Opened 12 years ago
Closed 12 years ago
#21962 closed Cleanup/optimization (fixed)
Add a flag to ErrorDict.as_json() to escape html
| Reported by: | Tim Graham | Owned by: | vedran |
|---|---|---|---|
| Component: | Forms | Version: | dev |
| Severity: | Release blocker | Keywords: | |
| Cc: | | Triage Stage: | Accepted |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
from Marc Tamlyn:
Some use cases for ErrorDict.as_json() are:
- AJAX requests to a form view where the client interprets the response and puts errors into the page (so HTML escaping would be useful)
- Building an API which handles JSON. In this case HTML escaping is plain wrong.
In the first case, it is trivial using jQuery to ensure the text is escaped - simply use $(el).text(errorText) rather than .html() and jQuery will escape the HTML for you. We should document that the as_json() method does not escape the result and can even reference the relevant jQuery method as an example for how to do this client-side.
from Shai Berger:
We should also probably add a flag for HTML escaping -- it is useful for a very common use-case of the method, and we shouldn't assume jQuery or any client-side library. While this is less than totally clean (and that, in itself, is reason enough not to escape HTML by default), practicality beats purity -- and adding such a flag will result in more secure Django-based sites.
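The two use cases above, as an added example that is not part of the ticket or of Django's own code: a stand-alone serialiser that mirrors what ErrorDict.as_json() does with and without HTML escaping. The error dict is constructed here (a real ErrorDict holds ValidationError objects), and the keyword name `escape_html` is the one the shipped flag uses; the ticket text itself does not name it.

```python
import html
import json

# Constructed stand-in for a Django ErrorDict: field name -> list of
# (message, code) pairs. The username message echoes attacker-controlled
# input, which is the case where an unescaped message becomes an XSS sink.
CONSTRUCTED_ERRORS = {
    "username": [
        ('Username "<img src=x onerror=alert(1)>" is taken.', "unique"),
    ],
    "email": [("Enter a valid email address.", "invalid")],
}


def errors_as_json(errors, escape_html=False):
    """Serialise errors the way ErrorDict.as_json() does (mirror, not Django's code).

    escape_html=False returns the raw text: correct for a JSON API client
    that is not rendering HTML (escaping here would make it display "&lt;").
    escape_html=True HTML-escapes each message so a page that drops the
    string into innerHTML cannot be tricked into rendering user-supplied markup.
    """
    payload = {}
    for field, messages in errors.items():
        payload[field] = [
            {
                "message": html.escape(message) if escape_html else message,
                "code": code,
            }
            for message, code in messages
        ]
    return json.dumps(payload)


def first_message(json_text, field):
    """Return the first message for a field from the serialised output."""
    return json.loads(json_text)[field][0]["message"]


if __name__ == "__main__":
    # Raw: what an API consumer wants; unsafe if inserted with .html()/innerHTML.
    print(errors_as_json(CONSTRUCTED_ERRORS))
    # Escaped: safe for innerHTML; the jQuery .text() route is the client-side
    # alternative when the server is left at escape_html=False.
    print(errors_as_json(CONSTRUCTED_ERRORS, escape_html=True))
```

The escaped form is only the right default for a client that inserts the message as markup; a client that already assigns the string with `$(el).text(...)` or `textContent`, or that is not a browser at all, should receive the raw form, which is why the flag defaults to off.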
Change History (4)
comment:1 by , 12 years ago
comment:2 by , 12 years ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
comment:3 by , 12 years ago
| Has patch: | set |
|---|---|
Hi, submitted a pull request that adds the flag: https://github.com/django/django/pull/2320
comment:4 by , 12 years ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |