Make sure that fields that are presented as single-line are validated as such
Reported by: tkolar
Owned by: nobody
Severity: Normal
Keywords: CharField multiline validator
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
This applies to fields like CharField that are presented as <input type="text"> by default.
As a developer, it is easy to overlook the fact that it is nonetheless possible to submit multiline data to such a field, for instance by creating a custom form, or by manipulating the original form. If the assumption that entries for this field will always be single-line is erroneously made, this is a hard-to-find bug at best, and a vulnerability at worst.
My proposal is to add a validator (for instance single_line) that checks that an input value doesn't contain a newline, and to add it to all the fields that are presented as <input type="text">, and (optionally) to add a field option (for instance, allow_multiline) to override this behavior.
I'm proposing that this become part of django for the following reasons:
- If the user uses the default form field produced by such a field, they cannot enter a multiline value anyway, so my proposal fixes the problem that validation on the server is "weaker" than on the client.
- Although it's a corner case, this could, in fact, create actual vulnerabilities (Use case: a simple protocol that has DSV with the field as the last entry per line).
- People who want multiline will use TextField anyway. If someone out there has customized CharField to act like TextField, they need not complain if they have to fix that. For the other field types, "no multiline" is implicit in their respective validation (haven't checked, but if that isn't the case, that's arguably a bug in itself). Therefore, compatibility is not a problem.
I volunteer to write a patch that implements this if this ticket is accepted.
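The validator proposed above, run against the DSV use case from the second bullet, as an added example that is neither the reporter's code nor Django's: the ValidationError stand-in, the validate_single_line name, the pipe delimiter and the record layout are assumptions made for the demonstration.

```python
# Added example (not Django's or the reporter's code): a single_line validator
# in the shape of a Django validator, run against the ticket's DSV use case.
# The ValidationError class below is a stand-in for
# django.core.exceptions.ValidationError so that this runs without Django.

class ValidationError(Exception):
    def __init__(self, message, code=None):
        super().__init__(message)
        self.message, self.code = message, code

# Assumption: reject every line terminator str.splitlines() knows, not only "\n".
LINE_BREAKS = ("\r", "\n", "\x0b", "\x0c", "\x1c", "\x1d", "\x1e",
               "\x85", "\u2028", "\u2029")

def validate_single_line(value):
    """Proposed single_line validator: reject any value containing a line break."""
    if any(ch in value for ch in LINE_BREAKS):
        raise ValidationError("Enter a single line of text.", code="multiline")

def is_single_line(value):
    """True if validate_single_line accepts the value (helper for demonstration)."""
    try:
        validate_single_line(value)
    except ValidationError:
        return False
    return True

# Constructed "simple protocol": one pipe-separated record per line, with the
# CharField value (the comment) as the last entry, the layout the ticket warns about.
def write_record(username, role, comment, validate=True):
    """Build one DSV line; validate=False models today's unvalidated CharField."""
    if validate:
        validate_single_line(comment)
    return f"{username}|{role}|{comment}\n"

def parse_records(text):
    """Read the records back, the way a consumer of the protocol would."""
    return [line.split("|") for line in text.split("\n") if line]

if __name__ == "__main__":
    # Constructed input: without the validator, a newline in the comment field
    # becomes a second, attacker-chosen record when the file is parsed back.
    crafted = "looks fine\nx|admin|"
    print(parse_records(write_record("alice", "user", crafted, validate=False)))
    # -> [['alice', 'user', 'looks fine'], ['x', 'admin', '']]
    print(is_single_line(crafted))  # -> False
```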
Change History (3)
comment:1 Changed 3 years ago by melinath
- Component changed from Database layer (models, ORM) to Forms
- Needs documentation set
- Needs tests set
- Patch needs improvement unset
- Triage Stage changed from Unreviewed to Accepted
- Type changed from Bug to New feature