5 files changed, 233 insertions(+), 14 deletions(-)

M docs/release_notes.rst
M wiki/forms.py
A wiki/static/wiki/js/urlify.js
M wiki/templates/wiki/create.html
M wiki/tests/test_views.py

@@ 39,6 39,8 @@ django-wiki 0.2 (dev)
  * Added Django 1.10 support #563
  * Security: Do not depend on markdown ``safe_mode``, instead use ``bleach``.
  * Fix duplicate search results when logged in #582 (duvholt)
+ * Do not allow slugs only consisting of numbers #558
+ * Copy in urlify.js and fix auto-population of slug field in Django 1.9+ #554
  * Fix memory leak in markdown extensions setting #564
  * Updated translations - Languages > 90% completed: Chinese (China), Portuguese (Brazil), Korean (Korea), French, Slovak, Spanish, Dutch, German, Russian, Finnish.
  * Taiwanese Chinese added (39% completed)

@@ 9,7 9,9 @@ from itertools import chain
 from django import forms
 from django.apps import apps
 from django.contrib.auth.forms import UserCreationForm
+from django.core import validators
 from django.core.urlresolvers import Resolver404, resolve
+from django.core.validators import RegexValidator
 from django.forms.widgets import HiddenInput
 from django.utils import timezone
 from django.utils.html import conditional_escape, escape


@@ 32,6 34,32 @@ except ImportError:
         return(x)
 
 
+validate_slug_numbers = RegexValidator(
+    r'^\d+$',
+    _("A 'slug' cannot consist solely of numbers."),
+    'invalid',
+    inverse_match=True
+)
+
+
+class WikiSlugField(forms.SlugField):
+    """
+    In future versions of Django, we might be able to define this field as
+    the default field directly on the model. For now, it's used in CreateForm.
+    """
+
+    default_validators = [validators.validate_slug, validate_slug_numbers]
+
+    def __init__(self, *args, **kwargs):
+        self.allow_unicode = kwargs.pop('allow_unicode', False)
+        if self.allow_unicode:
+            self.default_validators = [
+                validators.validate_unicode_slug,
+                validate_slug_numbers
+            ]
+        super(forms.SlugField, self).__init__(*args, **kwargs)
+
+
 User = get_user_model()
 Group = apps.get_model(settings.GROUP_MODEL)
 


@@ 313,7 341,7 @@ class CreateForm(forms.Form, SpamProtectionMixin):
         self.urlpath_parent = urlpath_parent
 
     title = forms.CharField(label=_('Title'),)
-    slug = forms.SlugField(
+    slug = WikiSlugField(
         label=_('Slug'),
         help_text=_(
             "This will be the address where your article can be found. Use only alphanumeric characters and - or _. Note that you cannot change the slug after creating the article."),

