Opened 13 years ago

Closed 7 years ago

#13978 closed New feature (wontfix)

Allow inline js/css in forms.Media

Reported by: Nathan Reynolds Owned by: Derek Payton
Component: Forms Version: dev
Severity: Normal Keywords: sprintdec2010
Cc: Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: yes
Easy pickings: no UI/UX: no

Description

It's not possible to use the Media class for inline Javascript or CSS content, though this is often useful when bootstrapping external scripts.

Widgets can include inline content in their render method, but ModelAdmin's appear to be out of luck.

I've attached a patch to allow inline content, e.g:

    @property
    def media(self):
        return forms.Media(
            js=(forms.Media.Inline('alert("Test")'),),
            css={
                'all': (forms.Media.Inline('body { background: black }'),),
            }
        )

Attachments (3)

inlinemedia.diff (3.5 KB) - added by Nathan Reynolds 13 years ago.
Patch
0001-Allow-inline-JS-CSS-in-forms.Media-13978.patch (7.7 KB) - added by Derek Payton 11 years ago.
Updated patch for Django 1.5
13978-internal-media.patch (16.1 KB) - added by Derek Payton 11 years ago.

Download all attachments as: .zip

Change History (25)

Changed 13 years ago by Nathan Reynolds

Attachment: inlinemedia.diff added

Patch

comment:1 Changed 13 years ago by rafen

Owner: changed from nobody to rafen

comment:2 Changed 13 years ago by rafen

Owner: changed from rafen to nobody

comment:3 Changed 13 years ago by mariarchi

Needs documentation: set
Needs tests: set
Triage Stage: UnreviewedDesign decision needed

Needs tests and docs [and maybe design decision]

comment:4 Changed 13 years ago by Julien Phalip

Keywords: sprintdec2010 added
milestone: 1.3
Triage Stage: Design decision neededAccepted

This sounds like a really useful feature. You'd need to add some tests and documentation if you want it to have a chance of shipping with 1.3?

comment:5 Changed 13 years ago by Julien Phalip

milestone: 1.3

Too late for 1.3.

comment:6 Changed 13 years ago by Matthias Kestenholz

This is sort-of a duplicate of #11865. Not closing as a duplicate because this ticket covers inline CSS and JS, while #11865 only covers inline JS.

comment:7 Changed 13 years ago by Graham King

Severity: Normal
Type: New feature

comment:8 Changed 13 years ago by Julien Phalip

I went on and closed #11865 as a duplicate. I believe it's best to tackle both css and js at once to maintain some consistency.

Last edited 13 years ago by Julien Phalip (previous) (diff)

comment:9 Changed 12 years ago by Aymeric Augustin

UI/UX: unset

Change UI/UX from NULL to False.

comment:10 Changed 12 years ago by Aymeric Augustin

Easy pickings: unset

Change Easy pickings from NULL to False.

comment:11 Changed 11 years ago by Derek Payton

I've updated this patch for the latest Django. Assuming I were to write docs and a test, could this feasibly make it into 1.5?

Changed 11 years ago by Derek Payton

Updated patch for Django 1.5

comment:12 Changed 11 years ago by Derek Payton

I've updated with a patch that contains a first pass at docs and tests.

[15:44:41] derek @ pangolin in ~/dev/django/tests (git:feature/13978-inline-media)
± python runtests.py --settings=test_sqlite forms.FormsMediaTestCase
Creating test database for alias 'default'...
Creating test database for alias 'other'...
...............
----------------------------------------------------------------------
Ran 15 tests in 0.011s

OK
Destroying test database for alias 'default'...
Destroying test database for alias 'other'...

comment:13 Changed 11 years ago by Julien Phalip

Patch needs improvement: set

Thank you for the patch, it looks great! I just have a couple of comments.

Instead of having a single internal class Media.Inline, it'd be better to have two standalone (and global at the forms.widgets level) classes, one for JS and one for CSS. This way we could potentially later add extra features specific to either JS or CSS (e.g. to control the "media" attribute for the CSS code).

Also, I'm wondering if we could find a better name than "inline". My concerns are that it could be confused for the admin inlines, and that it could be confused for another type of inline code, e.g. <div style="color:#fff"/>. Maybe something like BlockJS, BlockCSS. Any suggestion for better names are welcome.

Thanks!

Changed 11 years ago by Derek Payton

Attachment: 13978-internal-media.patch added

comment:14 Changed 11 years ago by Derek Payton

Hi Julien,

Thanks for the feedback! I've added a new patch that switches naming from "inline" to "internal" and adds separate top-level classes for CSS and JS.

https://github.com/dmpayton/django/compare/dmpayton:master...dmpayton:feature/13978-internal-media

And, of course, the tests still pass:

[19:17:54] derek @ pangolin in ~/dev/django/tests (git:feature/13978-internal-media)
± python runtests.py --settings=test_sqlite forms.FormsMediaTestCase
Creating test database for alias 'default'...
Creating test database for alias 'other'...
...............
----------------------------------------------------------------------
Ran 15 tests in 0.011s

OK
Destroying test database for alias 'default'...
Destroying test database for alias 'other'...

Please let me know if there's anything else I can do.

Thanks!

comment:15 Changed 11 years ago by Julien Phalip

Thanks for the updated patch, Derek. We're past the beta so unfortunately this can't go in 1.5, but I'm definitely keen to push this forward ASAP to make sure it gets considered for 1.6. I'll try to review the patch in more detail soon.

Just one quick note in passing: I don't really like the term "Internal" as it's a little vague. I'll do more thinking about it and this can easily be modified in the final commit. In the meantime, any other suggestions are welcome.

Thanks again!

comment:16 Changed 11 years ago by Derek Payton

How do "EmbeddedCSS" and "EmbeddedJS" sound? Updated patch:

https://github.com/dmpayton/django/commit/a676b609004863dd726332df865b9ead7487767e

[Edit: updated URL]

Last edited 11 years ago by Derek Payton (previous) (diff)

comment:17 Changed 11 years ago by Derek Payton

Needs documentation: unset
Needs tests: unset
Owner: changed from nobody to Derek Payton
Status: newassigned

comment:18 Changed 11 years ago by Julien Phalip

Thanks for your work, Derek. The patch looks pretty good! I like the term "embedded" a lot more. Since it's a pretty important API addition I'll just seek more opinions on IRC, and then I'm hoping we can move forward with this soon.

comment:19 Changed 11 years ago by Julien Phalip

This ticket was brought on in IRC. A good point was made by @apollo13 that a new W3C policy is being worked on to discourage developers from using inline JS, in particular to prevent the risk of XSS: the Content Security Policy http://www.w3.org/TR/CSP/

While I do recognize the convenience of inline JS/CSS, this is an important question that needs more discussing, especially around whether Django core should allow this feature which seems to now go against recommended practices. At this point I'd recommend bringing this to the django-devs mailing list to gather more feedback.

comment:20 Changed 11 years ago by Derek Payton

comment:21 Changed 10 years ago by Aymeric Augustin

Related: #21987.

comment:22 Changed 7 years ago by Tim Graham

Resolution: wontfix
Status: assignedclosed

Closing as wontfix given the lack of activity/interest and because it isn't compatible with CSP.

Note: See TracTickets for help on using tickets.
Back to Top