Ticket #3510: escape-validation-errors.diff

File escape-validation-errors.diff, 2.2 KB (added by scott@…, 8 years ago)

Patch and test

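--- a/django/newforms/forms.py
+++ b/django/newforms/forms.py
@@ -113,7 +113,7 @@
         output, hidden_fields = [], []
         for name, field in self.fields.items():
             bf = BoundField(self, field, name)
-            bf_errors = bf.errors # Cache in local variable.
+            bf_errors = ErrorList([escape(error) for error in bf.errors]) # Escape and cache in local variable.
             if bf.is_hidden:
                 if bf_errors:
                     top_errors.extend(['(Hidden field %s) %s' % (name, e) for e in bf_errors])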
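Review bot: Escaping at this one call site in `_html_output` leaves every other rendering path unprotected — if `ErrorList.as_ul()`/`as_text()` build the `<li>` markup without escaping (they are outside the hunk), `{{ form.errors }}` or `{{ form.field.errors }}` in a template still emits the raw message, so the `escape()` call belongs where the markup is built, not here. Also confirm `escape` (presumably `django.utils.html.escape`) is actually imported in forms.py, since the import is not visible in this diff. Unconditional `escape()` will double-escape a message a developer has already escaped; if the codebase has a notion of pre-escaped/safe strings, the conditional variant should be used instead. `_html_output` starts and ends outside the hunk.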
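--- a/tests/regressiontests/forms/tests.py
+++ b/tests/regressiontests/forms/tests.py
@@ -2217,6 +2217,20 @@
 >>> f.clean_data
 {'composers': [u'J', u'P'], 'name': u'Yesterday'}
 
+Validation errors are escaped when output to html
+>>> class EscapingForm(Form):
+...     special_name = CharField()
+...     def clean_special_name(self):
+...         special_name = self.clean_data['special_name']
+...         raise ValidationError("Something wrong with '%s'" % special_name)
+
+>>> f = EscapingForm({'special_name': "Nothing to escape"})
+>>> print f
+<tr><th><label for="id_special_name">Special name:</label></th><td><ul class="errorlist"><li>Something wrong with &#39;Nothing to escape&#39;</li></ul><input type="text" name="special_name" value="Nothing to escape" id="id_special_name" /></td></tr>
+>>> f = EscapingForm({'special_name': "Should escape < & > and <script>alert('xss')</script>"})
+>>> print f
+<tr><th><label for="id_special_name">Special name:</label></th><td><ul class="errorlist"><li>Something wrong with &#39;Should escape &lt; &amp; &gt; and &lt;script&gt;alert(&#39;xss&#39;)&lt;/script&gt;&#39;</li></ul><input type="text" name="special_name" value="Should escape &lt; &amp; &gt; and &lt;script&gt;alert(&#39;xss&#39;)&lt;/script&gt;" id="id_special_name" /></td></tr>
+
 # Validating multiple fields in relation to another ###########################
 
 There are a couple of ways to do multiple-field validation. If you want the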
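Review bot: The new doctest only exercises `print f`, i.e. the `_html_output` path patched in forms.py, so it would not catch an unescaped message coming out of `f['special_name'].errors` or `f.errors`, which is how templates usually render errors; after the XSS case add `>>> print f['special_name'].errors` and expect the same `&lt;script&gt;`-escaped `<li>` text, assuming `ErrorList` is meant to be safe on its own. The hidden-field branch touched in the forms.py hunk (`'(Hidden field %s) %s'`) is not covered either; a variant of `EscapingForm` using `HiddenInput` for `special_name` would exercise it. Note that the escaped `value="..."` attribute in the expected output comes from the widget, not from this patch, so it should not be read as evidence the fix works.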