fix: prevent context pollution

src/djangocms_snippet/templatetags/snippet_tags.py

@@ -82,31 +82,33 @@ def get_content_render(self, context, instance):
         """
         Render the snippet HTML, using a template if defined in its instance
         """
-        context.update(
-            {
-                "object": instance,
-            }
-        )
-        try:
-            if instance.template:
-                context.update({"html": mark_safe(instance.html)})
-                content = template.loader.render_to_string(
-                    instance.template,
-                    context.flatten(),
-                )
-            else:
-                t = template.Template(instance.html)
-                content = t.render(context)
-        except template.TemplateDoesNotExist:
-            content = _("Template %(template)s does not exist.") % {"template": instance.template}
-        except Exception as e:  # pragma: no cover
-            content = escape(str(e))
-            if self.parse_until:
-                # In case we are running 'exceptionless'
-                # Re-raise exception in order not to get the
-                # error rendered
-                raise
-        return content
+
+        # Create the data to push to the context all at once, including
+        # the 'html' if there's a template.
+        context_data = {"object": instance}
+        if instance.template:
+            context_data["html"] = mark_safe(instance.html)
+
+        with context.push(**context_data):
+            try:
+                if instance.template:
+                    content = template.loader.render_to_string(
+                        instance.template,
+                        context.flatten(),
+                    )
+                else:
+                    t = template.Template(instance.html)
+                    content = t.render(context)
+            except template.TemplateDoesNotExist:
+                content = _("Template %(template)s does not exist.") % {"template": instance.template}
+            except Exception as e:  # pragma: no cover
+                content = escape(str(e))
+                if self.parse_until:
+                    # In case we are running 'exceptionless'
+                    # Re-raise exception in order not to get the
+                    # error rendered
+                    raise
+            return content
 
 
 @register.tag(name="snippet_fragment")

tests/test_templatetags.py

@@ -90,3 +90,25 @@ def test_template_errors(self):
         with self.assertRaises(TemplateSyntaxError):
             # You need to specify at least a "snippet" ID, slug or instance
             template_to_render = Template("{% load snippet_tags %}{% snippet_fragment %}")
+
+    def test_context_pollution(self):
+        snippet = SnippetWithVersionFactory(
+            name="test snippet",
+            html="<p>Snippet content</p>",
+            slug="pollution_test",
+        )
+        snippet.versions.last().publish(user=self.get_superuser())
+
+        # Initialize context and capture the initial stack size. Since
+        # the Context is just a stack of dicts, by checking the length of
+        # the stack we ensure that every 'push' has a corresponding 'pop'.
+        og_object = "This should not change"
+        context = Context({"object": og_object})
+        initial_stack_len = len(context.dicts)
+
+        template_to_render = Template('{% load snippet_tags %}{% snippet_fragment "pollution_test" %} "{{ object }}"')
+        rendered_template = template_to_render.render(context)
+
+        self.assertIn(og_object, rendered_template)
+        self.assertEqual(context.get("object"), og_object)
+        self.assertEqual(len(context.dicts), initial_stack_len, "Context stack leaked")