| Date | Commit message | Author | Files | Lines |
|---|---|---|---|---|
| 2022-02-16 | Make json filter safe | René Kijewski | 2 | -17/+24 |
| | Previously the built-in json filter had an issue that made it unsafe to use in HTML data. When used in HTML attributes an attacker who is able to supply an arbitrary string that should be JSON encoded could close the containing HTML element e.g. with `"</div>"`, and write arbitrary HTML code afterwards as long as they use apostrophes instead of quotation marks. The programmer could make this use case safe by explicitly escaping the JSON result: `{{data\|json\|escape}}`. In a `<script>` context the json filter was not usable at all, because in scripts HTML escaped entities are not parsed outside of XHTML documents. Without using the safe filter an attacker could close the current script using `"</script>"`. This PR fixes the problem by always escaping less-than, greater-than, ampersand, and apostrophe characters using their JSON unicode escape sequence `\u00xx`. Unless the programmer explicitly uses the safe filter, quotation marks are HTML encoded as `&quot;`. In scripts the programmer should use the safe filter, otherwise not. | | | |
| 2022-02-09 | askama_mendes: upgrade mendes to 0.0.62 (#636) | Dirkjan Ochtman | 1 | -1/+1 |
| 2022-02-07 | Add markdown filter | René Kijewski | 2 | -3/+94 |
| 2022-02-07 | Enable tracking of the offending span of an error | René Kijewski | 1 | -5/+24 |
| 2022-02-03 | Take reference to AST ident only once | René Kijewski | 1 | -12/+17 |
| 2022-02-03 | Replace if-let with match | René Kijewski | 1 | -4/+6 |
| 2022-02-03 | Replace custom Cow with actual Cow | René Kijewski | 3 | -47/+42 |
| 2022-01-31 | Remove `panic!()` in `loop.cycle([])` | René Kijewski | 1 | -1/+1 |
| 2022-01-31 | Don't wrap in StrLit just to extract the str imm. | René Kijewski | 1 | -20/+4 |
| 2022-01-31 | Update comment in TemplateInput::new() | René Kijewski | 1 | -1/+1 |
| 2022-01-31 | Make is_shadowing_variable() failable | René Kijewski | 1 | -12/+24 |
| 2022-01-31 | Allow comments in `{% match %}` and remove panic! | René Kijewski | 1 | -19/+2 |
| 2022-01-28 | Parse tuple expressions | René Kijewski | 2 | -3/+163 |
| | Askama understands how to destructure tuples in let and match statements, but it does not understand how to build a tuple. This PR fixes this shortcoming. | | | |
| 2022-01-28 | Implement error propagation expression: `?` (#590) | René Kijewski | 3 | -6/+30 |
| | This change allows using the operator `?` in askama expressions. It works like the same operator in Rust: if a `Result` is `Ok`, it is unwrapped. If it is an error, then the `render()` method fails with this error value. | | | |
| 2022-01-27 | Unify handling of calls (#614) | René Kijewski | 2 | -145/+157 |
| | Instead of having `Expr::VarCall`, `Expr::PathCall` and `Expr::MethodCall`, this PR unifies the handling of calls by removing the former three variants, and introducing `Expr::Call`. | | | |
| 2022-01-24 | Replace `&PathBuf` with `&Path` | René Kijewski | 2 | -9/+9 |
| | PathBuf is to String like Path is to str, so `&PathBuf` is a pointer to a pointer. Clippy does not like that. | | | |
| 2022-01-13 | Tweak attribute parsing some more | Dirkjan Ochtman | 1 | -10/+7 |
| 2022-01-13 | Make sure '#[template(…)]' is given exactly once | René Kijewski | 1 | -16/+22 |
| 2022-01-13 | Rename "meta" in proc_macro parser | René Kijewski | 1 | -3/+3 |
| 2022-01-12 | Add template argument for contexts' hasher | René Kijewski | 1 | -2/+2 |
| | In askama_shared::generate a custom hasher for the contexts can be given, so Heritage needs to accept the argument too. | | | |
| 2022-01-12 | `&Option<T>` → `Option<&T>` | René Kijewski | 1 | -3/+3 |
| 2022-01-12 | Fully qualify some more paths in generated code | René Kijewski | 1 | -3/+3 |
| 2022-01-07 | Determine Content-Type during compilation | René Kijewski | 2 | -0/+10 |
| 2022-01-07 | Make TemplateInput::extension() reusable | René Kijewski | 1 | -1/+7 |
| 2022-01-07 | Unshadow function escaping() | René Kijewski | 1 | -3/+3 |
| 2022-01-07 | Move extension_to_mime_type() to askama_shared | René Kijewski | 2 | -0/+28 |
| 2022-01-06 | Optimize parsing of ranges | René Kijewski | 1 | -17/+13 |
| | Right now almost every expression needs to be parsed twice: `expr_any()` first parses the left-hand side of a range expression, and if no `..` or `..=` was found the left-hand expression is parsed again, this time as the result of the function. This diff removes the second parsing step by first looking for `.. (opt rhs)`, then for `lhs .. (opt rhs)`. | | | |
| 2022-01-06 | Add `#[inline]` to trivial trait implementations | René Kijewski | 1 | -0/+9 |
| 2022-01-06 | Remove the iron integration from generator | René Kijewski | 2 | -27/+0 |
| | Issue #527 removed the askama_iron package, but not the integration if someone uses askama_derive's feature with "iron". The old askama_iron crate uses askama v0.10, so it will still work. | | | |
| 2022-01-06 | Add `#![forbid(unsafe_code)]` to all crates except askama_escape | René Kijewski | 1 | -0/+1 |
| 2022-01-06 | Add `#![deny(unreachable_pub)]` to all crates | René Kijewski | 1 | -0/+1 |
| 2022-01-06 | Omit implicit lifetimes | René Kijewski | 4 | -7/+7 |
| 2022-01-06 | Same number of repeats in macro pattern and body | René Kijewski | 1 | -1/+1 |
| 2022-01-06 | No need to build a String when it gets referenced as &str implicitly | René Kijewski | 1 | -6/+0 |
| 2022-01-06 | Combine imports from the same module | René Kijewski | 1 | -2/+1 |
| 2022-01-05 | Update for actix-web beta | René Kijewski | 1 | -7/+3 |
| 2022-01-04 | askama_rocket: revert to rocket 0.4 for release | Dirkjan Ochtman | 1 | -2/+4 |
| 2022-01-04 | askama_actix: revert to actix-web v3 for release | Dirkjan Ochtman | 1 | -3/+4 |
| 2021-12-15 | Use a separate trait for object safety (#579) | Dirkjan Ochtman | 1 | -17/+5 |
| | This is a relatively major change to the main trait's API. For context, I always started from the concept of monomorphized traits, but later several contributors asked about object safety. At that point I made `Template` object-safe, and then even later added a `SizedTemplate` to make some things easier for people who don't need object safety. However, having object-safety in the primary trait is bad for performance (a substantial number of calls into the virtual `Write` trait is relatively slow), and I don't think those who don't need object safety should pay for the cost of having it. Additionally, I feel using associated consts for the extension and size hint is more idiomatic than having accessor methods. I don't know why I didn't use these from the start -- maybe associated consts didn't exist yet, or I didn't yet know how/when to use them. Askama is pretty old at this point... | | | |
| 2021-12-14 | updated for actix-web 4.0.0-beta.14 | CrunkLord420 | 1 | -1/+2 |
| 2021-12-08 | Use char for patterns where possible | Dirkjan Ochtman | 2 | -3/+3 |
| 2021-12-05 | Update axum to 0.4 (by switching to axum-core) | Michael Alyn Miller | 1 | -5/+3 |
| 2021-12-01 | Move askama_mendes integration into Askama repo (#561) | Dirkjan Ochtman | 1 | -2/+2 |
| 2021-11-29 | Allow whitespace trimming in {{raw}} blocks | René Kijewski | 2 | -18/+21 |
| 2021-11-27 | Add Axum integration | Michael Alyn Miller | 2 | -0/+19 |
| 2021-11-24 | Simplify take_content() implementation | René Kijewski | 1 | -43/+37 |
| 2021-11-24 | Parse `&str` instead of `&[u8]` | René Kijewski | 1 | -132/+120 |
| | Askama takes valid UTF-8 files as input. So why operate on byte slices instead of strings? This makes writing some functions a lot simpler. | | | |
| 2021-11-24 | Simplify identifier() implementation | René Kijewski | 1 | -17/+15 |
| 2021-11-24 | Simplify ws() and split_ws_parts() | René Kijewski | 1 | -43/+19 |
| 2021-11-24 | use nom::error::ErrorKind | René Kijewski | 1 | -16/+7 |
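The escaping rule described in the 2022-02-16 "Make json filter safe" commit, shown as an added worked example. This is editor-written code, not askama's own filter implementation: the `Context` enum, the function names, the markup wrappers and the attacker payloads are all constructed for illustration. It puts a naive JSON string encoder (what made `{{ data|json }}` unsafe) next to a hardened one that escapes `<`, `>`, `&` and `'` as `\u00xx` and, outside of `<script>`, HTML-encodes `"` as `&quot;`, then checks whether each rendering lets the payload break out of its element or attribute.

```rust
// Added example, not askama's code. Names below are assumptions.

/// Where the JSON output is embedded. This stands in for askama's
/// "safe filter used / not used" distinction from the commit message.
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum Context {
    /// Inside <script>: the HTML parser does not decode entities here,
    /// so `"` has to stay a literal quote (the `|safe` case).
    Script,
    /// Element text or a quoted attribute: the parser decodes entities,
    /// so `"` is emitted as `&quot;` and decodes back to `"` in the DOM.
    Html,
}

/// Naive encoder: escapes only what JSON itself requires. `<`, `>`, `&`
/// and `'` pass straight through, which is the unsafe behaviour.
pub fn json_string_naive(s: &str) -> String {
    let mut out = String::with_capacity(s.len() + 2);
    out.push('"');
    for c in s.chars() {
        match c {
            '"' => out.push_str("\\\""),
            '\\' => out.push_str("\\\\"),
            '\n' => out.push_str("\\n"),
            '\r' => out.push_str("\\r"),
            '\t' => out.push_str("\\t"),
            c if (c as u32) < 0x20 => out.push_str(&format!("\\u{:04x}", c as u32)),
            c => out.push(c),
        }
    }
    out.push('"');
    out
}

/// Hardened encoder: `<`, `>`, `&`, `'` become JSON `\u00xx` escapes, which
/// are valid JSON and invisible to the HTML parser; in `Html` context the
/// string delimiters and escaped inner quotes are written as `&quot;`.
pub fn json_string_safe(s: &str, ctx: Context) -> String {
    let quote = match ctx {
        Context::Script => "\"",
        Context::Html => "&quot;",
    };
    let mut out = String::with_capacity(s.len() + 2);
    out.push_str(quote);
    for c in s.chars() {
        match c {
            '"' => {
                // JSON escape `\"`, with the quote itself entity-encoded
                // where the HTML parser would otherwise see it.
                out.push('\\');
                out.push_str(quote);
            }
            '\\' => out.push_str("\\\\"),
            '\n' => out.push_str("\\n"),
            '\r' => out.push_str("\\r"),
            '\t' => out.push_str("\\t"),
            '<' | '>' | '&' | '\'' => out.push_str(&format!("\\u{:04x}", c as u32)),
            c if (c as u32) < 0x20 => out.push_str(&format!("\\u{:04x}", c as u32)),
            c => out.push(c),
        }
    }
    out.push_str(quote);
    out
}

/// Constructed markup for the two contexts named in the commit message.
pub fn render_script(data: &str) -> String {
    format!("<script>var data = {};</script>", json_string_safe(data, Context::Script))
}

pub fn render_attribute(data: &str) -> String {
    format!("<div data-value='{}'></div>", json_string_safe(data, Context::Html))
}

/// Breakout check for the script case: nothing inside the element may
/// contain `</`, since that is how an attacker closes the script early.
pub fn script_is_intact(html: &str) -> bool {
    match html.strip_prefix("<script>").and_then(|h| h.strip_suffix("</script>")) {
        Some(inner) => !inner.contains("</"),
        None => false,
    }
}

/// Breakout check for the single-quoted attribute: the first `'` after
/// `='` must be the one that closes the attribute, followed by `></div>`.
pub fn attribute_is_intact(html: &str) -> bool {
    let start = match html.find("='") {
        Some(i) => i + 2,
        None => return false,
    };
    let rest = &html[start..];
    match rest.find('\'') {
        Some(end) => &rest[end..] == "'></div>",
        None => false,
    }
}

fn main() {
    // Constructed attacker payloads, one per context.
    let script_payload = "</script><script>alert(1)</script>";
    let attr_payload = "x' onmouseover='alert(1)";
    println!("naive script:  {}", format!("<script>var data = {};</script>", json_string_naive(script_payload)));
    println!("safe script:   {}", render_script(script_payload));
    println!("naive attr:    <div data-value='{}'></div>", json_string_naive(attr_payload));
    println!("safe attr:     {}", render_attribute(attr_payload));
}
```

In the `Html` case the browser decodes `&quot;` back to `"` when it builds the attribute value, so reading `element.dataset.value` and passing it to `JSON.parse` yields the original string; in the `Script` case no entity decoding happens, which is why the literal quote must be kept there and why the commit says to use the safe filter in scripts and not elsewhere. The `\u00xx` escapes survive both paths unchanged because they are ordinary JSON.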