Opened 10 years ago

Closed 10 years ago

#21962 closed Cleanup/optimization (fixed)

Add a flag to ErrorDict.as_json() to escape html

Reported by: Tim Graham
Owned by: vedran
Component: Forms
Version: dev
Severity: Release blocker
Keywords:
Cc:
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

from Marc Tamlyn:

Some use cases for ErrorDict.as_json() are:

  • AJAX requests to a form view where the client interprets the response and puts errors into the page (so HTML escaping would be useful)
  • Building an API which handles JSON. In this case HTML escaping is plain wrong.

In the first case, it is trivial using jQuery to ensure the text is escaped - simply use $(el).text(errorText) rather than .html() and jQuery will escape the HTML for you. We should document that the as_json() method does not escape the result and can even reference the relevant jQuery method as an example for how to do this client-side.

from Shai Berger:

We should also probably add a flag for HTML escaping -- it is useful for a very common use-case of the method, and we shouldn't assume jQuery or any client-side library. While this is less than totally clean (and that, in itself, is reason enough not to escape HTML by default), practicality beats purity -- and adding such a flag will result in more secure Django-based sites.
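To show what the two positions in the description amount to in code, here is a small stand-alone re-implementation of the flag's semantics (an added example, not Django's own ErrorDict code): the error structure `{field: [(message, code), ...]}` and the `escape_html` argument name are assumptions taken from the ticket, and the sample messages are constructed.

```python
import html
import json


def errors_as_json(errors, escape_html=False):
    """Serialise a form error dict ({field: [(message, code), ...]}) to JSON.

    Mirrors the shape of ErrorDict.as_json(): each field maps to a list of
    {"message": ..., "code": ...} objects. With escape_html=True the message
    text is HTML-escaped before serialisation, so a browser client can drop it
    into the page as markup; with the default the raw message is preserved,
    which is what a JSON API consumer expects. Simplified re-implementation,
    not Django's code.
    """
    data = {}
    for field, error_list in errors.items():
        data[field] = [
            {
                "message": html.escape(message) if escape_html else message,
                "code": code,
            }
            for message, code in error_list
        ]
    return json.dumps(data)


# Constructed sample: one validation message that happens to contain markup.
SAMPLE_ERRORS = {
    "username": [('Name "<b>admin</b>" is not allowed.', "invalid")],
    "email": [("This field is required.", "required")],
}


def decoded_message(errors, field, escape_html=False):
    """What a JSON client sees for one field's first error after decoding."""
    return json.loads(errors_as_json(errors, escape_html))[field][0]["message"]


if __name__ == "__main__":
    # Raw message: right for an API, unsafe to insert with .html()/innerHTML.
    print(errors_as_json(SAMPLE_ERRORS))
    # Escaped message: safe for innerHTML, but an API consumer would now
    # receive &quot; and &lt; entities inside plain JSON strings.
    print(errors_as_json(SAMPLE_ERRORS, escape_html=True))
```

The second output is the "plain wrong" case for an API: the decoded JSON string still carries HTML entities, which is why the escaping stays opt-in rather than the default.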

Change History (4)

comment:1 by vedran, 10 years ago

Hi, submitted a pull request that adds the flag: https://github.com/django/django/pull/2320

comment:2 by vedran, 10 years ago

Owner: changed from nobody to vedran
Status: new → assigned

comment:3 by vedran, 10 years ago

Has patch: set

comment:4 by Tim Graham <timograham@…>, 10 years ago

Resolution: fixed
Status: assigned → closed

In c23b3717be71e4b2e5a32f156ef0a7b4703d012d:

Fixed #21962 -- Added escape_html flag to ErrorDict.as_json()
