Make sure that fields that are presented as single-line are validated as such
|Reported by:||tkolar||Owned by:||nobody|
|Severity:||Normal||Keywords:||CharField multiline validator|
|Has patch:||no||Needs documentation:||no|
|Needs tests:||no||Patch needs improvement:||no|
This applies to fields like
CharField that are presented as
<input type="text"> by default.
As a developer, it is easy to overlook the fact that it is nonetheless possible to submit multiline data to such a field, for instance by creating a custom form, or by manipulating the original form. If the assumption that entries for this field will always be single-line is erroneously made, this is a hard-to-find bug at best, and a vulnerability at worst.
My proposal is to add a validator (for instance
single_line) that checks that an input value doesn't contain a newline, and to add it to all the fields that are presented as
<input type="text">, and (optionally) to add a field option (for instance,
allow_multiline) to override this behavior.
I'm proposing that this become part of django for the following reasons:
- If the user uses the default form field produced by such a field, they cannot enter a multiline value anyway, so my proposal fixes the problem that validation on the server is "weaker" than on the client.
- Although it's a corner case, this could, in fact, create actual vulnerabilities (Use case: a simple protocol that has DSV with the field as the last entry per line).
- People who want multiline will use
TextFieldanyway. If someone out there has customized
CharFieldto act like
TextField, they need not complain if they have to fix that. For the other field types, "no multiline" is implicit on their respective validation (haven't checked, but if that isn't the case, that's arguable a bug in itself). Therefore, compatibility is not a problem.
I volunteer to write a patch that implements this if this ticket is accepted.
Change History (3)
comment:1 Changed 5 years ago by
|Component:||Database layer (models, ORM) → Forms|
|Patch needs improvement:||unset|
|Triage Stage:||Unreviewed → Accepted|
|Type:||Bug → New feature|