Django

Ticket #5730 (closed: fixed)

Opened 1 year ago

Last modified 9 months ago

widgets not properly escaping content

Reported by: Densetsu no Ero-sennin <densetsu.no.ero.sennin@gmail.com>
Assigned to: anonymous
Milestone:
Component: Forms
Version: SVN
Keywords:
Cc:
Triage Stage: Ready for checkin
Has patch: 1
Needs documentation: 0
Needs tests: 0
Patch needs improvement: 0

Description

RadioSelect widget does not escape label text correctly.

Example:

>>> from django.newforms import RadioSelect
>>> r = RadioSelect()
>>> print r.render('test', 'test', choices=(('test', '<em>must be escaped</em>'),))
<ul>
<li><label><input checked="checked" type="radio" name="test" value="test" /> <em>must be escaped</em></label></li>
</ul>

Attachments

radioselect_escape_label.patch (0.5 kB) - added by Densetsu no Ero-sennin <densetsu.no.ero.sennin@gmail.com> on 10/10/07 12:30:35.
Escape label in RadioSelect widget
widget_escaping.diff (7.9 kB) - added by SmileyChris on 11/27/07 14:56:37.

Change History

10/10/07 12:30:35 changed by Densetsu no Ero-sennin <densetsu.no.ero.sennin@gmail.com>

  • attachment radioselect_escape_label.patch added.

Escape label in RadioSelect widget

10/24/07 02:17:28 changed by Densetsu no Ero-sennin <densetsu.no.ero.sennin@gmail.com>

  • owner changed from nobody to anonymous.
  • needs_better_patch changed.
  • status changed from new to assigned.
  • needs_tests changed.
  • needs_docs changed.

11/27/07 13:53:54 changed by SmileyChris

  • needs_better_patch set to 1.
  • needs_tests set to 1.
  • stage changed from Unreviewed to Accepted.

Bug confirmed.

Current patch incorrectly removes the space between the radio item and the label. Apart from that, just needs a simple test and it's good to go.

11/27/07 14:56:01 changed by SmileyChris

  • needs_better_patch deleted.
  • summary changed from [patch] RadioSelect widget does not escape label text to widgets not properly escaping content.
  • needs_tests deleted.
  • stage changed from Accepted to Ready for checkin.

In fact, this is a bigger issue than just RadioSelect. All widgets with choices are displaying the same behaviour.

On top of that, widgets aren't using conditional_escape so safe strings get double-escaped.

Patch with tests incoming...

11/27/07 14:56:37 changed by SmileyChris

  • attachment widget_escaping.diff added.

11/27/07 14:59:06 changed by SmileyChris

For this patch, I have left the choice values (as opposed to labels) being hard-escaped because that brings up different issues for selecting the current choice.

11/28/07 14:19:54 changed by mtredinnick

  • status changed from assigned to closed.
  • resolution set to fixed.

(In [6722]) Fixed #5730: Conditionally escape widget contents in newforms to avoid inadvertent double-escaping. This still isn't perfect behaviour (since it's unaware of the current context's auto-escaping setting), but that's a larger problem that needs fixing and this change at least makes the existing behaviour consistent. Patch from SmileyChris.
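
The three label behaviours discussed in this ticket (unescaped, always escaped, conditionally escaped), as an added example that is not part of the ticket, the attached patches or Django's code. `SafeText`, `conditional_escape_demo` and the `render_*` functions are hypothetical, simplified stand-ins, and the sample choices are constructed.

```python
from html import escape


class SafeText(str):
    """Hypothetical marker type: a string already known to be safe HTML."""


def conditional_escape_demo(value):
    """Simplified stand-in: escape value unless it is already marked safe."""
    if isinstance(value, SafeText):
        return value
    return SafeText(escape(str(value)))


def render_radio(name, selected, choices, label_filter):
    """Render a radio list; label_filter decides how each label is emitted."""
    items = []
    for value, label in choices:
        checked = ' checked="checked"' if str(value) == str(selected) else ""
        items.append(
            '<li><label><input%s type="radio" name="%s" value="%s" /> %s</label></li>'
            % (checked, escape(name), escape(str(value)), label_filter(label))
        )
    return "<ul>\n%s\n</ul>" % "\n".join(items)


def render_unescaped(name, selected, choices):
    # Behaviour reported in the ticket: label text reaches the page verbatim.
    return render_radio(name, selected, choices, lambda label: label)


def render_hard_escaped(name, selected, choices):
    # Always escaping closes the hole but double-escapes strings marked safe.
    return render_radio(name, selected, choices, lambda label: escape(str(label)))


def render_conditional(name, selected, choices):
    # Escape plain strings once; pass strings marked safe through unchanged.
    return render_radio(name, selected, choices, conditional_escape_demo)


# Constructed sample input: one untrusted label, one pre-escaped safe label.
CHOICES = (
    ("test", "<em>must be escaped</em>"),
    ("ok", SafeText("Fish &amp; chips")),
)
```

Choice values are escaped unconditionally in all three variants, matching the comment above that values were left hard-escaped.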

