#9111 closed (fixed)
form error get escaped on _html_output even if it is a SafeString instance
Reported by: | Michel Sabchuk | Owned by: | Karen Tracey |
---|---|---|---|
Component: | Forms | Version: | 1.0 |
Severity: | Keywords: | form error escape safestring mark_safe | |
Cc: | michelts@…, Jesse Young | Triage Stage: | Accepted |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
Hi guys,
When I define a form and call it on a template like:
{{ form }}
The function as_table is called. The function calls _html_output to
render the widget, the errors and help messages. They are in django.forms.forms module.
The error is escaped with django.utils.html.escape function but I
think django.utils.html.conditional_escape should be used instead. This way,
if I pass a SafeString instance to a forms.ValidationError exception,
I can include html code on it.
This error isn't raised if I write a template like:
<div>{{ form.field.errors }}{{ form.field }}</div>
What about to change escape to conditional_escape in all the module? I can send a patch if you agree...
Best regards!
Attachments (3)
Change History (11)
comment:1 by , 16 years ago
Cc: | added |
---|
comment:2 by , 16 years ago
Triage Stage: | Unreviewed → Accepted |
---|
by , 16 years ago
Attachment: | safestring-r9066.diff added |
---|
by , 16 years ago
Attachment: | safestring-tests-r9066.diff added |
---|
comment:3 by , 16 years ago
Has patch: | set |
---|
comment:4 by , 16 years ago
Owner: | changed from | to
---|
comment:5 by , 16 years ago
Cc: | added |
---|
As I noted on http://groups.google.com/group/django-developers/browse_thread/thread/86fd952b0efc641e , mark_safe should also work on labels of form fields. I've updated the patch to also call conditional_escape on form labels, and added a regression test for that.
by , 16 years ago
Attachment: | form_escape.diff added |
---|
conditional_escape for both field labels and errors
comment:6 by , 16 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
In the future please don't add additional unrelated fixes to existing tickets. This ticket was about escaping of errors, not labels -- fixing the label case should have gone into a different ticket to make things simpler when reviewing.
The errors part of this ticket overlaps a bit with #6160, which points out a different part of the code where error messages are not escaped. I'm going to deal with both together so that errors are consistently conditionally escaped.
comment:7 by , 16 years ago
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
This looks like a good change to make. Please also remember to include a test that fails beforehand and passes after the change. Probably the best place to put the test is in
regressiontests/forms/forms.py
.