From: Sambhav Satija Date: Sun, 10 Apr 2016 15:40:38 +0000 (+0530) Subject: Escape target attribute in the urlize function in utils.py. (#507) X-Git-Tag: 2.9~27^2~24 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=75685ec5e5079bcdbd443696c3d79d0cb86f7cf8;p=thirdparty%2Fjinja.git Escape target attribute in the urlize function in utils.py. (#507) --- diff --git a/jinja2/utils.py b/jinja2/utils.py index 612d5c3d..2a64ce57 100644 --- a/jinja2/utils.py +++ b/jinja2/utils.py @@ -203,7 +203,7 @@ def urlize(text, trim_url_limit=None, nofollow=False, target=None): words = _word_split_re.split(text_type(escape(text))) nofollow_attr = nofollow and ' rel="nofollow"' or '' if target is not None and isinstance(target, string_types): - target_attr = ' target="%s"' % target + target_attr = ' target="%s"' % escape(target) else: target_attr = '' for i, word in enumerate(words): diff --git a/tests/test_utils.py b/tests/test_utils.py index 37310361..95cf0435 100644 --- a/tests/test_utils.py +++ b/tests/test_utils.py @@ -14,7 +14,7 @@ import pytest import pickle -from jinja2.utils import LRUCache, escape, object_type_repr +from jinja2.utils import LRUCache, escape, object_type_repr, urlize @pytest.mark.utils @@ -74,3 +74,14 @@ class TestMarkupLeak(): escape(u"") counts.add(len(gc.get_objects())) assert len(counts) == 1, 'ouch, c extension seems to leak objects' + + +@pytest.mark.utils +@pytest.mark.escapeUrlizeTarget +class TestEscapeUrlizeTarget(): + def test_escape_urlize_target(self): + url = "http://example.org" + target = "