@@ 0,0 1,185 @@
+/*
+Patched version of Django's URLify since Django put everything into a protected
+namespace and hence we couldn't change its behavior from outside.
+*/
+/*global XRegExp*/
+(function() {
+    'use strict';
+
+    var LATIN_MAP = {
+        'À': 'A', 'Á': 'A', 'Â': 'A', 'Ã': 'A', 'Ä': 'A', 'Å': 'A', 'Æ': 'AE',
+        'Ç': 'C', 'È': 'E', 'É': 'E', 'Ê': 'E', 'Ë': 'E', 'Ì': 'I', 'Í': 'I',
+        'Î': 'I', 'Ï': 'I', 'Ð': 'D', 'Ñ': 'N', 'Ò': 'O', 'Ó': 'O', 'Ô': 'O',
+        'Õ': 'O', 'Ö': 'O', 'Ő': 'O', 'Ø': 'O', 'Ù': 'U', 'Ú': 'U', 'Û': 'U',
+        'Ü': 'U', 'Ű': 'U', 'Ý': 'Y', 'Þ': 'TH', 'Ÿ': 'Y', 'ß': 'ss', 'à ': 'a',
+        'á': 'a', 'â': 'a', 'ã': 'a', 'ä': 'a', 'å': 'a', 'æ': 'ae', 'ç': 'c',
+        'è': 'e', 'é': 'e', 'ê': 'e', 'ë': 'e', 'ì': 'i', 'í': 'i', 'î': 'i',
+        'ï': 'i', 'ð': 'd', 'ñ': 'n', 'ò': 'o', 'ó': 'o', 'ô': 'o', 'õ': 'o',
+        'ö': 'o', 'ő': 'o', 'ø': 'o', 'ù': 'u', 'ú': 'u', 'û': 'u', 'ü': 'u',
+        'ű': 'u', 'ý': 'y', 'þ': 'th', 'ÿ': 'y'
+    };
+    var LATIN_SYMBOLS_MAP = {
+        '©': '(c)'
+    };
+    var GREEK_MAP = {
+        'α': 'a', 'β': 'b', 'γ': 'g', 'δ': 'd', 'ε': 'e', 'ζ': 'z', 'η': 'h',
+        'θ': '8', 'ι': 'i', 'κ': 'k', 'λ': 'l', 'μ': 'm', 'ν': 'n', 'ξ': '3',
+        'ο': 'o', 'π': 'p', 'ρ': 'r', 'σ': 's', 'τ': 't', 'υ': 'y', 'φ': 'f',
+        'χ': 'x', 'ψ': 'ps', 'ω': 'w', 'ά': 'a', 'έ': 'e', 'ί': 'i', 'ό': 'o',
+        'ύ': 'y', 'ή': 'h', 'ώ': 'w', 'ς': 's', 'ϊ': 'i', 'ΰ': 'y', 'ϋ': 'y',
+        'ΐ': 'i', 'Α': 'A', 'Β': 'B', 'Γ': 'G', 'Δ': 'D', 'Ε': 'E', 'Ζ': 'Z',
+        'Η': 'H', 'Θ': '8', 'Ι': 'I', 'Κ': 'K', 'Λ': 'L', 'Μ': 'M', 'Ν': 'N',
+        'Ξ': '3', 'Ο': 'O', 'Π': 'P', 'Ρ': 'R', 'Σ': 'S', 'Τ': 'T', 'Υ': 'Y',
+        'Φ': 'F', 'Χ': 'X', 'Ψ': 'PS', 'Ω': 'W', 'Ά': 'A', 'Έ': 'E', 'Ί': 'I',
+        'Ό': 'O', 'Ύ': 'Y', 'Ή': 'H', 'Ώ': 'W', 'Ϊ': 'I', 'Ϋ': 'Y'
+    };
+    var TURKISH_MAP = {
+        'ş': 's', 'Ş': 'S', 'ı': 'i', 'İ': 'I', 'ç': 'c', 'Ç': 'C', 'ü': 'u',
+        'Ü': 'U', 'ö': 'o', 'Ö': 'O', 'ğ': 'g', 'Ğ': 'G'
+    };
+    var ROMANIAN_MAP = {
+        'ă': 'a', 'î': 'i', 'ș': 's', 'ț': 't', 'â': 'a',
+        'Ă': 'A', 'Î': 'I', 'Ș': 'S', 'Ț': 'T', 'Â': 'A'
+    };
+    var RUSSIAN_MAP = {
+        'а': 'a', 'б': 'b', 'в': 'v', 'г': 'g', 'д': 'd', 'е': 'e', 'ё': 'yo',
+        'ж': 'zh', 'з': 'z', 'и': 'i', 'й': 'j', 'к': 'k', 'л': 'l', 'м': 'm',
+        'н': 'n', 'о': 'o', 'п': 'p', 'р': 'r', 'с': 's', 'т': 't', 'у': 'u',
+        'ф': 'f', 'х': 'h', 'ц': 'c', 'ч': 'ch', 'ш': 'sh', 'щ': 'sh', 'ъ': '',
+        'ы': 'y', 'ь': '', 'э': 'e', 'ю': 'yu', 'я': 'ya',
+        'А': 'A', 'Б': 'B', 'В': 'V', 'Г': 'G', 'Д': 'D', 'Е': 'E', 'Ё': 'Yo',
+        'Ж': 'Zh', 'З': 'Z', 'И': 'I', 'Й': 'J', 'К': 'K', 'Л': 'L', 'М': 'M',
+        'Н': 'N', 'О': 'O', 'П': 'P', 'Р': 'R', 'С': 'S', 'Т': 'T', 'У': 'U',
+        'Ф': 'F', 'Х': 'H', 'Ц': 'C', 'Ч': 'Ch', 'Ш': 'Sh', 'Щ': 'Sh', 'Ъ': '',
+        'Ы': 'Y', 'Ь': '', 'Э': 'E', 'Ю': 'Yu', 'Я': 'Ya'
+    };
+    var UKRAINIAN_MAP = {
+        'Є': 'Ye', 'І': 'I', 'Ї': 'Yi', 'Ґ': 'G', 'є': 'ye', 'і': 'i',
+        'Ñ—': 'yi', 'Ò‘': 'g'
+    };
+    var CZECH_MAP = {
+        'č': 'c', 'ď': 'd', 'ě': 'e', 'ň': 'n', 'ř': 'r', 'š': 's', 'ť': 't',
+        'ů': 'u', 'ž': 'z', 'Č': 'C', 'Ď': 'D', 'Ě': 'E', 'Ň': 'N', 'Ř': 'R',
+        'Š': 'S', 'Ť': 'T', 'Ů': 'U', 'Ž': 'Z'
+    };
+    var POLISH_MAP = {
+        'ą': 'a', 'ć': 'c', 'ę': 'e', 'ł': 'l', 'ń': 'n', 'ó': 'o', 'ś': 's',
+        'ź': 'z', 'ż': 'z',
+        'Ą': 'A', 'Ć': 'C', 'Ę': 'E', 'Ł': 'L', 'Ń': 'N', 'Ó': 'O', 'Ś': 'S',
+        'Ź': 'Z', 'Ż': 'Z'
+    };
+    var LATVIAN_MAP = {
+        'ā': 'a', 'č': 'c', 'ē': 'e', 'ģ': 'g', 'ī': 'i', 'ķ': 'k', 'ļ': 'l',
+        'ņ': 'n', 'š': 's', 'ū': 'u', 'ž': 'z',
+        'Ā': 'A', 'Č': 'C', 'Ē': 'E', 'Ģ': 'G', 'Ī': 'I', 'Ķ': 'K', 'Ļ': 'L',
+        'Ņ': 'N', 'Š': 'S', 'Ū': 'U', 'Ž': 'Z'
+    };
+    var ARABIC_MAP = {
+        'أ': 'a', 'ب': 'b', 'ت': 't', 'ث': 'th', 'ج': 'g', 'ح': 'h', 'خ': 'kh', 'د': 'd',
