BoundField.label_tag now always escapes its `contents` parameter.
|Reported by:||Baptiste Mispelon||Owned by:||Baptiste Mispelon|
|Has patch:||yes||Needs documentation:||no|
|Needs tests:||no||Patch needs improvement:||no|
This behavior changed between 1.4 and 1.5:
    from django import forms

    class FooForm(forms.Form):
        foo = forms.CharField()

    print(FooForm().foo.label_tag('<asdf>'))
In 1.4, the output of the previous code was this:
In 1.5, we get this:
This was changed by commit a92e7f37c4ae84b6b8d8016cc6783211e9047219.
I think the original intention was to not escape the content if it was provided, as indicated by the first line of the method (https://github.com/django/django/blob/master/django/forms/forms.py#L522):
    contents = contents or conditional_escape(self.label)

This conditional escape is rendered moot by the use of `format_html` later on (introduced by the commit I linked above), which escapes everything anyway.
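The behavior described in this ticket, as an added example that is not part of the original report or Django's own code. It uses simplified stand-ins for `conditional_escape`, `format_html` and `mark_safe`, built on the standard library's `html.escape`, to model the 1.4 and 1.5 code paths. The names `SafeText`, `label_tag_1_4`, `label_tag_1_5` and the `id_foo` attribute are assumptions made for illustration.

```python
import html


class SafeText(str):
    """Stand-in for Django's safe-string type: text already safe for HTML."""

    def __html__(self):
        return self


def mark_safe(value):
    return SafeText(value)


def conditional_escape(value):
    # Escape unless the value is already marked safe.
    if hasattr(value, "__html__"):
        return value
    return SafeText(html.escape(str(value)))


def format_html(fmt, *args):
    # Every argument passes through conditional_escape before interpolation.
    return SafeText(fmt.format(*(conditional_escape(a) for a in args)))


def label_tag_1_4(label, contents=None):
    # Model of the 1.4 path: caller-supplied contents are interpolated as-is;
    # only the field's own label is escaped.
    contents = contents or conditional_escape(label)
    return SafeText('<label for="id_foo">%s</label>' % contents)


def label_tag_1_5(label, contents=None):
    # Model of the 1.5 path: same first line, but format_html escapes any
    # argument not marked safe, so plain-string contents are escaped too.
    contents = contents or conditional_escape(label)
    return format_html('<label for="id_foo">{0}</label>', contents)


if __name__ == "__main__":
    # Constructed inputs: the ticket's '<asdf>' plus a label containing '&'.
    print(label_tag_1_4("Foo", "<asdf>"))
    print(label_tag_1_5("Foo", "<asdf>"))
    print(label_tag_1_5("Foo", mark_safe("<em>Foo</em>")))
    print(label_tag_1_5("A & B"))  # escaped once, not twice
```

In this model, a caller that wants markup inside the label under the 1.5 path has to mark it safe explicitly, while the field's own label is escaped exactly once because `conditional_escape` returns a safe string that `format_html` leaves alone.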
Change History (6)
comment:1 Changed 3 years ago by
|Component:||Forms → Documentation|
|Patch needs improvement:||unset|
comment:3 Changed 3 years ago by
|Severity:||Normal → Release blocker|
|Triage Stage:||Ready for checkin → Accepted|