#28874 closed Bug (fixed)

Errors on hidden input fields print out double escaped HTML

Reported by: Kyle Agronick Owned by: Daniil Ryzhkov
Component: Template system Version: 1.11
Severity: Normal Keywords:
Cc: Daniil Ryzhkov Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: yes Patch needs improvement: no
Easy pickings: yes UI/UX: yes


Hidden input fields will print errors like "It\'s the thing &" as "(Hidden field test) It's the thing &". with HTML that is double escaped as

<ul class="errorlist nonfield">
    <li>(Hidden field test) It&amp;#39;s the thing &amp;amp;</li>

Using this code:


class TestForm(forms.Form):
    test = forms.CharField(widget=forms.HiddenInput(), required=False)
    foo = forms.CharField()

class StoreGroupDelete(FormView):
    form_class = TestForm
    template_name = 'test/test_delete.html'

    def form_valid(self, form):
        form.add_error('test', 'It\'s the thing &')
        return self.form_invalid(form)


        <form method="post">
            {% csrf_token %}
            {{ form.as_ul }}
            </ul><input type="submit" />

This only happens on hidden inputs. Regular fields work fine. This is on 1.11.7.

Change History (7)

comment:1 Changed 12 months ago by Daniil Ryzhkov

I was able to reproduce this behaviour and can confirm that this only happens for HiddenField. It works normally for CharField.

comment:2 Changed 12 months ago by Daniil Ryzhkov

I've checked Django code and it seems to be a django bug.
This line in django.forms.forms breaks affect of mark_safe:

According to git blame, this issue should should be reproducible in every django release for last 5 years:
I was able to fix this. I will write tests to cover this issue and submit my changes as PR on github.

comment:3 Changed 12 months ago by Daniil Ryzhkov

Cc: Daniil Ryzhkov added
Needs tests: set
Owner: changed from nobody to Daniil Ryzhkov
Status: newassigned
Triage Stage: UnreviewedAccepted

comment:4 Changed 12 months ago by Daniil Ryzhkov

Triage Stage: AcceptedReady for checkin
Last edited 12 months ago by Daniil Ryzhkov (previous) (diff)

comment:5 Changed 12 months ago by Simon Charette

Triage Stage: Ready for checkinAccepted

Please don't mark your own patch as RFC.

comment:6 Changed 12 months ago by Daniil Ryzhkov

Has patch: set

comment:7 Changed 12 months ago by Tim Graham <timograham@…>

Resolution: fixed
Status: assignedclosed

In 7c7bc639:

Fixed #28874 -- Prevented double escaping of errors on hidden form fields.

Note: See TracTickets for help on using tickets.
Back to Top