4] == 'http' and not portal_rule.match(_href):
attrs['rel'] = 'nofollow'
return attrs
try:
article_pre = u'<pre>{}</pre>'.format(mark_for_escaping(article.text))
article_text = bleach.linkify(text=article_pre,
callbacks=[no_follow_external_links],
tokenizer=HTMLTokenizer,
skip_pre=True)
article_text = article_text.replace('<pre>', '',
1).replace('</pre>', '', -1)
if article_text != article.text:
article.text = article_text
article.save()
except Exception as e:
pass
def test_marked_strings(self):
"""
Check that strings marked as safe or needing escaping do not
confuse the back-end.
"""
from django.utils.safestring import mark_safe, mark_for_escaping
a = String.objects.create(s='a')
b = String.objects.create(s=mark_safe('b'))
c = String.objects.create(s=mark_for_escaping('c'))
self.assertEqual(String.objects.get(s='a'), a)
self.assertEqual(list(String.objects.filter(s__startswith='a')), [a])
self.assertEqual(String.objects.get(s=mark_safe('a')), a)
self.assertEqual(
list(String.objects.filter(s__startswith=mark_safe('a'))), [a])
self.assertEqual(String.objects.get(s=mark_for_escaping('a')), a)
self.assertEqual(
list(String.objects.filter(s__startswith=mark_for_escaping('a'))),
[a])
self.assertEqual(String.objects.get(s='b'), b)
self.assertEqual(list(String.objects.filter(s__startswith='b')), [b])
self.assertEqual(String.objects.get(s=mark_safe('b')), b)
self.assertEqual(
list(String.objects.filter(s__startswith=mark_safe('b'))), [b])
self.assertEqual(String.objects.get(s=mark_for_escaping('b')), b)
self.assertEqual(
list(String.objects.filter(s__startswith=mark_for_escaping('b'))),
[b])
self.assertEqual(String.objects.get(s='c'), c)
self.assertEqual(list(String.objects.filter(s__startswith='c')), [c])
self.assertEqual(String.objects.get(s=mark_safe('c')), c)
self.assertEqual(
list(String.objects.filter(s__startswith=mark_safe('c'))), [c])
self.assertEqual(String.objects.get(s=mark_for_escaping('c')), c)
self.assertEqual(
list(String.objects.filter(s__startswith=mark_for_escaping('c'))),
[c])
def test_marked_strings(self):
"""
Check that strings marked as safe or needing escaping do not
confuse the back-end.
"""
from django.utils.safestring import mark_safe, mark_for_escaping
a = String.objects.create(s='a')
b = String.objects.create(s=mark_safe('b'))
c = String.objects.create(s=mark_for_escaping('c'))
self.assertEqual(String.objects.get(s='a'), a)
self.assertEqual(list(String.objects.filter(s__startswith='a')), [a])
self.assertEqual(String.objects.get(s=mark_safe('a')), a)
self.assertEqual(
list(String.objects.filter(s__startswith=mark_safe('a'))), [a])
self.assertEqual(String.objects.get(s=mark_for_escaping('a')), a)
self.assertEqual(
list(String.objects.filter(s__startswith=mark_for_escaping('a'))),
[a])
self.assertEqual(String.objects.get(s='b'), b)
self.assertEqual(list(String.objects.filter(s__startswith='b')), [b])
self.assertEqual(String.objects.get(s=mark_safe('b')), b)
self.assertEqual(
list(String.objects.filter(s__startswith=mark_safe('b'))), [b])
self.assertEqual(String.objects.get(s=mark_for_escaping('b')), b)
self.assertEqual(
list(String.objects.filter(s__startswith=mark_for_escaping('b'))),
[b])
self.assertEqual(String.objects.get(s='c'), c)
self.assertEqual(list(String.objects.filter(s__startswith='c')), [c])
self.assertEqual(String.objects.get(s=mark_safe('c')), c)
self.assertEqual(
list(String.objects.filter(s__startswith=mark_safe('c'))), [c])
self.assertEqual(String.objects.get(s=mark_for_escaping('c')), c)
self.assertEqual(
list(String.objects.filter(s__startswith=mark_for_escaping('c'))),
[c])
def django_escape_output(value):
# Make sure the value is converted to unicode first, because otherwise,
# if it is already SafeData (for example, when coming from the template
# code), then mark_for_escaping would do nothing. We want to guarantee
# a EscapeData return value in this filter though.
return mark_for_escaping(unicode(value))
def json_encode(data):
return mark_for_escaping(json.dumps(data))
def make_app_title(cls, app_name, doc_type):
return mark_safe("%s%s" % (
mark_for_escaping(app_name or '(Untitled)'),
mark_for_escaping(' (Remote)' if doc_type == 'RemoteApp' else ''),
))
def escape(value):
"""
Marks the value as a string that should not be auto-escaped.
"""
from django.utils.safestring import mark_for_escaping
return mark_for_escaping(value)
def escape_filter(value):
"""
Marks the value as a string that should not be auto-escaped.
"""
return mark_for_escaping(value)
def url_getvars(context, token=None):
return mark_for_escaping(_url_getvars(context, token))
def extra_(self, obj):
import json
from django.utils.safestring import mark_safe, mark_for_escaping
return mark_safe(
"<pre style='font-family: sans-serif;'>" + mark_for_escaping(
json.dumps(obj.extra, sort_keys=True, indent=True)) + "</pre>")
def url_getvars_without(context, token):
return mark_for_escaping(_url_getvars(context, token, 'without'))
def nav_active(context, name, css="active"):
request = context.request
if request.path == reverse(name):
return mark_safe(' class="%s"' % (mark_for_escaping(css)))
return ""
def test_mark_for_escaping(self):
s = mark_for_escaping('a&b')
self.assertRenderEqual('{{ s }}', 'a&b', s=s)
self.assertRenderEqual('{{ s }}', 'a&b', s=mark_for_escaping(s))
ctx_dict,
must_succeed=True)
@pytest.mark.parametrize('template_name', [
'tests/var.html',
'tests/var_default_html.html',
'tests/var_default_var.html',
'tests/var_filters.html',
'tests/var_safe_filter.html',
])
@pytest.mark.parametrize('var', [
'test',
'<html>',
mark_safe('<html>'),
mark_for_escaping('<html>'),
])
@pytest.mark.parametrize('other', [
'test',
'<html>',
mark_safe('<html>'),
mark_for_escaping('<html>'),
])
def test_var_escaping(settings, template_name, var, other):
assert_rendered_equally(settings,
template_name, {
'var': var,
'other': other
},
must_succeed=True)
def inner(model_admin):
try:
return mark_for_escaping(json.dumps(f(model_admin)))
except:
return []
