Opened 16 years ago

Closed 16 years ago

Last modified 16 years ago

#9111 closed (fixed)

form error get escaped on _html_output even if it is a SafeString instance

Reported by: Michel Sabchuk Owned by: Karen Tracey
Component: Forms Version: 1.0
Severity: Keywords: form error escape safestring mark_safe
Cc: michelts@…, Jesse Young Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

Hi guys,

When I define a form and call it on a template like:

{{ form }}

The function as_table is called. The function calls _html_output to
render the widget, the errors and help messages. They are in django.forms.forms module.

The error is escaped with django.utils.html.escape function but I
think django.utils.html.conditional_escape should be used instead. This way,
if I pass a SafeString instance to a forms.ValidationError exception,
I can include html code on it.

This error isn't raised if I write a template like:

<div>{{ form.field.errors }}{{ form.field }}</div>

What about to change escape to conditional_escape in all the module? I can send a patch if you agree...

Best regards!

Attachments (3)

safestring-r9066.diff (1.1 KB ) - added by Ivan Giuliani 16 years ago.
safestring-tests-r9066.diff (2.3 KB ) - added by Ivan Giuliani 16 years ago.
form_escape.diff (4.8 KB ) - added by Jesse Young 16 years ago.
conditional_escape for both field labels and errors

Download all attachments as: .zip

Change History (11)

comment:1 by Michel Sabchuk, 16 years ago

Cc: michelts@… added

comment:2 by Malcolm Tredinnick, 16 years ago

Triage Stage: UnreviewedAccepted

This looks like a good change to make. Please also remember to include a test that fails beforehand and passes after the change. Probably the best place to put the test is in regressiontests/forms/forms.py.

by Ivan Giuliani, 16 years ago

Attachment: safestring-r9066.diff added

by Ivan Giuliani, 16 years ago

Attachment: safestring-tests-r9066.diff added

comment:3 by Ivan Giuliani, 16 years ago

Has patch: set

comment:4 by Ivan Giuliani, 16 years ago

Owner: changed from nobody to Ivan Giuliani

comment:5 by Jesse Young, 16 years ago

Cc: Jesse Young added

As I noted on http://groups.google.com/group/django-developers/browse_thread/thread/86fd952b0efc641e , mark_safe should also work on labels of form fields. I've updated the patch to also call conditional_escape on form labels, and added a regression test for that.

by Jesse Young, 16 years ago

Attachment: form_escape.diff added

conditional_escape for both field labels and errors

comment:6 by Karen Tracey, 16 years ago

Owner: changed from Ivan Giuliani to Karen Tracey
Status: newassigned

In the future please don't add additional unrelated fixes to existing tickets. This ticket was about escaping of errors, not labels -- fixing the label case should have gone into a different ticket to make things simpler when reviewing.

The errors part of this ticket overlaps a bit with #6160, which points out a different part of the code where error messages are not escaped. I'm going to deal with both together so that errors are consistently conditionally escaped.

comment:7 by Karen Tracey, 16 years ago

Resolution: fixed
Status: assignedclosed

(In [9365]) Fixed #6160, #9111 -- Consistently apply conditional_escape to form errors and labels when outputing them as HTML.

comment:8 by Karen Tracey, 16 years ago

(In [9366]) [1.0.X] Fixed #6160, #9111 -- Consistently apply conditional_escape to form errors and labels when outputing them as HTML.

[9365] from trunk.

Note: See TracTickets for help on using tickets.
Back to Top