authorAmy <leiamy12@gmail.com>2020-06-15 13:39:33 -0400
committerAmy <leiamy12@gmail.com>2020-06-15 13:49:40 -0400
commit6de60977acd7e82ea204a04756addaef1de13c2d (patch)
treea498b46418570fadfd9032c69c73b877b5e73df3
parent8816c9335b3276f92aca45ee0f5a2aacc6465e26 (diff)
downloadjinja-6de60977acd7e82ea204a04756addaef1de13c2d.tar.gz
remove sandbox._MagicFormatMapping
add test for escape formatter
-rw-r--r--src/jinja2/sandbox.py32
-rw-r--r--tests/test_security.py7
2 files changed, 7 insertions, 32 deletions
diff --git a/src/jinja2/sandbox.py b/src/jinja2/sandbox.py
index deecf61c..5c6d0946 100644
--- a/src/jinja2/sandbox.py
+++ b/src/jinja2/sandbox.py
@@ -75,37 +75,6 @@ _mutable_spec = (
)
-class _MagicFormatMapping(abc.Mapping):
- """This class implements a dummy wrapper to fix a bug in the Python
- standard library for string formatting.
-
- See https://bugs.python.org/issue13598 for information about why
- this is necessary.
- """
-
- def __init__(self, args, kwargs):
- self._args = args
- self._kwargs = kwargs
- self._last_index = 0
-
- def __getitem__(self, key):
- if key == "":
- idx = self._last_index
- self._last_index += 1
- try:
- return self._args[idx]
- except LookupError:
- pass
- key = str(idx)
- return self._kwargs[key]
-
- def __iter__(self):
- return iter(self._kwargs)
-
- def __len__(self):
- return len(self._kwargs)
-
-
def inspect_format_method(callable):
if not isinstance(
callable, (types.MethodType, types.BuiltinMethodType)
@@ -395,7 +364,6 @@ class SandboxedEnvironment(Environment):
kwargs = args[0]
args = None
- kwargs = _MagicFormatMapping(args, kwargs)
rv = formatter.vformat(s, args, kwargs)
return type(s)(rv)
diff --git a/tests/test_security.py b/tests/test_security.py
index 44ac47ab..1b64cd37 100644
--- a/tests/test_security.py
+++ b/tests/test_security.py
@@ -146,6 +146,13 @@ class TestStringFormat:
t = env.from_string('{{ ("a{0.foo}b{1}"|safe).format({"foo": 42}, "<foo>") }}')
assert t.render() == "a42b&lt;foo&gt;"
+ def test_empty_braces_format(self):
+ env = SandboxedEnvironment()
+ t1 = env.from_string('{{ ("a{}b{}").format("foo", "42")}}')
+ t2 = env.from_string('{{ ("a{}b{}"|safe).format(42, "<foo>") }}')
+ assert t1.render() == "afoob42"
+ assert t2.render() == "a42b&lt;foo&gt;"
+
class TestStringFormatMap:
def test_basic_format_safety(self):
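Review bot: The new test_empty_braces_format only exercises bare `{}` fields, but the mapping removed from sandbox.py also answered the empty key for auto-numbered fields that carry an attribute or index, such as `{.foo}` or `{[0]}`. As far as I can tell, `string.Formatter` in the Python versions of this period auto-numbers only a completely empty field name, so those forms may now fail with a `KeyError` inside the sandboxed formatter instead of going through the sandbox's attribute lookup; that is worth confirming before relying on the removal. I would add the auto-numbered twin of the case just above, `t3 = env.from_string('{{ ("a{.foo}b{}"|safe).format({"foo": 42}, "<foo>") }}')` with `assert t3.render() == "a42b&lt;foo&gt;"`, so the behaviour is pinned either way. The enclosing TestStringFormat class starts above this hunk.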