Commit message (author, age, files, lines)
* Increment patch versions of askama_{shared,escape} (René Kijewski, 2022-02-16, 2 files, -2/+2)
|
* Make json filter safe (René Kijewski, 2022-02-16, 9 files, -49/+191)
  Previously the built-in json filter had an issue that made it unsafe to use in HTML data. When used in HTML attributes an attacker who is able to supply an arbitrary string that should be JSON encoded could close the containing HTML element e.g. with `"</div>"`, and write arbitrary HTML code afterwards as long as they use apostrophes instead of quotation marks. The programmer could make this use case safe by explicitly escaping the JSON result: `{{data|json|escape}}`.

  In a `<script>` context the json filter was not usable at all, because in scripts HTML escaped entities are not parsed outside of XHTML documents. Without using the safe filter an attacker could close the current script using `"</script>"`.

  This PR fixes the problem by always escaping less-than, greater-than, ampersand, and apostrophe characters using their JSON unicode escape sequence `\u00xx`. Unless the programmer explicitly uses the safe filter, quotation marks are HTML encoded as `&quot`. In scripts the programmer should use the safe filter, otherwise not.
* Update actix-test requirement from =0.1.0-beta.12 to =0.1.0-beta.13 (dependabot[bot], 2022-02-16, 1 file, -1/+1)
  Updates the requirements on [actix-test](https://github.com/actix/actix-web) to permit the latest version.
  - [Release notes](https://github.com/actix/actix-web/releases)
  - [Changelog](https://github.com/actix/actix-web/blob/master/CHANGES.md)
  - [Commits](https://github.com/actix/actix-web/compare/test-v0.1.0-beta.12...test-v0.1.0-beta.13)

  ---
  updated-dependencies:
  - dependency-name: actix-test
    dependency-type: direct:production
  ...

