From: David Lord <davidism@gmail.com>
Date: Sat, 5 Oct 2019 01:23:11 +0000 (-0700)
Subject: don't bypass autoescape
X-Git-Tag: 2.11.0~55^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=93565e6cd8f254e69ba21876fa1e72e2483eed31;p=thirdparty%2Fjinja.git

don't bypass autoescape
---

diff --git a/jinja2/ext.py b/jinja2/ext.py
index 6e21570a..2a29b1fd 100644
--- a/jinja2/ext.py
+++ b/jinja2/ext.py
@@ -443,16 +443,15 @@ class AutoEscapeExtension(Extension):
 
 
 class DebugExtension(Extension):
-    """
-    A ``{% debug %}`` tag that dumps the available variables, filters and tests.
-    Typical usage like this:
+    """A ``{% debug %}`` tag that dumps the available variables,
+    filters, and tests.
 
     .. codeblock:: html+jinja
+
         <pre>{% debug %}</pre>
 
-    produces output like this:
+    .. code-block:: python
 
-    ::
         {'context': {'_': <function _gettext_alias at 0x7f9ceabde488>,
                  'csrf_token': <SimpleLazyObject: 'lfPE7al...q3bykS4txKfb3'>,
                  'cycler': <class 'jinja2.utils.Cycler'>,
@@ -465,6 +464,7 @@ class DebugExtension(Extension):
                'escaped', 'even', 'iterable', 'lower', 'mapping',
                'multiple_checkbox_field', ... 'string', 'undefined', 'upper']}
 
+    .. versionadded:: 2.11.0
     """
     tags = {'debug'}
 
@@ -474,8 +474,8 @@ class DebugExtension(Extension):
     def parse(self, parser):
         lineno = parser.stream.expect('name:debug').lineno
         context = ContextReference()
-        call = self.call_method('_render', [context], lineno=lineno)
-        return nodes.Output([nodes.MarkSafe(call)])
+        result = self.call_method('_render', [context], lineno=lineno)
+        return nodes.Output([result], lineno=lineno)
 
     def _render(self, context):
         result = {
@@ -483,16 +483,12 @@ class DebugExtension(Extension):
             'tests': sorted(self.environment.tests.keys()),
             'context': context.get_all()
         }
-        #
-        # We set the depth since the intent is basically to show the top few
-        # names. TODO: provide user control over this?
-        #
-        if version_info[:2] >= (3,4):
-            text = pprint.pformat(result, depth=3, compact=True)
+
+        # Set the depth since the intent is to show the top few names.
+        if version_info[:2] >= (3, 4):
+            return pprint.pformat(result, depth=3, compact=True)
         else:
-            text = pprint.pformat(result, depth=3)
-        text = escape(text)
-        return text
+            return pprint.pformat(result, depth=3)
 
 
 def extract_from_ast(node, gettext_functions=GETTEXT_FUNCTIONS,
diff --git a/tests/test_ext.py b/tests/test_ext.py
index 1f26373d..1c349bd1 100644
--- a/tests/test_ext.py
+++ b/tests/test_ext.py
@@ -241,20 +241,12 @@ class TestExtensions(object):
         assert ext[1].__class__ is T2
 
     def test_debug(self):
-        """Test for {% debug %}"""
         env = Environment(extensions=['jinja2.ext.debug'])
-        tmpl = env.from_string('''Hello{% debug %}Bye''')
-        out = tmpl.render()
-        out = out.replace('&#39;', "'").replace('&lt;', '<').replace('&gt;', '>')
-        #
-        # Check that some of the built-in items exist in the debug output...
-        #
-        assert "'context'" in out
-        assert "'cycler'" in out
-        assert "'filters'" in out
-        assert "'abs'" in out
-        assert "'tests'" in out
-        assert "'!='" in out
+        t = env.from_string('Hello\n{% debug %}\nGoodbye')
+        out = t.render()
+
+        for value in ("context", "cycler", "filters", "abs", "tests", "!="):
+            assert "'{}'".format(value) in out
 
 
 @pytest.mark.ext