Opened 6 years ago
Closed 6 years ago
#28902 closed Bug (fixed)
password_validators_help_text_html isn't marked as safe correctly
| Reported by: | Ole Laursen | Owned by: | Alvin Lindstam |
|---|---|---|---|
| Component: | contrib.auth | Version: | 2.0 |
| Severity: | Normal | Keywords: | |
| Cc: | Triage Stage: | Accepted | |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | yes | UI/UX: | no |
Description
Last lines say
help_items = [format_html('<li>{}</li>', help_text) for help_text in help_texts]
return '<ul>%s</ul>' % ''.join(help_items) if help_items else ''
So in the last line it's throwing away the safe text information put in by format_html in the previous line.
The result is that if you output the help_text of django.contrib.auth.forms.PasswordChangeForm in a template, the HTML bullets are escaped (user sees HTML code instead of bullets). For some reason, I don't see this problem within the admin site, which is actually a bit worrying.
This seems to work instead:
formatted_help_items = format_html_join("", '<li>{}</li>', ((help_text,) for help_text in help_texts))
return format_html("<ul>{}</ul>", formatted_help_items) if formatted_help_items else ""
Change History (4)
comment:1 by , 6 years ago
| Summary: | Formatting bug in django.contrib.auth.password_validation._password_validators_help_text_html → password_validators_help_text_html isn't marked as safe correctly |
|---|---|
| Triage Stage: | Unreviewed → Accepted |
comment:2 by , 6 years ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
comment:3 by , 6 years ago
| Has patch: | set |
|---|---|
| Owner: | changed from to |
Hope it's OK that I reassigned it, there's not been any activity for a month.
Note:
See TracTickets
for help on using tickets.
The bug doesn't manifest itself in the admin because those help_texts are marked as safe in the template (#25053).