Commit Graph

202 Commits

Author SHA1 Message Date
Luka Jeran
6ec6ddea9b
Avoid inline script execution for injecting CSRF token (#7016)
Scripts with type="application/json" or "text/plain" are not executed, so we can
use them to inject dynamic CSRF data, without allowing inline-script execution
in Content-Security-Policy.
2022-11-29 16:10:32 +00:00
Tom Christie
7b53960c3b
Revert "made Browsable API base template cachable: omit CSRF token when unnecessary (#7717)" (#7847)
This reverts commit 9c9ffb18f4.
2021-03-17 13:24:55 +00:00
Jesse London
9c9ffb18f4
made Browsable API base template cachable: omit CSRF token when unnecessary (#7717)
HTML responses generated by the Browsable API otherwise generate
inconsistent ETAGs -- due to the presence of CSRF tokens in the response
-- even when the API is read-only, (and as such when the response
contains no resource-modifying forms, i.e. neither POST nor PUT forms,
which might require the CSRF token).

While the template was appropriately including CSRF tokens only within
POST and PUT forms, its AJAX overlay included the CSRF token in *every*
response, regardless of whether it would be needed.

This change brings the logic of the `script` block into line with that
of the rest of the template -- and such that read-only APIs (and really
the Browsable API pages of *any* read-only resources) will not
needlessly include the CSRF token, and will now be safely cachable -- by
both back-end systems and by the user agent.
2021-03-16 13:25:21 +00:00
Cas Ebbers
393f867995
Overlooked translation in search.html (#7551) 2021-03-09 10:21:11 +00:00
Tom Christie
ae649336b1
Drop urlize_quoted_links (#7548) 2020-09-23 15:39:06 +01:00
Adam Johnson
410575dace
Replace all url() calls with path() or re_path() (#7512)
* url() is deprecated in Django 3.1

* update given feedbacks on url() is deprecated in Django 3.1

* Fix test_urlpatterns.py to continue testing mixed re_path() and path()

* Fix one missed reference

Co-authored-by: sanjusci <sanju.sci9@gmail.com>
2020-09-08 15:32:27 +01:00
Asif Saif Uddin
1260ed424a
jquery 3.5.1 (#7313)
* jquery 3.5.1
2020-05-11 13:08:40 +01:00
Greg Curtis
42fd179d4e upgrade jQuery to latest version (#6728) 2019-07-01 13:16:21 +01:00
Afnarel
67d2eabd6c Fix username in template for custom user models (#6612) 2019-05-01 17:23:23 -07:00
jeffrey k eliasen
eb3180173e Made templates compatible with session-based CSRF. (#6207) 2019-02-19 12:15:03 +01:00
Carlton Gibson
f54a220d8f
Corrected coreapi CLI code example generation. (#6428)
Remove “> “ when rendering template.
Closes #6333.
2019-01-31 11:36:40 +01:00
Andy Babic
87ade870c3 Added 'request_forms' block to base.html (#6340) 2019-01-24 16:30:46 +01:00
Yury V. Zaytsev
4bb9a3c484 Fix XSS caused by disabled autoescaping in the default DRF Browsable API view templates (#6330)
* Add test that verifies that HTML is correctly escaped in Browsable API views

* Fix `urlize_quoted_links` tag to avoid double escaping in autoescape mode

* Fix XSS in default DRF Browsable API template by re-enabling autoescape
2019-01-16 12:36:25 +00:00
HoangYell
b61806e3b3 add "js-tooltip" class to "POST" button (#6344)
the tool tip of "POST" button is different from other buttons, since it loses the "js-tooltip" class.
2018-12-03 12:10:05 +00:00
Jon Dufresne
878f9d2783 Prefer https:// for URLs when available throughout project (#6208) 2018-10-02 08:28:58 +02:00
Ryan P Kilby
f89cc066bc Admin renderer urls (#5988)
* Make admin detail link have small width

* Disable admin detail link when no URL

* Add 'AdminRenderer.get_result_url'

Attempts to reverse the result's detail view URL.
2018-07-06 10:58:26 +02:00
Ryan P Kilby
0148a9f8da Improvements to ViewSet extra actions (#5605)
* View suffix already set by initializer

* Add 'name' and 'description' attributes to ViewSet

ViewSets may now provide their `name` and `description` attributes
directly, instead of relying on view introspection to derive them.
These attributes may also be provided with the view's initkwargs.

The ViewSet `name` and `suffix` initkwargs are mutually exclusive.

The `action` decorator now provides the `name` and `description` to
the view's initkwargs. By default, these values are derived from the
method name and its docstring. The `name` may be overridden by providing
it as an argument to the decorator.

The `get_view_name` and `get_view_description` hooks now provide the
view instance to the handler, instead of the view class. The default
implementations of these handlers now respect the `name`/`description`.

* Add 'extra actions' to ViewSet & browsable APIs

* Update simple router tests

Removed old test logic around link/action decorators from `v2.3`. Also
simplified the test by making the results explicit instead of computed.

* Add method mapping to ViewSet actions

* Document extra action method mapping
2018-07-06 10:33:10 +02:00
Jimmy Merrild Krag
4260531b6c Render descriptions (from help_text) using safe (#5869)
To allow embedded HTML, and make consistent with other usages.

Fixes #5715.
2018-04-20 15:51:27 +02:00
Carlton Gibson
e34fd995cd
Made TemplateHTMLRenderer render IntegerField inputs when value is 0. (#5834)
* Fix 0 value IntegerField in TemplateHTMLRenderer

Signed-off-by: Nikhil Sheoran <nikhilsheoran96@gmail.com>

* Remove unnecessary `field.value != “”` check

* Adjust test case

Uses `vertical` templates only.
2018-02-16 16:48:20 +01:00
Carlton Gibson
7d0d22ffaa Use single copy of static assets. Update jQuery (#5823)
* Move font-awesome to top level.

