id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
16157	Make sure that fields that are presented as single-line are validated as such	tkolar	nobody	"This applies to fields like `CharField` that are presented as `<input type=""text"">` by default.

As a developer, it is easy to overlook the fact that it is nonetheless possible to submit multiline data to such a field, for instance by creating a custom form, or by manipulating the original form. If the assumption that entries for this field will always be single-line is erroneously made, this is a hard-to-find bug at best, and a vulnerability at worst.

My proposal is to add a validator (for instance `single_line`) that checks that an input value doesn't contain a newline, and to add it to all the fields that are presented as `<input type=""text"">`, and (optionally) to add a field option (for instance, `allow_multiline`) to override this behavior.

I'm proposing that this become part of Django for the following reasons:
 * If the user uses the default form field produced by such a field, they cannot enter a multiline value anyway, so my proposal fixes the problem that validation on the server is ""weaker"" than on the client.
 * Although it's a corner case, this could, in fact, create actual vulnerabilities (Use case: a simple protocol that has DSV with the field as the last entry per line).
 * People who want multiline will use `TextField` anyway. If someone out there has customized `CharField` to act like `TextField`, they need not complain if they have to fix that. For the other field types, ""no multiline"" is implicit in their respective validation (haven't checked, but if that isn't the case, that's arguably a bug in itself). Therefore, compatibility is not a problem.

I volunteer to write a patch that implements this if this ticket is accepted."	New feature	closed	Forms	dev	Normal	wontfix	CharField multiline validator		Accepted	0	0	0	0	0	0