+        'ذ': 'th', 'ر': 'r', 'ز': 'z', 'س': 's', 'ش': 'sh', 'ص': 's', 'ض': 'd', 'ط': 't',
+        'ظ': 'th', 'ع': 'aa', 'غ': 'gh', 'ف': 'f', 'ق': 'k', 'ك': 'k', 'ل': 'l', 'م': 'm',
+        'Ù†': 'n', 'Ù‡': 'h', 'Ùˆ': 'o', 'ÙŠ': 'y'
+    };
+    var LITHUANIAN_MAP = {
+        'ą': 'a', 'č': 'c', 'ę': 'e', 'ė': 'e', 'į': 'i', 'š': 's', 'ų': 'u',
+        'ū': 'u', 'ž': 'z',
+        'Ą': 'A', 'Č': 'C', 'Ę': 'E', 'Ė': 'E', 'Į': 'I', 'Š': 'S', 'Ų': 'U',
+        'Ū': 'U', 'Ž': 'Z'
+    };
+    var SERBIAN_MAP = {
+        'ђ': 'dj', 'ј': 'j', 'љ': 'lj', 'њ': 'nj', 'ћ': 'c', 'џ': 'dz',
+        'đ': 'dj', 'Ђ': 'Dj', 'Ј': 'j', 'Љ': 'Lj', 'Њ': 'Nj', 'Ћ': 'C',
+        'Џ': 'Dz', 'Đ': 'Dj'
+    };
+    var AZERBAIJANI_MAP = {
+        'ç': 'c', 'ə': 'e', 'ğ': 'g', 'ı': 'i', 'ö': 'o', 'ş': 's', 'ü': 'u',
+        'Ç': 'C', 'Ə': 'E', 'Ğ': 'G', 'İ': 'I', 'Ö': 'O', 'Ş': 'S', 'Ü': 'U'
+    };
+    var GEORGIAN_MAP = {
+        'ა': 'a', 'ბ': 'b', 'გ': 'g', 'დ': 'd', 'ე': 'e', 'ვ': 'v', 'ზ': 'z',
+        'თ': 't', 'ი': 'i', 'კ': 'k', 'ლ': 'l', 'მ': 'm', 'ნ': 'n', 'ო': 'o',
+        'პ': 'p', 'ჟ': 'j', 'რ': 'r', 'ს': 's', 'ტ': 't', 'უ': 'u', 'ფ': 'f',
+        'ქ': 'q', 'ღ': 'g', 'ყ': 'y', 'შ': 'sh', 'ჩ': 'ch', 'ც': 'c', 'ძ': 'dz',
+        'წ': 'w', 'ჭ': 'ch', 'ხ': 'x', 'ჯ': 'j', 'ჰ': 'h'
+    };
+
+    var ALL_DOWNCODE_MAPS = [
+        LATIN_MAP,
+        LATIN_SYMBOLS_MAP,
+        GREEK_MAP,
+        TURKISH_MAP,
+        ROMANIAN_MAP,
+        RUSSIAN_MAP,
+        UKRAINIAN_MAP,
+        CZECH_MAP,
+        POLISH_MAP,
+        LATVIAN_MAP,
+        ARABIC_MAP,
+        LITHUANIAN_MAP,
+        SERBIAN_MAP,
+        AZERBAIJANI_MAP,
+        GEORGIAN_MAP
+    ];
+
+    var Downcoder = {
+        'Initialize': function() {
+            if (Downcoder.map) {  // already made
+                return;
+            }
+            Downcoder.map = {};
+            Downcoder.chars = [];
+            for (var i = 0; i < ALL_DOWNCODE_MAPS.length; i++) {
+                var lookup = ALL_DOWNCODE_MAPS[i];
+                for (var c in lookup) {
+                    if (lookup.hasOwnProperty(c)) {
+                        Downcoder.map[c] = lookup[c];
+                    }
+                }
+            }
+            for (var k in Downcoder.map) {
+                if (Downcoder.map.hasOwnProperty(k)) {
+                    Downcoder.chars.push(k);
+                }
+            }
+            Downcoder.regex = new RegExp(Downcoder.chars.join('|'), 'g');
+        }
+    };
+
+    function downcode(slug) {
+        Downcoder.Initialize();
+        return slug.replace(Downcoder.regex, function(m) {
+            return Downcoder.map[m];
+        });
+    }
+
+
+    function URLify(s, num_chars, allowUnicode) {
+        // changes, e.g., "Petty theft" to "petty-theft"
+        // remove all these words from the string before urlifying
+        if (!allowUnicode) {
+            s = downcode(s);
+        }
+
+        /*
+        THIS IS THE PATCHED PART! We removed all the words and thus preserve
+        any "and", "the", "an" etc. in the slug.
+        */
+        var removelist = [];
+
+        var r = new RegExp('\\b(' + removelist.join('|') + ')\\b', 'gi');
+        s = s.replace(r, '');
+        // if downcode doesn't hit, the char will be stripped here
+        if (allowUnicode) {
+            // Keep Unicode letters including both lowercase and uppercase
+            // characters, whitespace, and dash; remove other characters.
+            s = XRegExp.replace(s, XRegExp('[^-_\\p{L}\\p{N}\\s]', 'g'), '');
+        } else {
+            s = s.replace(/[^-\w\s]/g, '');  // remove unneeded chars
+        }
+        s = s.replace(/^\s+|\s+$/g, '');   // trim leading/trailing spaces
+        s = s.replace(/[-\s]+/g, '-');     // convert spaces to hyphens
+        s = s.toLowerCase();               // convert to lowercase
+        return s.substring(0, num_chars);  // trim to first num_chars chars
+    }
+    window.URLify = URLify;
+})();

@@ 9,19 9,6 @@
   {% addtoblock "js" %}
   <script type="text/javascript" src="{% static "admin/js/urlify.js" %}"></script>
   <script type="text/javascript">
-  // Replacement of django's URLify that doesn't remove any words.
-  function URLify(s, num_chars) {
-      s = downcode(s);
-      removelist = [];
-      r = new RegExp('\\b(' + removelist.join('|') + ')\\b', 'gi');
-      s = s.replace(r, '');
-      // if downcode doesn't hit, the char will be stripped here
-      s = s.replace(/[^-\w\s]/g, '');  // remove unneeded chars
-      s = s.replace(/^\s+|\s+$/g, ''); // trim leading/trailing spaces
-      s = s.replace(/\s+/g, '_');      // convert whitespace to underscores
-      s = s.toLowerCase();             // convert to lowercase
-      return s.substring(0, num_chars);// trim to first num_chars chars
-  }
   {% if not create_form.slug.value %}
   //<![CDATA[
   (function($) {

@@ 3,7 3,9 @@ from __future__ import absolute_import, print_function, unicode_literals
 import pprint
 
 from django.contrib.auth import authenticate
+from django.utils.html import escape
 from wiki import models
+from wiki.forms import validate_slug_numbers
 from wiki.models import reverse
 
 from .base import ArticleWebTestBase, WebTestBase


@@ 154,6 156,21 @@ class CreateViewTest(ArticleWebTestBase):
             'Content'
         )  # on level 2')
 
+    def test_illegal_slug(self):
+
+        c = self.c
+
+        # A slug cannot be '123' because it gets confused with an article ID.
+        response = c.post(
+            reverse('wiki:create', kwargs={'path': ''}),
+            {'title': 'Illegal slug', 'slug': '123', 'content': 'blah'}
+        )
+        self.assertContains(
+            response,
+            escape(validate_slug_numbers.message)
+        )
+
+
 
 class DeleteViewTest(ArticleWebTestBase):