id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
21962	Add a flag to ErrorDict.as_json() to escape html	Tim Graham	vedran	"from Marc Tamlyn:

Some use cases for `ErrorDict.as_json()` are:

* AJAX requests to a form view where the client interprets the response and puts errors into the page (so HTML escaping would be useful)
* Building an API which handles JSON. In this case HTML escaping is plain wrong.

In the first case, it is trivial using jQuery to ensure the text is escaped - simply use `$(el).text(errorText)` rather than `.html()` and jQuery will escape the HTML for you. We should document that the `as_json()` method does not escape the result and can even reference the relevant jQuery method as an example for how to do this client-side.

from Shai Berger:

We should also probably add a flag for HTML escaping -- it is useful for a very common use-case of the method, and we shouldn't assume jQuery or any client-side library. While this is less than totally clean (and that, in itself, is reason enough not to escape HTML by default), practicality beats purity -- and adding such a flag will result in more secure Django-based sites."	Cleanup/optimization	closed	Forms	dev	Release blocker	fixed			Accepted	1	0	0	0	0	0