* Use top-level jQuery & Bootstrap

* Update to jQuery v3.3.1

Compatible with Bootstrap v3.3.7
c.f. https://github.com/twbs/bootstrap/issues/16834#issuecomment-251996660

* Re-add bootstrap-theme
2018-02-12 14:14:44 +00:00
Jon Dufresne
052a20cd7b Load 'static' instead of 'staticfiles' in templates (#5773) 2018-01-26 00:43:55 -05:00
Carlton Gibson
a540acdc95
Allowed customising API documentation code samples (#5752)
* Allowed additional languages in API documentation

* Documented renderer_classes parameter and customising languages.
2018-01-25 09:39:03 +01:00
Ryan P Kilby
b7ed645927 Disable HTML inputs for dict/list fields (#5702) 2018-01-02 10:50:49 +01:00
Éric Araujo
265375c104 add missing template change for #5584 (#5587) 2017-11-11 08:43:00 +01:00
Jon Dufresne
f9c67f04d4 Clean up all whitespace throughout project (#5578)
* Remove trailing whitespace from lines
* Remove trailing nad leading whitespace from files

Allows for cleaner diffs in future changes. For editors that
automatically clean up whitespace on save, will avoid unrelated line
changes in diffs.
2017-11-09 20:57:53 +01:00
Carlton Gibson
565c722762
Add interactive docs error template (#5548) 2017-11-06 09:04:07 +01:00
Carlton Gibson
d8da6bb29b Update coreapi JS to 0.1.1 (#5479)
Ref #5059
2017-10-05 13:40:28 +02:00
Carlton Gibson
dc4a98fbe8 Fix documentation data rendering (#5472)
* Add failing test for #5395

* Add data filter for use in templates

Closes #5395

* Fix isort
2017-10-02 13:26:44 +02:00
Ryan P Kilby
018e43e908 Remove old django-filter templates (#5465) 2017-09-29 15:42:24 +01:00
Daniel Hahler
e389336ad7 docs/link.html: fix/remove undefined template var "schema" 2017-08-21 14:47:43 +02:00
Woile
11bc1fe282 Fix JS data binding 2017-08-17 12:33:59 +02:00
Woile
ed38371c3a Fix docs multiple nested and multiple methods 2017-08-15 16:59:50 +02:00
Tom Christie
c7e2bad524 Merge pull request #5189 from myrubapa/master
Fix API documentation templates do not check for user authentication #5162
2017-07-10 10:28:33 +01:00
Pierre Sassoulas
903ef4917a Feat - Added aria-label and a new region for accessibility purpose
Navigating the page with a reader is easier is there is aria-label
and region.

https://www.w3.org/WAI/
2017-06-02 09:49:00 +02:00
Bekhzod Tillakhanov
c96fa224c7 Fix ul inner li 2017-05-30 00:29:11 +05:00
Bekhzod Tillakhanov
84e22cc2f3 Scheme fix when unauth and Flask8 lint fix 2017-05-30 00:15:07 +05:00
Tom Christie
e8ff5e268b Javascript fixes for API docs 2017-05-12 16:48:53 +01:00
José Padilla
d8507d3f9c
Move bootstrap modal data attrs to anchor 2017-03-17 21:44:11 -04:00
Jeff Johnson
323f59091c add content block and breadcrumbs_empty block to allow base.html to be reused 2017-03-16 09:03:45 -04:00
Tom Christie
0173e9bd21 Use 'items' templatetag throughout. 2017-03-13 12:35:19 +00:00
Kedar
9e62bc51ec Update coreapi.js version 2017-03-11 11:19:26 +05:30
Tom Christie
7a8fb262f2 Fallback to more widely supported JS feature sets. (#4961) 2017-03-10 12:07:15 +00:00
Tom Christie
52db57a6e7 Version 3.6 (#4943) 2017-03-09 14:49:51 +00:00
Tom Christie
68d2020112 Live API documentation (#4755) 2017-03-03 15:24:37 +00:00
Tim Watts
8df340908b Add failing tests and fix for dict that have a key items #4931 (#4932) 2017-03-03 09:23:09 +00:00
Ekwenugo Mirabel
217a81f19b Use correct label for username field in login template (#4841) 2017-01-24 09:07:32 +00:00
James Beith
befacfb00d Add autofocus support for input.html templates (#4650)
This change adds support to use `'autofocus': True` in the style options and have the `autofocus` attribute included on the input field when rendered.
2016-11-07 11:34:53 +00:00
Alex Kahan
895c67c9a2 Fixes #4532 (#4636) 2016-10-31 20:41:54 +00:00
Tanner Hobson
fe4c4fa751 Fix indentation regression in API listing (#4493)
In commit 5392be4ddb, there was a change
made when cleaning up the template for the API listing that caused 2
spaces to appear before every header item (except the first) and before
the first line of the body of the response. This meant that it often
looked like:

HTTP 200 OK
  Allow: GET, OPTIONS
  Content-Type: application/json
  Vary: Accept

  {
    "key": "value",
    "key2": "value2"
}

This change removes those leading spaces, so that it will now look like:

HTTP 200 OK
Allow: GET, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "key": "value",
    "key2": "value2"
}
2016-09-17 03:09:49 +01:00
José Padilla
6b6f319509 Add missing comma (#4473) 2016-09-08 14:01:26 +01:00