Django/django
11
0
Fork 0
Code Pull Requests Projects Releases Activity

[1.1.X] Fixed #13177 -- Corrected usage of firstof in admin templates. Thanks to nomulous for the report and patch.

Browse Source 
Backport of r12840 from trunk.

git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.1.X@12841 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
Russell Keith-Magee 2010-03-23 14:55:00 +00:00
parent 6e60c8b7c0
commit 21a1a21d0b
2 changed files with 15 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
django/contrib/admin/templates/admin/base.html
View File

@ -25,7 +25,7 @@
{% if user.is_authenticated and user.is_staff %} {% if user.is_authenticated and user.is_staff %}
<div id="user-tools"> <div id="user-tools">
{% trans 'Welcome,' %} {% trans 'Welcome,' %}
<strong>{% firstof user.first_name user.username %}</strong>. <strong>{% filter force_escape %}{% firstof user.first_name user.username %}{% endfilter %}</strong>.
{% block userlinks %} {% block userlinks %}
{% url django-admindocs-docroot as docsroot %} {% url django-admindocs-docroot as docsroot %}
{% if docsroot %} {% if docsroot %}

20
docs/ref/templates/builtins.txt
View File

@ -112,9 +112,13 @@ You can use any number of values in a ``{% cycle %}`` tag, separated by spaces.
Values enclosed in single (``'``) or double quotes (``"``) are treated as Values enclosed in single (``'``) or double quotes (``"``) are treated as
string literals, while values without quotes are treated as template variables. string literals, while values without quotes are treated as template variables.
Note that the variables included in the cycle will not be escaped. This is Note that the variables included in the cycle will not be escaped.
because template tags do not escape their content. If you want to escape the This is because template tags do not escape their content. Any HTML or
variables in the cycle, you must do so explicitly:: Javascript code contained in the printed variable will be rendered
as-is, which could potentially lead to security issues.
If you need to escape the variables in the cycle, you must do so
explicitly::
{% filter force_escape %} {% filter force_escape %}
{% cycle var1 var2 var3 %} {% cycle var1 var2 var3 %}
@ -202,9 +206,13 @@ passed variables are False::
{% firstof var1 var2 var3 "fallback value" %} {% firstof var1 var2 var3 "fallback value" %}
Note that the variables included in the firstof tag will not be escaped. This Note that the variables included in the firstof tag will not be
is because template tags do not escape their content. If you want to escape escaped. This is because template tags do not escape their content.
the variables in the firstof tag, you must do so explicitly:: Any HTML or Javascript code contained in the printed variable will be
rendered as-is, which could potentially lead to security issues.
If you need to escape the variables in the firstof tag, you must do so
explicitly::
{% filter force_escape %} {% filter force_escape %}
{% firstof var1 var2 var3 "fallback value" %} {% firstof var1 var2 var3 "fallback value" %}