  Signed-off-by: dependabot[bot] <support@github.com>
* askama_mendes: upgrade mendes to 0.0.62 (#636) (Dirkjan Ochtman, 2022-02-09, 4 files, -5/+5)
|
* Add markdown filter (René Kijewski, 2022-02-07, 6 files, -4/+176)
|
* Enable tracking of the offending span of an error (René Kijewski, 2022-02-07, 2 files, -9/+25)
|
* Remove unneeded external dependencies (René Kijewski, 2022-02-04, 3 files, -5/+5)
|
* Take reference to AST ident only once (René Kijewski, 2022-02-03, 1 file, -12/+17)
|
* Replace if-let with match (René Kijewski, 2022-02-03, 1 file, -4/+6)
|
* Replace custom Cow with actual Cow (René Kijewski, 2022-02-03, 4 files, -49/+45)
|
* Update README.md, sync with the book (René Kijewski, 2022-02-02, 2 files, -3/+4)
|
* actix: upgrade to actix 4-rc.1 (Dirkjan Ochtman, 2022-02-01, 2 files, -3/+3)
|
* Use exact trybuild version (René Kijewski, 2022-01-31, 1 file, -1/+1)
  Sometimes for no obvious reason an old version is selected and the output is different in just about every ui test. Just pin it to the currently newest version and test if an updated version still works when a new version gets released.
* Remove used optional dependency (René Kijewski, 2022-01-31, 1 file, -1/+0)
|
* Remove `panic!()` in `loop.cycle([])` (René Kijewski, 2022-01-31, 3 files, -1/+23)
|
* Don't wrap in StrLit just to extract the str imm. (René Kijewski, 2022-01-31, 1 file, -20/+4)
|
* Update comment in TemplateInput::new() (René Kijewski, 2022-01-31, 1 file, -1/+1)
|
* Make is_shadowing_variable() failable (René Kijewski, 2022-01-31, 2 files, -15/+27)
|
* Allow comments in `{% match %}` and remove panic! (René Kijewski, 2022-01-31, 4 files, -19/+55)
|
* Parse tuple expressions (René Kijewski, 2022-01-28, 3 files, -3/+245)
  Askama understands how to destructure tuples in let and match statements, but it does not understand how to build a tuple. This PR fixes this shortcoming.
* Implement error propagation expression: `?` (#590) (René Kijewski, 2022-01-28, 4 files, -6/+99)
  This change allows using the operator `?` in askama expressions. It works like the same operator in Rust: if a `Result` is `Ok`, it is unwrapped. If it is an error, then the `render()` method fails with this error value.
* Unify handling of calls (#614) (René Kijewski, 2022-01-27, 3 files, -145/+239)
  Instead of having `Expr::VarCall`, `Expr::PathCall` and `Expr::MethodCall`, this PR unifies the handling of calls by removing the former three variants, and introducing `Expr::Call`.
* Replace `&PathBuf` with `&Path` (René Kijewski, 2022-01-24, 3 files, -12/+12)
  PathBuf is to String like Path is to str, so `&PathBuf` is a pointer to a pointer. Clippy does not like that.
* Fix json/yaml features (Jannik Obermann, 2022-01-15, 2 files, -2/+4)
|
* Tweak attribute parsing some more (Dirkjan Ochtman, 2022-01-13, 1 file, -10/+7)
|
* Add unit tests if there is one `#[template(…)]` (René Kijewski, 2022-01-13, 4 files, -0/+36)
|
* Make sure '#[template(…)]' is given exactly once (René Kijewski, 2022-01-13, 1 file, -16/+22)
|
* Rename "meta" in proc_macro parser (René Kijewski, 2022-01-13, 1 file, -3/+3)
|
* README: Adds link to Jinja (hoijui, 2022-01-13, 1 file, -1/+1)
  ... for those of us who do not know what it is.
* Add template argument for contexts' hasher (René Kijewski, 2022-01-12, 1 file, -2/+2)
  In askama_shared::generate a custom hasher for the contexts can be given, so Heritage needs to accept the argument too.
* `&Option<T>` → `Option<&T>` (René Kijewski, 2022-01-12, 2 files, -4/+4)
|
* Fully qualify some more paths in generated code (René Kijewski, 2022-01-12, 1 file, -3/+3)
|
* Use Template::MIME_TYPE instead of extension (René Kijewski, 2022-01-07, 8 files, -43/+25)
|
* Determine Content-Type during compilation (René Kijewski, 2022-01-07, 3 files, -0/+22)
|
* Make TemplateInput::extension() reusable (René Kijewski, 2022-01-07, 1 file, -1/+7)
|
* Unshadow function escaping() (René Kijewski, 2022-01-07, 1 file, -3/+3)
|
* Move extension_to_mime_type() to askama_shared (René Kijewski, 2022-01-07, 5 files, -27/+37)
|
* Optimize parsing of ranges (René Kijewski, 2022-01-06, 1 file, -17/+13)
  Right now almost every expression needs to be parsed twice: `expr_any()` first parses the left-hand side of a range expression, and if no `..` or `..=` was found the left-hand expression is parsed again, this time as the result of the function.

  This diff removes the second parsing step by first looking for `.. (opt rhs)`, then for `lhs .. (opt rhs)`.
* Add `#[inline]` to trivial trait implementations (René Kijewski, 2022-01-06, 1 file, -0/+9)
|
* Remove the iron integration from generator (René Kijewski, 2022-01-06, 5 files, -30/+0)
  Issue #527 removed the askama_iron package, but not the integration if someone uses askama_derive's feature with "iron". The old askama_iron crate uses askama v0.10, so it will still work.
* Add `#![forbid(unsafe_code)]` to all crates except askama_escape (René Kijewski, 2022-01-06, 10 files, -0/+10)
|
* Add `#![deny(unreachable_pub)]` to all crates (René Kijewski, 2022-01-06, 11 files, -0/+11)
|
* No needless boxing of the error (René Kijewski, 2022-01-06, 1 file, -3/+22)
|
* Omit implicit lifetimes (René Kijewski, 2022-01-06, 5 files, -9/+9)
|
* Add `#[derive(Debug)]` for public types (René Kijewski, 2022-01-06, 1 file, -0/+3)
|
* Same number of repeats in macro pattern and body (René Kijewski, 2022-01-06, 1 file, -1/+1)
|
* No need to build a String when it gets referenced as &str implicitly (René Kijewski, 2022-01-06, 1 file, -6/+0)
|
* Combine imports from the same module (René Kijewski, 2022-01-06, 2 files, -5/+2)
|
* Remove unused imports (René Kijewski, 2022-01-06, 1 file, -7/+0)
|
* Update for actix-web beta (René Kijewski, 2022-01-05, 4 files, -32/+25)
|