diff --git a/wagtail/wagtailadmin/blocks.py b/wagtail/wagtailadmin/blocks.py
index fcff0f9be..8424ee14f 100644
--- a/wagtail/wagtailadmin/blocks.py
+++ b/wagtail/wagtailadmin/blocks.py
@@ -19,6 +19,9 @@ from django.forms.utils import ErrorList
import six
+from wagtail.wagtailcore.utils import escape_script
+from wagtail.wagtailcore.rich_text import expand_db_html
+
# helpers for Javascript expression formatting
def indent(string, depth=1):
@@ -295,6 +298,14 @@ class CharBlock(FieldBlock):
# TODO: some kwargs, such as max_length, and *possibly* things like help_text, should be passed to
# the CharField constructor. Figure out a system for doing this
+class RichTextBlock(FieldBlock):
+ def __init__(self, **kwargs):
+ from wagtail.wagtailcore.fields import RichTextArea
+ super(RichTextBlock, self).__init__(CharField(widget=RichTextArea), **kwargs)
+
+ def render_basic(self, value):
+ return mark_safe('
' + expand_db_html(value) + '
')
+
# =======
# Chooser
# =======
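Review bot: `render_basic` in the new `RichTextBlock` passes `expand_db_html(value)` straight to `mark_safe`, and nothing visible in this hunk sanitises `value` first, so whatever HTML is stored for the block is emitted without autoescaping. The form field is a plain `CharField(widget=RichTextArea)`, which does no HTML filtering itself. If a whitelist is applied elsewhere (in the widget or inside `expand_db_html`, neither shown on this page), state that dependency on the method, e.g. `# value must already have passed the rich-text whitelist; mark_safe disables autoescaping here`. If no such filtering exists, the value should be cleaned before it is marked safe. The class would also benefit from a one-line docstring saying what kind of value it stores and renders.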
@@ -520,7 +531,7 @@ class ListBlock(Block):
return format_html(
'',
- self.definition_prefix, list_member_html
+ self.definition_prefix, mark_safe(escape_script(list_member_html))
)
def js_initializer(self):
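Review bot: The new `mark_safe(escape_script(list_member_html))` argument switches off `format_html`'s escaping for the member markup. Judging by the regex this commit removes from wagtailadmin_tags.py, `escape_script` only rewrites `</script>` closers, so the output is safe only if `list_member_html` is already fully escaped HTML. That invariant should be written down at the call, e.g. `# list_member_html is already-rendered form HTML; escape_script returns a plain str, so it is re-marked safe for format_html`. The same applies to the `mark_safe(escape_script(self.render_list_member(...)))` call in the `BaseStreamBlock` hunk below. The enclosing method starts outside this hunk, so where `list_member_html` comes from cannot be confirmed from here.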
@@ -644,7 +655,7 @@ class BaseStreamBlock(Block):
(
self.definition_prefix,
name,
- self.render_list_member(name, child_block.default, '__PREFIX__', '')
+ mark_safe(escape_script(self.render_list_member(name, child_block.default, '__PREFIX__', '')))
)
for name, child_block in self.child_blocks.items()
]
diff --git a/wagtail/wagtailadmin/static/wagtailadmin/js/blocks/sequence.js b/wagtail/wagtailadmin/static/wagtailadmin/js/blocks/sequence.js
index 090154fc7..a1d107f97 100644
--- a/wagtail/wagtailadmin/static/wagtailadmin/js/blocks/sequence.js
+++ b/wagtail/wagtailadmin/static/wagtailadmin/js/blocks/sequence.js
@@ -80,11 +80,17 @@ For example, they don't assume the presence of a 'delete' button - it's up to th
newMember._markAdded();
}
+ function elementFromTemplate(template, newPrefix) {
+ /* generate a jquery object ready to be inserted into the list, based on the passed HTML template string.
+ '__PREFIX__' will be substituted with newPrefix, and script tags escaped as <-/script> will be un-escaped */
+ return $(template.replace(/__PREFIX__/g, newPrefix).replace(/<-(-*)\/script>/g, '<$1/script>'));
+ }
+
self.insertMemberBefore = function(otherMember, template) {
newMemberPrefix = getNewMemberPrefix();
/* Create the new list member element with the real prefix substituted in */
- var elem = $(template.replace(/__PREFIX__/g, newMemberPrefix));
+ var elem = elementFromTemplate(template, newMemberPrefix);
otherMember.container.before(elem);
var newMember = SequenceMember(self, newMemberPrefix);
var index = otherMember.getIndex();
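Review bot: The un-escape pattern in `elementFromTemplate`, `/<-(-*)\/script>/g`, recognises only the exact lowercase `</script>` spelling, and the server-side regex it mirrors (the `SCRIPT_RE` removed from wagtailadmin_tags.py) was equally strict. HTML parsers also end a script element on `</SCRIPT>` or `</script >`, so a member template containing either form would close the surrounding template `<script>` early. Whether rendered member markup can ever contain such a form is not visible here, but matching the tag name case-insensitively and not requiring the `>` would remove the assumption: `.replace(/<-(-*)\/(script)/gi, '<$1/$2')`. `escape_script` must be changed in the same way at the same time, otherwise the two sides no longer round-trip. The function is nested in an enclosing scope that starts outside this hunk.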
@@ -105,7 +111,7 @@ For example, they don't assume the presence of a 'delete' button - it's up to th
newMemberPrefix = getNewMemberPrefix();
/* Create the new list member element with the real prefix substituted in */
- var elem = $(template.replace(/__PREFIX__/g, newMemberPrefix));
+ var elem = elementFromTemplate(template, newMemberPrefix);
otherMember.container.after(elem);
var newMember = SequenceMember(self, newMemberPrefix);
var index = otherMember.getIndex() + 1;
@@ -130,7 +136,7 @@ For example, they don't assume the presence of a 'delete' button - it's up to th
newMemberPrefix = getNewMemberPrefix();
/* Create the new list member element with the real prefix substituted in */
- var elem = $(template.replace(/__PREFIX__/g, newMemberPrefix));
+ var elem = elementFromTemplate(template, newMemberPrefix);
list.prepend(elem);
var newMember = SequenceMember(self, newMemberPrefix);
@@ -150,7 +156,7 @@ For example, they don't assume the presence of a 'delete' button - it's up to th
newMemberPrefix = getNewMemberPrefix();
/* Create the new list member element with the real prefix substituted in */
- var elem = $(template.replace(/__PREFIX__/g, newMemberPrefix));
+ var elem = elementFromTemplate(template, newMemberPrefix);
list.append(elem);
var newMember = SequenceMember(self, newMemberPrefix);
diff --git a/wagtail/wagtailadmin/templatetags/wagtailadmin_tags.py b/wagtail/wagtailadmin/templatetags/wagtailadmin_tags.py
index cb049d0e8..650e49f35 100644
--- a/wagtail/wagtailadmin/templatetags/wagtailadmin_tags.py
+++ b/wagtail/wagtailadmin/templatetags/wagtailadmin_tags.py
@@ -1,14 +1,12 @@
from __future__ import unicode_literals
-import re
-
from django.conf import settings
from django import template
from django.contrib.humanize.templatetags.humanize import intcomma
from wagtail.wagtailcore import hooks
from wagtail.wagtailcore.models import get_navigation_menu_items, UserPagePermissionsProxy, PageViewRestriction
-from wagtail.wagtailcore.utils import camelcase_to_underscore
+from wagtail.wagtailcore.utils import camelcase_to_underscore, escape_script
from wagtail.wagtailadmin.menu import admin_menu
@@ -136,7 +134,6 @@ def usage_count_enabled():
class EscapeScriptNode(template.Node):
TAG_NAME = 'escapescript'
- SCRIPT_RE = re.compile(r'<(-*)/script>')
def __init__(self, nodelist):
super(EscapeScriptNode, self).__init__()
@@ -144,8 +141,7 @@ class EscapeScriptNode(template.Node):
def render(self, context):
out = self.nodelist.render(context)
- escaped_out = self.SCRIPT_RE.sub(r'<-\1/script>', out)
- return escaped_out
+ return escape_script(out)
@classmethod
def handle(cls, parser, token):
diff --git a/wagtail/wagtailadmin/tests/test_blocks.py b/wagtail/wagtailadmin/tests/test_blocks.py
index 78c94bea9..2de2aeb5d 100644
--- a/wagtail/wagtailadmin/tests/test_blocks.py
+++ b/wagtail/wagtailadmin/tests/test_blocks.py
@@ -113,8 +113,8 @@ class TestStructBlock(unittest.TestCase):
def test_render(self):
class LinkBlock(blocks.StructBlock):
- title = blocks.FieldBlock(forms.CharField(label="Title"))
- link = blocks.FieldBlock(forms.URLField(label="Link"))
+ title = blocks.FieldBlock(forms.CharField())
+ link = blocks.FieldBlock(forms.URLField())
block = LinkBlock()
html = block.render({
@@ -127,6 +127,27 @@ class TestStructBlock(unittest.TestCase):
self.assertIn('