PyPI - python-liquid - Versions diffs - 2.0.2__tar.gz → 2.1.0__tar.gz - Mend

python-liquid 2.0.2tar.gz → 2.1.0tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (97) hide show

{python_liquid-2.0.2 → python_liquid-2.1.0}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: python-liquid
-Version: 2.0.2
+Version: 2.1.0
 Summary: A Python engine for the Liquid template language.
 Project-URL: Change Log, https://github.com/jg-rp/liquid/blob/main/CHANGES.md
 Project-URL: Documentation, https://jg-rp.github.io/liquid/
@@ -105,6 +105,7 @@ $ conda install -c conda-forge python-liquid
 - [Python Liquid2](https://github.com/jg-rp/python-liquid2): A new Python engine for Liquid with [extra features](https://jg-rp.github.io/python-liquid2/migration/#new-features).
 - [Ruby Liquid2](https://github.com/jg-rp/ruby-liquid2): Liquid2 templates for Ruby.
+- [Micro Liquid](https://github.com/jg-rp/micro-liquid): A stripped-down Liquid-like template engine for Python. You can think of it as a non-evaluating alternative to Python's [f-strings](https://docs.python.org/3/tutorial/inputoutput.html#formatted-string-literals) or [t-strings](https://docs.python.org/3.14/whatsnew/3.14.html#whatsnew314-pep750).
 - [LiquidScript](https://github.com/jg-rp/liquidscript): A JavaScript engine for Liquid with a similar high-level API to Python Liquid.
 ## Quick Start

{python_liquid-2.0.2 → python_liquid-2.1.0}/README.md RENAMED Viewed

@@ -75,6 +75,7 @@ $ conda install -c conda-forge python-liquid
 - [Python Liquid2](https://github.com/jg-rp/python-liquid2): A new Python engine for Liquid with [extra features](https://jg-rp.github.io/python-liquid2/migration/#new-features).
 - [Ruby Liquid2](https://github.com/jg-rp/ruby-liquid2): Liquid2 templates for Ruby.
+- [Micro Liquid](https://github.com/jg-rp/micro-liquid): A stripped-down Liquid-like template engine for Python. You can think of it as a non-evaluating alternative to Python's [f-strings](https://docs.python.org/3/tutorial/inputoutput.html#formatted-string-literals) or [t-strings](https://docs.python.org/3.14/whatsnew/3.14.html#whatsnew314-pep750).
 - [LiquidScript](https://github.com/jg-rp/liquidscript): A JavaScript engine for Liquid with a similar high-level API to Python Liquid.
 ## Quick Start

{python_liquid-2.0.2 → python_liquid-2.1.0}/liquid/__init__.py RENAMED Viewed

@@ -56,7 +56,7 @@ from .tag import Tag
 from . import future
-__version__ = "2.0.2"
+__version__ = "2.1.0"
 __all__ = (
     "AwareBoundTemplate",

{python_liquid-2.0.2 → python_liquid-2.1.0}/liquid/builtin/__init__.py RENAMED Viewed

@@ -21,6 +21,7 @@ from .filters.array import sort_natural
 from .filters.array import sum_
 from .filters.array import uniq
 from .filters.array import where
+from .filters.extra import escapejs
 from .filters.extra import safe
 from .filters.math import abs_
 from .filters.math import at_least
@@ -197,3 +198,4 @@ def register(env: Environment) -> None:  # noqa: PLR0915
     env.add_filter("date", date)
     env.add_filter("safe", safe)
+    env.add_filter("escapejs", escapejs)

