Ticket #9111: form_escape.diff

File form_escape.diff, 4.8 KB (added by Jesse Young, 16 years ago)

conditional_escape for both field labels and errors

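--- a/django/forms/forms.py
+++ b/django/forms/forms.py
@@ -5,7 +5,7 @@
 from copy import deepcopy
 
 from django.utils.datastructures import SortedDict
-from django.utils.html import escape
+from django.utils.html import escape, conditional_escape
 from django.utils.encoding import StrAndUnicode, smart_unicode, force_unicode
 from django.utils.safestring import mark_safe
 
@@ -140,7 +140,7 @@
         output, hidden_fields = [], []
         for name, field in self.fields.items():
             bf = BoundField(self, field, name)
-            bf_errors = self.error_class([escape(error) for error in bf.errors]) # Escape and cache in local variable.
+            bf_errors = self.error_class([conditional_escape(error) for error in bf.errors]) # Escape and cache in local variable.
             if bf.is_hidden:
                 if bf_errors:
                     top_errors.extend([u'(Hidden field %s) %s' % (name, force_unicode(e)) for e in bf_errors])
@@ -149,7 +149,7 @@
                 if errors_on_separate_row and bf_errors:
                     output.append(error_row % force_unicode(bf_errors))
                 if bf.label:
-                    label = escape(force_unicode(bf.label))
+                    label = conditional_escape(force_unicode(bf.label))
                     # Only add the suffix if the label does not end in
                     # punctuation.
                     if self.label_suffix:
@@ -395,7 +395,7 @@
 
         If attrs are given, they're used as HTML attributes on the <label> tag.
         """
-        contents = contents or escape(self.label)
+        contents = contents or conditional_escape(self.label)
         widget = self.field.widget
         id_ = widget.attrs.get('id') or self.auto_id
         if id_: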
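Review bot: The trailing comment on the new line 143, `# Escape and cache in local variable.`, no longer describes the call: conditional_escape leaves a message that is already SafeData untouched, so a ValidationError raised with mark_safe() reaches the rendered markup verbatim. I would reword it to `# Escape (unless already marked safe) and cache in local variable; a mark_safe()'d message is emitted as-is, so whoever raises it must escape any user data it interpolates.` The same contract now applies to the label on line 152 and to label_tag on line 398, which honour a mark_safe() label, and neither line carries a comment saying so. Both _html_output and label_tag start and end outside these hunks.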
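--- a/tests/regressiontests/forms/forms.py
+++ b/tests/regressiontests/forms/forms.py
@@ -593,17 +593,25 @@
 u'Yesterday'
 
 Validation errors are HTML-escaped when output as HTML.
+>>> from django.utils.safestring import mark_safe
 >>> class EscapingForm(Form):
-...     special_name = CharField()
+...     special_name = CharField(label="<em>Special</em> Field")
+...     special_safe_name = CharField(label=mark_safe("<em>Special</em> Field"))
 ...     def clean_special_name(self):
 ...         raise ValidationError("Something's wrong with '%s'" % self.cleaned_data['special_name'])
+...     def clean_special_safe_name(self):
+...         raise ValidationError(mark_safe("'<b>%s</b>' is a safe string" % self.cleaned_data['special_safe_name']))
 
->>> f = EscapingForm({'special_name': "Nothing to escape"}, auto_id=False)
+>>> f = EscapingForm({'special_name': "Nothing to escape", 'special_safe_name': "Nothing to escape"}, auto_id=False)
 >>> print f
-<tr><th>Special name:</th><td><ul class="errorlist"><li>Something&#39;s wrong with &#39;Nothing to escape&#39;</li></ul><input type="text" name="special_name" value="Nothing to escape" /></td></tr>
->>> f = EscapingForm({'special_name': "Should escape < & > and <script>alert('xss')</script>"}, auto_id=False)
+<tr><th>&lt;em&gt;Special&lt;/em&gt; Field:</th><td><ul class="errorlist"><li>Something&#39;s wrong with &#39;Nothing to escape&#39;</li></ul><input type="text" name="special_name" value="Nothing to escape" /></td></tr>
+<tr><th><em>Special</em> Field:</th><td><ul class="errorlist"><li>'<b>Nothing to escape</b>' is a safe string</li></ul><input type="text" name="special_safe_name" value="Nothing to escape" /></td></tr>
+>>> f = EscapingForm(
+...     {'special_name': "Should escape < & > and <script>alert('xss')</script>",
+...     'special_safe_name': "<i>Do not escape</i>"}, auto_id=False)
 >>> print f
-<tr><th>Special name:</th><td><ul class="errorlist"><li>Something&#39;s wrong with &#39;Should escape &lt; &amp; &gt; and &lt;script&gt;alert(&#39;xss&#39;)&lt;/script&gt;&#39;</li></ul><input type="text" name="special_name" value="Should escape &lt; &amp; &gt; and &lt;script&gt;alert(&#39;xss&#39;)&lt;/script&gt;" /></td></tr>
+<tr><th>&lt;em&gt;Special&lt;/em&gt; Field:</th><td><ul class="errorlist"><li>Something&#39;s wrong with &#39;Should escape &lt; &amp; &gt; and &lt;script&gt;alert(&#39;xss&#39;)&lt;/script&gt;&#39;</li></ul><input type="text" name="special_name" value="Should escape &lt; &amp; &gt; and &lt;script&gt;alert(&#39;xss&#39;)&lt;/script&gt;" /></td></tr>
+<tr><th><em>Special</em> Field:</th><td><ul class="errorlist"><li>'<b><i>Do not escape</i></b>' is a safe string</li></ul><input type="text" name="special_safe_name" value="&lt;i&gt;Do not escape&lt;/i&gt;" /></td></tr>
 
 """ + \
 r""" # [This concatenation is to keep the string below the jython's 32K limit].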
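Review bot: The clean_special_safe_name added on line 603 interpolates the submitted value `self.cleaned_data['special_safe_name']` straight into a mark_safe() string, and the expected output on line 614 confirms that the `<i>Do not escape</i>` taken from the request is rendered unescaped inside the error list. As a regression test this pins the conditional_escape behaviour, but as the only example of a safe error message in the suite it models exactly the pattern that lets user input become markup. I would escape the interpolated value, `raise ValidationError(mark_safe("'<b>%s</b>' is a safe string" % escape(self.cleaned_data['special_safe_name'])))`, importing escape next to mark_safe on line 596, and change the `<li>` on line 614 to `'<b>&lt;i&gt;Do not escape&lt;/i&gt;</b>' is a safe string`, which still demonstrates the outer `<b>` surviving as intended. The EscapingForm doctest is complete within this hunk.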