[1.1.X] Fixed #12070. Fixed a case where var._whatever wasn't raising a TemplateSyntaxError. Backport of r12539 from trunk.

jkocherhans · jkocherhans · commit f48cf954f80a · 2010-02-23T18:53:42.000Z
git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.1.X@12540 bcc190cf-cafb-0310-a4f2-bffc1f526a37
diff --git a/django/template/__init__.py b/django/template/__init__.py
@@ -518,8 +518,6 @@ def __init__(self, token, parser):
                         var_obj = None
                 elif var is None:
                     raise TemplateSyntaxError("Could not find variable at start of %s." % token)
-                elif var.find(VARIABLE_ATTRIBUTE_SEPARATOR + '_') > -1 or var[0] == '_':
-                    raise TemplateSyntaxError("Variables and attributes may not begin with underscores: '%s'" % var)
                 else:
                     var_obj = Variable(var)
             else:
@@ -678,6 +676,8 @@ def __init__(self, var):
             except ValueError:
                 # Otherwise we'll set self.lookups so that resolve() knows we're
                 # dealing with a bonafide variable
+                if var.find(VARIABLE_ATTRIBUTE_SEPARATOR + '_') > -1 or var[0] == '_':
+                    raise TemplateSyntaxError("Variables and attributes may not begin with underscores: '%s'" % var)
                 self.lookups = tuple(var.split(VARIABLE_ATTRIBUTE_SEPARATOR))
 
     def resolve(self, context):
diff --git a/tests/regressiontests/templates/parser.py b/tests/regressiontests/templates/parser.py
@@ -27,6 +27,13 @@
 []
 >>> fe.var
 u'Some "Good" News'
+
+Filtered variables should reject access of attributes beginning with underscores.
+
+>>> FilterExpression('article._hidden|upper', p)
+Traceback (most recent call last):
+...
+TemplateSyntaxError: Variables and attributes may not begin with underscores: 'article._hidden'
 """
 
 variable_parsing = r"""
@@ -56,4 +63,10 @@
 >>> Variable(ur"'Some \'Better\' News'").resolve(c)
 u"Some 'Better' News"
 
+Variables should reject access of attributes beginning with underscores.
+
+>>> Variable('article._hidden')
+Traceback (most recent call last):
+...
+TemplateSyntaxError: Variables and attributes may not begin with underscores: 'article._hidden'
 """
