64 lines
2.0 KiB
Diff
64 lines
2.0 KiB
Diff
From 7dd3680e6eea0d77fde024763657aa4d884ddb23 Mon Sep 17 00:00:00 2001
|
|
From: Calum Hutton <calum.hutton@snyk.io>
|
|
Date: Thu, 26 Oct 2023 12:08:53 +0100
|
|
Subject: [PATCH] xmlattr filter disallows keys with spaces
|
|
|
|
---
|
|
CHANGES.rst | 1 +
|
|
src/jinja2/filters.py | 28 +++++++++++++++++++++-------
|
|
tests/test_filters.py | 6 ++++++
|
|
3 files changed, 28 insertions(+), 7 deletions(-)
|
|
|
|
diff --git a/src/jinja2/filters.py b/src/jinja2/filters.py
|
|
index ed07c4c0e..c7ecc9bb6 100644
|
|
--- a/kubevirt/jinja2/filters.py
|
|
+++ b/kubevirt/jinja2/filters.py
|
|
@@ -248,13 +248,17 @@ def do_items(value: t.Union[t.Mapping[K, V], Undefined]) -> t.Iterator[t.Tuple[K
|
|
yield from value.items()
|
|
|
|
|
|
+_space_re = re.compile(r"\s", flags=re.ASCII)
|
|
+
|
|
+
|
|
@pass_eval_context
|
|
def do_xmlattr(
|
|
eval_ctx: "EvalContext", d: t.Mapping[str, t.Any], autospace: bool = True
|
|
) -> str:
|
|
"""Create an SGML/XML attribute string based on the items in a dict.
|
|
- All values that are neither `none` nor `undefined` are automatically
|
|
- escaped:
|
|
+
|
|
+ If any key contains a space, this fails with a ``ValueError``. Values that
|
|
+ are neither ``none`` nor ``undefined`` are automatically escaped.
|
|
|
|
.. sourcecode:: html+jinja
|
|
|
|
@@ -273,12 +277,22 @@ def do_xmlattr(
|
|
|
|
As you can see it automatically prepends a space in front of the item
|
|
if the filter returned something unless the second parameter is false.
|
|
+
|
|
+ .. versionchanged:: 3.1.3
|
|
+ Keys with spaces are not allowed.
|
|
"""
|
|
- rv = " ".join(
|
|
- f'{escape(key)}="{escape(value)}"'
|
|
- for key, value in d.items()
|
|
- if value is not None and not isinstance(value, Undefined)
|
|
- )
|
|
+ items = []
|
|
+
|
|
+ for key, value in d.items():
|
|
+ if value is None or isinstance(value, Undefined):
|
|
+ continue
|
|
+
|
|
+ if _space_re.search(key) is not None:
|
|
+ raise ValueError(f"Spaces are not allowed in attributes: '{key}'")
|
|
+
|
|
+ items.append(f'{escape(key)}="{escape(value)}"')
|
|
+
|
|
+ rv = " ".join(items)
|
|
|
|
if autospace and rv:
|
|
rv = " " + rv
|