Fix #1662: Avoid assigning arbitrary attributes to SafeString instances (#1663)

matthiask · web-flow · commit f1c03eb8e599 · 2022-08-17T19:36:24.000+02:00
diff --git a/debug_toolbar/panels/templates/views.py b/debug_toolbar/panels/templates/views.py
@@ -3,7 +3,7 @@
 from django.template import Origin, TemplateDoesNotExist
 from django.template.engine import Engine
 from django.template.loader import render_to_string
-from django.utils.safestring import mark_safe
+from django.utils.html import format_html, mark_safe
 
 from debug_toolbar.decorators import require_show_toolbar
 
@@ -50,12 +50,11 @@ def template_source(request):
         from pygments import highlight
         from pygments.formatters import HtmlFormatter
         from pygments.lexers import HtmlDjangoLexer
-
+    except ModuleNotFoundError:
+        source = format_html("<code>{}</code>", source)
+    else:
         source = highlight(source, HtmlDjangoLexer(), HtmlFormatter())
         source = mark_safe(source)
-        source.pygmentized = True
-    except ImportError:
-        pass
 
     content = render_to_string(
         "debug_toolbar/panels/template_source.html",
diff --git a/debug_toolbar/templates/debug_toolbar/panels/template_source.html b/debug_toolbar/templates/debug_toolbar/panels/template_source.html
@@ -5,10 +5,6 @@ <h3>{% trans "Template source:" %} <code>{{ template_name }}</code></h3>
 </div>
 <div class="djDebugPanelContent">
   <div class="djdt-scroll">
-    {% if not source.pygmentized %}
-      <code>{{ source }}</code>
-    {% else %}
-      {{ source }}
-    {% endif %}
+    {{ source }}
   </div>
 </div>
diff --git a/tox.ini b/tox.ini
@@ -17,6 +17,7 @@ deps =
     coverage
     Jinja2
     html5lib
+    pygments
     selenium
     sqlparse
 passenv=
