Forwardport of ae1d663b
from stable/1.8.x plus more.

This is a security fix; disclosure to follow shortly.

Since Python 2.7 and 3.1, "{0} {1}" is equivalent to "{} {}".

Refs #22267.

Thanks Md. Enzam Hossain for the report and initial patch, and
Tim Graham for the review.

Also the unused, undocumented django.utils.html.strip_entities() function.

The fact that strip_tags cannot guarantee to really strip all
non-safe HTML content was not clear enough. Also see:
https://www.djangoproject.com/weblog/2014/mar/22/strip-tags-advisory/

Also removed related utility functions:
* django.utils.html.fix_ampersands
* django.utils.html.clean_html

Thanks Anssi Kääriäinen for the idea and Simon Charette for the
review.

The idea is that if an object implements __html__ which returns a string this is
used as HTML representation (eg: on escaping). If the object is a str or unicode
subclass and returns itself the object is a safe string type.

This is an updated patch based on jbalogh and ivank patches.

Refs #20680.

The regex method used until now for the strip_tags utility is fast,
but subject to flaws and security issues. Consensus and good
practice lead use to use a slower but safer method.

Without this, the 'new' assertion methods are not present with
Python 2.6.

Refs #19237.

Thanks Pablo Recio for the report. Refs #19237.

The previous pattern didn't properly addressed cases where '>'
was present inside quoted tag content.

Patch by @jphalip updated to apply, documentation and release notes
added.

I've documented strip_tags as well as remove_tags as the difference
between the two wouldn't be immediately obvious.

They break Python 3.

Thanks Vinay Sajip for the support of his django3 branch and
Jannis Leidel for the review.

Thanks to Nikolay for the report, and gav and aaugustin for the patch.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@16118 bcc190cf-cafb-0310-a4f2-bffc1f526a37

Fixed #2986 -- Made the JavaScript code that drives related model instance addition in a popup window handle a model representation containing new lines. Also, moved the escapejs functionality yoo django.utils.html so it can be used from Python code. Thanks andrewwatts for the patch.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@15131 bcc190cf-cafb-0310-a4f2-bffc1f526a37

A few test optimizations; using native unittest where no Django-specific TestCase features are required.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@13935 bcc190cf-cafb-0310-a4f2-bffc1f526a37

git-svn-id: http://code.djangoproject.com/svn/django/trunk@13889 bcc190cf-cafb-0310-a4f2-bffc1f526a37