authorLuke Plant <L.Plant.98@cantab.net>2015-06-15 11:17:09 +0100
committerTim Graham <timograham@gmail.com>2015-06-29 08:16:19 -0400
commitaef2a0ec59301022354c043744a6a2fa13583aa1 (patch)
treead562a7c7c5379594b499e14574e181188a51f10 /tests/template_tests/test_custom.py
parent9ed82154bd0bd01c6195942db84302e791ad366f (diff)
downloaddjango-aef2a0ec59301022354c043744a6a2fa13583aa1.tar.gz
Fixed #25018 -- Changed simple_tag to apply conditional_escape() to its output.
This is a security hardening fix to help prevent XSS (and incorrect HTML) for the common use case of simple_tag. Thanks to Tim Graham for the review.
Diffstat (limited to 'tests/template_tests/test_custom.py')
-rw-r--r--tests/template_tests/test_custom.py22
1 files changed, 22 insertions, 0 deletions
diff --git a/tests/template_tests/test_custom.py b/tests/template_tests/test_custom.py
index 5d2907074d..dec97589d6 100644
--- a/tests/template_tests/test_custom.py
+++ b/tests/template_tests/test_custom.py
@@ -104,6 +104,28 @@ class SimpleTagTests(TagTestCase):
with self.assertRaisesMessage(TemplateSyntaxError, entry[0]):
self.engine.from_string("%s as var %%}" % entry[1][0:-2])
+ def test_simple_tag_escaping_autoescape_off(self):
+ c = Context({'name': "Jack & Jill"}, autoescape=False)
+ t = self.engine.from_string("{% load custom %}{% escape_naive %}")
+ self.assertEqual(t.render(c), "Hello Jack & Jill!")
+
+ def test_simple_tag_naive_escaping(self):
+ c = Context({'name': "Jack & Jill"})
+ t = self.engine.from_string("{% load custom %}{% escape_naive %}")
+ self.assertEqual(t.render(c), "Hello Jack &amp; Jill!")
+
+ def test_simple_tag_explicit_escaping(self):
+ # Check we don't double escape
+ c = Context({'name': "Jack & Jill"})
+ t = self.engine.from_string("{% load custom %}{% escape_explicit %}")
+ self.assertEqual(t.render(c), "Hello Jack &amp; Jill!")
+
+ def test_simple_tag_format_html_escaping(self):
+ # Check we don't double escape
+ c = Context({'name': "Jack & Jill"})
+ t = self.engine.from_string("{% load custom %}{% escape_format_html %}")
+ self.assertEqual(t.render(c), "Hello Jack &amp; Jill!")
+
def test_simple_tag_registration(self):
# Test that the decorators preserve the decorated function's docstring, name and attributes.
self.verify_tag(custom.no_params, 'no_params')
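Review bot: None of the four new tests exercise the `{% escape_naive as var %}` assignment form, so whether the stored value is escaped at assignment time, only when `{{ var }}` is later rendered, or both (double-escaping) is left unpinned; the `SimpleNode` implementation is not in this hunk, so I cannot tell from here which branch it takes. A fifth test along the lines of `t = self.engine.from_string("{% load custom %}{% escape_naive as var %}{{ var }}")` asserting `"Hello Jack &amp; Jill!"` would close that gap. A one-line comment on `test_simple_tag_escaping_autoescape_off`, e.g. `# With autoescape off the tag output must reach the template untouched`, would make the intent of the raw `&` expectation as explicit as the "don't double escape" comments on the two tests below it. The three autoescape-on tests build the identical `Context({'name': "Jack & Jill"})`, which could be hoisted into a small helper or a class attribute. The enclosing class SimpleTagTests continues outside the hunk.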