Fix #1662: Avoid assigning arbitrary attributes to SafeString instances

Author: matthiask

debug_toolbar/panels/templates/views.py

@@ -3,7 +3,7 @@
 from django.template import Origin, TemplateDoesNotExist
 from django.template.engine import Engine
 from django.template.loader import render_to_string
-from django.utils.safestring import mark_safe
+from django.utils.html import format_html, mark_safe
 
 from debug_toolbar.decorators import require_show_toolbar
 
@@ -50,12 +50,12 @@ def template_source(request):
         from pygments import highlight
         from pygments.formatters import HtmlFormatter
         from pygments.lexers import HtmlDjangoLexer
-
+    except ModuleNotFoundError:
+        source = format_html("<code>{}</code>", source)
+        pass
+    else:
         source = highlight(source, HtmlDjangoLexer(), HtmlFormatter())
         source = mark_safe(source)
-        source.pygmentized = True
-    except ImportError:
-        pass
 
     content = render_to_string(
         "debug_toolbar/panels/template_source.html",

debug_toolbar/templates/debug_toolbar/panels/template_source.html

@@ -5,10 +5,6 @@ <h3>{% trans "Template source:" %} <code>{{ template_name }}</code></h3>
 </div>
 <div class="djDebugPanelContent">
   <div class="djdt-scroll">
-    {% if not source.pygmentized %}
-      <code>{{ source }}</code>
-    {% else %}
-      {{ source }}
-    {% endif %}
+    {{ source }}
   </div>
 </div>