python_liquid-2.1.0/liquid/builtin/filters/extra.py ADDED Viewed

@@ -0,0 +1,83 @@
+"""Filters that don't exist in the reference implementation."""
+from __future__ import annotations
+import re
+from typing import TYPE_CHECKING
+from liquid import Markup
+from liquid.filter import string_filter
+from liquid.filter import with_environment
+if TYPE_CHECKING:
+    from liquid import Environment
+@with_environment
+@string_filter
+def safe(val: str, *, environment: Environment) -> str:
+    """Return a copy of _val_ that will not be automatically HTML escaped on output."""
+    if environment.autoescape:
+        return Markup(val)
+    return val
+# `escapejs` is inspired by https://github.com/salesforce/secure-filters and Django's
+# escapejs filter, https://github.com/django/django/blob/485f483d49144a2ea5401442bc3b937a370b3ca6/django/utils/html.py#L63
+_ESCAPE_MAP = {
+    "\\": "\\u005C",
+    "'": "\\u0027",
+    '"': "\\u0022",
+    ">": "\\u003E",
+    "<": "\\u003C",
+    "&": "\\u0026",
+    "=": "\\u003D",
+    "-": "\\u002D",
+    ";": "\\u003B",
+    "`": "\\u0060",
+    "\u2028": "\\u2028",
+    "\u2029": "\\u2029",
+}
+_ESCAPE_MAP.update({chr(c): f"\\u{c:04X}" for c in range(32)})
+_ESCAPE_RE = re.compile("[" + re.escape("".join(_ESCAPE_MAP.keys())) + "]")
+@with_environment
+@string_filter
+def escapejs(val: str, *, environment: Environment) -> str:
+    """Escape characters for safe use in JavaScript string literals.
+    This filter escapes a string for embedding inside **JavaScript string
+    literals**, using either single or double quotes (e.g. `'...'` or `"..."`).
+    It replaces control characters and potentially dangerous symbols with
+    their corresponding Unicode escape sequences.
+    **Important:** This filter does **not** make strings safe for use in
+    JavaScript template literals (backtick strings), or in raw JavaScript
+    expressions. Use it only when placing data inside quoted JS strings
+    within inline `<script>` blocks or event handlers.
+    **Recommended alternatives:**
+        - Pass data using HTML `data-*` attributes and read them in JS via
+          `element.dataset`.
+        - For structured data, prefer a JSON-serialization approach using the
+          JSON filter.
+    Escaped characters include:
+        - ASCII control characters (U+0000 to U+001F)
+        - Characters like quotes, angle brackets, ampersands, equals signs
+        - Line/paragraph separators (U+2028, U+2029)
+    Args:
+        val: The input string to escape.
+        environment: The active Liquid environment
+    Returns:
+        A JavaScript-safe string, with problematic characters escaped as Unicode.
+    """
+    escaped = _ESCAPE_RE.sub(lambda m: _ESCAPE_MAP[m.group()], val)
+    if environment.autoescape:
+        return Markup(escaped)
+    return escaped

{python_liquid-2.0.2 → python_liquid-2.1.0}/liquid/builtin/filters/string.py RENAMED Viewed

@@ -56,7 +56,35 @@ def downcase(val: str) -> str:
 @with_environment
 @string_filter
 def escape(val: str, *, environment: Environment) -> str:
-    """Return _val_ with the characters &, < and > converted to HTML-safe sequences."""
+    """Escape special characters in a string for safe use in HTML.
+    This filter replaces the characters `&`, `<`, `>`, `'`, and `"` with their
+    corresponding HTML-safe sequences:
+        - `&` -> `&amp;`
+        - `<` -> `&lt;`
+        - `>` -> `&gt;`
+        - `'` -> `&#39;`
+        - `"` -> `&#34;`
+    This helps prevent HTML injection (XSS) when rendering untrusted content in
+    HTML element bodies or attributes.
+    Important: This filter does **not** make strings safe for use in JavaScript,
+    including in `<script>` blocks, inline event handler attributes (e.g. `onerror`),
+    or other JavaScript contexts. For those cases, use the `escapejs` filter instead.
+    When `autoescape` is enabled in the environment, this filter uses the same
+    escaping logic as the environment (via `markupsafe.escape()`). Otherwise, it
+    falls back to Python's standard `html.escape()`.
+    Args:
+        val: The input string to escape.
+        environment: The current rendering environment.
+    Returns:
+        A string with HTML-special characters replaced by safe escape sequences.
+    """
     if environment.autoescape:
         return markupsafe_escape(str(val))
     return html.escape(val)
@@ -65,10 +93,14 @@ def escape(val: str, *, environment: Environment) -> str:
 @with_environment
 @string_filter
 def escape_once(val: str, *, environment: Environment) -> str:
-    """Return _val_ with the characters &, < and > converted to HTML-safe sequences.
+    """Escape a string for HTML, but avoid double-escaping existing entities.
+    Converts characters like `&`, `<`, and `>` to their HTML-safe sequences,
+    but leaves existing HTML entities untouched (e.g., `&amp;` stays `&amp;`).
+    This is useful when escaping content that may already be partially escaped.
-    It is safe to use `escape_one` on string values that already contain HTML escape
-    sequences.
+    See the `escape` filter for details and limitations.
     """
     if environment.autoescape:
         return Markup(val).unescape()

{python_liquid-2.0.2 → python_liquid-2.1.0}/pyproject.toml RENAMED Viewed

@@ -214,6 +214,7 @@ ignore = [
   "PLR2004",
   "S704",
   "TC006",
+  "PLW1641",
 ]
 fixable = ["I", "SIM", "D202"]

python_liquid-2.0.2/liquid/builtin/filters/extra.py DELETED Viewed

@@ -1,21 +0,0 @@
-"""Filters that don't exist in the reference implementation."""
-from __future__ import annotations
-from typing import TYPE_CHECKING
-from liquid import Markup
-from liquid.filter import string_filter
-from liquid.filter import with_environment
-if TYPE_CHECKING:
-    from liquid import Environment
-@with_environment
-@string_filter
-def safe(val: str, *, environment: Environment) -> str:
-    """Return a copy of _val_ that will not be automatically HTML escaped on output."""
-    if environment.autoescape:
-        return Markup(val)
-    return val