#9111 closed (fixed)
form error gets escaped in _html_output even if it is a SafeString instance
| Reported by: | Michel Sabchuk | Owned by: | Karen Tracey |
|---|---|---|---|
| Component: | Forms | Version: | 1.0 |
| Severity: | | Keywords: | form error escape safestring mark_safe |
| Cc: | michelts@…, Jesse Young | Triage Stage: | Accepted |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
Hi guys,
When I define a form and call it in a template like:
{{ form }}
the function as_table is called. That function calls _html_output to render the widget, the errors and the help messages. They are in the django.forms.forms module.
The error is escaped with the django.utils.html.escape function, but I think django.utils.html.conditional_escape should be used instead. This way, if I pass a SafeString instance to a forms.ValidationError exception, I can include HTML code in it.
This error isn't raised if I write a template like:
<div>{{ form.field.errors }}{{ form.field }}</div>
What about changing escape to conditional_escape in the whole module? I can send a patch if you agree...
Best regards!
Attachments (3)
Change History (11)
comment:1 by , 17 years ago
| Cc: | added |
|---|---|
comment:2 by , 17 years ago
| Triage Stage: | Unreviewed → Accepted |
|---|---|
by , 17 years ago
| Attachment: | safestring-r9066.diff added |
|---|---|
by , 17 years ago
| Attachment: | safestring-tests-r9066.diff added |
|---|---|
comment:3 by , 17 years ago
| Has patch: | set |
|---|---|
comment:4 by , 17 years ago
| Owner: | changed from to |
|---|---|
comment:5 by , 17 years ago
| Cc: | added |
|---|---|
As I noted on http://groups.google.com/group/django-developers/browse_thread/thread/86fd952b0efc641e , mark_safe should also work on labels of form fields. I've updated the patch to also call conditional_escape on form labels, and added a regression test for that.
by , 17 years ago
| Attachment: | form_escape.diff added |
|---|---|
conditional_escape for both field labels and errors
comment:6 by , 17 years ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
In the future please don't add additional unrelated fixes to existing tickets. This ticket was about escaping of errors, not labels -- fixing the label case should have gone into a different ticket to make things simpler when reviewing.
The errors part of this ticket overlaps a bit with #6160, which points out a different part of the code where error messages are not escaped. I'm going to deal with both together so that errors are consistently conditionally escaped.
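The behaviour the description and comments 5 and 6 are discussing, as an added worked example that is not Django's code and not part of the ticket: the classes and functions below are simplified stand-ins that reuse Django's public names (SafeString, mark_safe, escape, conditional_escape, format_html), and render_row is an assumed stand-in for the label and error-list portion of _html_output. The sample label, error messages and user input are constructed for the example. It shows the two halves of the security argument: conditional_escape lets a developer-authored SafeString through while still escaping every plain str (so the change does not weaken escaping of ordinary error text), and mark_safe is only safe when the string it vouches for was built from escaped parts, never when it already embeds raw user input.

```python
import html


class SafeString(str):
    """A str subclass whose content the author vouches for as valid, escaped HTML."""

    def __html__(self):
        return str(self)


def mark_safe(s):
    """Mark a string as already-safe HTML (no escaping is applied here)."""
    return s if isinstance(s, SafeString) else SafeString(s)


def escape(text):
    """Unconditional escaping: what _html_output did before this ticket's fix."""
    return SafeString(html.escape(str(text), quote=True))


def conditional_escape(text):
    """Escape unless the value declares itself safe through __html__."""
    if hasattr(text, "__html__"):
        return SafeString(text.__html__())
    return escape(text)


def format_html(template, *args):
    """Build safe HTML from a trusted template plus escaped, untrusted values."""
    return mark_safe(template.format(*(conditional_escape(a) for a in args)))


def render_row(label, errors, escaper):
    """Render one form row (label + error list) the way _html_output does,
    using whichever escaping function is passed in (assumed stand-in)."""
    items = "".join("<li>%s</li>" % escaper(e) for e in errors)
    return '<label>%s</label><ul class="errorlist">%s</ul>' % (escaper(label), items)


# Constructed sample values (not taken from the ticket).
USER_INPUT = '<script>alert("x")</script>'              # hostile value typed by a user
LABEL = mark_safe('Price <small>(in &euro;)</small>')    # developer-authored markup
PLAIN_ERROR = "Value must be > 0"                       # ordinary str, must be escaped
LINK_ERROR = mark_safe('See the <a href="/help/">help page</a>.')
UNSAFE_ERROR = mark_safe("Bad value: %s" % USER_INPUT)  # wrong: vouches for raw user data
SAFE_ERROR = format_html("Bad value: {}", USER_INPUT)   # right: user data escaped first


def before_fix():
    """escape(): mark_safe is ignored, so the link and the label markup come out mangled."""
    return render_row(LABEL, [PLAIN_ERROR, LINK_ERROR], escape)


def after_fix():
    """conditional_escape(): SafeString passes through, plain str is still escaped."""
    return render_row(LABEL, [PLAIN_ERROR, LINK_ERROR], conditional_escape)


def mark_safe_misuse():
    """The caveat: mark_safe on a string that already embeds user data yields live script."""
    return render_row("Price", [UNSAFE_ERROR], conditional_escape)


def mark_safe_correct():
    """Escape the untrusted parts first, then mark the assembled markup safe."""
    return render_row("Price", [SAFE_ERROR], conditional_escape)


if __name__ == "__main__":
    for fn in (before_fix, after_fix, mark_safe_misuse, mark_safe_correct):
        print(fn.__name__, "->", fn())
```

Running the module prints the four rendered rows side by side. The point of the last two functions is the review criterion that comes with this change: once _html_output honours SafeString, any ValidationError message built with mark_safe has to be assembled from already-escaped pieces (format_html-style), because conditional_escape will trust whatever the SafeString contains.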
comment:7 by , 17 years ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
This looks like a good change to make. Please also remember to include a test that fails beforehand and passes after the change. Probably the best place to put the test is in regressiontests/forms/forms.py.