autoescape values - version 1.15.0

pigletto · pigletto · commit 33fd6e867bea · 2018-03-04T22:58:12.000+01:00
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,76 @@
+# Compiled source #
+###################
+*.com
+*.class
+*.dll
+*.exe
+*.o
+*.so
+*.pyc
+
+# Packages #
+############
+# it's better to unpack these files and commit the raw source
+# git has its own built in compression methods
+*.7z
+*.dmg
+*.gz
+*.iso
+*.jar
+*.rar
+*.tar
+*.zip
+
+# Logs and databases #
+######################
+*.log
+*.sql
+*.sqlite
+
+# OS generated files #
+######################
+.DS_Store*
+ehthumbs.db
+Icon?
+Thumbs.db
+
+# Other              #
+######################
+.idea
+
+# Virtualenv files #
+######################
+bin
+include
+lib
+local
+dist
+
+# Buildout files #
+##################
+.installed.cfg
+.mr.developer.cfg
+develop-eggs
+downloads
+eggs
+parts
+src/*.egg-info
+lib
+lib64
+
+# Symlinks #
+############
+project/media/theme
+project/media/admin
+
+# Vim files #
+#############
+*.swp
+
+# Local settings file (I put DB credentials there) #
+####################################################
+project/settings_local.py
+
+# Specific dependencies #
+#########################
+src/shop_management_sync
diff --git a/CHANGES b/CHANGES
@@ -1,3 +1,7 @@
+2018.03.04 - 1.15.0
+ - possible backward incomatible change: escape() is now called for each value returned by render_column.
+   This can be disabled by setting class attribute: escape_values to False.
+
 2017.02.01 - 1.14.0
  - render_column method is now able to call get_OBJECT_display on foreign models (issue #31)
  - potentially backward incompatible change in render_column - get_absolute_url is now called on obj that is
diff --git a/README.md b/README.md
@@ -40,6 +40,7 @@ _django_datatables_view_ uses **GenericViews**, so your view should just inherit
     :::python
 
         from django_datatables_view.base_datatable_view import BaseDatatableView
+        from django.utils.html import escape
 
         class OrderListJson(BaseDatatableView):
             # The model we're going to show
@@ -61,7 +62,8 @@ _django_datatables_view_ uses **GenericViews**, so your view should just inherit
             def render_column(self, row, column):
                 # We want to render user as a custom column
                 if column == 'user':
-                    return '{0} {1}'.format(row.customer_firstname, row.customer_lastname)
+                    # escape HTML for security reasons
+                    return escape('{0} {1}'.format(row.customer_firstname, row.customer_lastname))
                 else:
                     return super(OrderListJson, self).render_column(row, column)
 
@@ -111,6 +113,7 @@ Example JS:
 ## Another example of views.py customisation ##
 
     from django_datatables_view.base_datatable_view import BaseDatatableView
+    from django.utils.html import escape
 
     class OrderListJson(BaseDatatableView):
         order_columns = ['number', 'user', 'state']
@@ -148,8 +151,8 @@ Example JS:
             json_data = []
             for item in qs:
                 json_data.append([
-                    item.number,
-                    "{0} {1}".format(item.customer_firstname, item.customer_lastname),
+                    escape(item.number),  # escape HTML for security reasons
+                    escape("{0} {1}".format(item.customer_firstname, item.customer_lastname)),  # escape HTML for security reasons
                     item.get_state_display(),
                     item.created.strftime("%Y-%m-%d %H:%M:%S"),
                     item.modified.strftime("%Y-%m-%d %H:%M:%S")
diff --git a/django_datatables_view/base_datatable_view.py b/django_datatables_view/base_datatable_view.py
@@ -4,6 +4,7 @@
 
 from django.conf import settings
 from django.db.models import Q
+from django.utils.html import escape
 
 from .mixins import JSONResponseView
 
@@ -19,6 +20,7 @@ class DatatableMixin(object):
     max_display_length = 100  # max limit of records returned, do not allow to kill our server by huge sets of data
     pre_camel_case_notation = False  # datatables 1.10 changed query string parameter names
     none_string = ''
+    escape_values = True  # if set to true then values returned by render_column will be escaped
     
     @property
     def _querydict(self):
@@ -60,6 +62,9 @@ def render_column(self, row, column):
 
         if value is None:
             value = self.none_string
+
+        if self.escape_values:
+            value = escape(value)
             
         if value and hasattr(obj, 'get_absolute_url'):
             return '<a href="%s">%s</a>' % (obj.get_absolute_url(), value)
@@ -174,7 +179,8 @@ def filter_queryset(self, qs):
 
                 # column specific filter
                 if col['search.value']:
-                    qs = qs.filter(**{'{0}__istartswith'.format(self.columns[col_no].replace('.', '__')): col['search.value']})
+                    qs = qs.filter(**{
+                        '{0}__istartswith'.format(self.columns[col_no].replace('.', '__')): col['search.value']})
             qs = qs.filter(q)
         return qs
 
diff --git a/setup.py b/setup.py
@@ -1,7 +1,7 @@
 from setuptools import setup, find_packages
 import os
 
-version = '1.14.0'
+version = '1.15.0'
 
 here = os.path.abspath(os.path.dirname(__file__))
 README = open(os.path.join(here, 'README.md')).read()
@@ -33,5 +33,5 @@
       dependency_links=[],
       install_requires=[
           'setuptools',
-      ],
-     )
+      ]
+      )
