Opened 7 years ago
Closed 7 years ago
#28902 closed Bug (fixed)
password_validators_help_text_html isn't marked as safe correctly
Reported by: | Ole Laursen | Owned by: | Alvin Lindstam |
---|---|---|---|
Component: | contrib.auth | Version: | 2.0 |
Severity: | Normal | Keywords: | |
Cc: | Triage Stage: | Accepted | |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | yes | UI/UX: | no |
Description
Last lines say
    help_items = [format_html('<li>{}</li>', help_text) for help_text in help_texts]
    return '<ul>%s</ul>' % ''.join(help_items) if help_items else ''
So in the last line it's throwing away the safe text information put in by format_html in the previous line.
The result is that if you output the help_text of django.contrib.auth.forms.PasswordChangeForm in a template, the HTML bullets are escaped (user sees HTML code instead of bullets). For some reason, I don't see this problem within the admin site, which is actually a bit worrying.
This seems to work instead:
    formatted_help_items = format_html_join("", '<li>{}</li>', ((help_text,) for help_text in help_texts))
    return format_html("<ul>{}</ul>", formatted_help_items) if formatted_help_items else ""
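The behaviour described above, as an added example that is not part of the ticket or of Django's code. `SafeString`, `conditional_escape`, `format_html` and `format_html_join` here are simplified, stdlib-only stand-ins modelled on the Django helpers of the same names; `render` and `SAMPLE` are hypothetical names, and the sample help texts are constructed.

```python
# Simplified models of Django's safe-string helpers (assumption: not Django's code).
from html import escape


class SafeString(str):
    """A str subclass flagged as already-escaped HTML."""

    def __html__(self):
        return self


def conditional_escape(value):
    # Leave flagged strings alone, escape everything else (what autoescaping does).
    return value if hasattr(value, "__html__") else escape(str(value))


def format_html(fmt, *args):
    return SafeString(fmt.format(*(conditional_escape(a) for a in args)))


def format_html_join(sep, fmt, args_generator):
    return SafeString(conditional_escape(sep).join(format_html(fmt, *a) for a in args_generator))


def help_text_html_before(help_texts):
    # Code quoted in the ticket: str.join() and % both return a plain str,
    # so the safe flag set by format_html() is lost.
    help_items = [format_html("<li>{}</li>", t) for t in help_texts]
    return "<ul>%s</ul>" % "".join(help_items) if help_items else ""


def help_text_html_after(help_texts):
    # Replacement proposed in the ticket: the result stays flagged as safe.
    items = format_html_join("", "<li>{}</li>", ((t,) for t in help_texts))
    return format_html("<ul>{}</ul>", items) if items else ""


def render(value):
    # Hypothetical stand-in for an autoescaping template rendering {{ value }}.
    return str(conditional_escape(value))


# Constructed sample help texts; the second contains markup that must be escaped.
SAMPLE = ["At least 8 characters.", "Must not contain <b>."]

if __name__ == "__main__":
    print(render(help_text_html_before(SAMPLE)))  # list markup escaped a second time
    print(render(help_text_html_after(SAMPLE)))   # list markup intact, help text escaped once
```

In both versions the individual help texts are escaped; the difference is only whether the surrounding list markup survives autoescaping.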
Change History (4)
comment:1 by , 7 years ago
Summary: | Formatting bug in django.contrib.auth.password_validation._password_validators_help_text_html → password_validators_help_text_html isn't marked as safe correctly |
---|---|
Triage Stage: | Unreviewed → Accepted |
comment:2 by , 7 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
comment:3 by , 7 years ago
Has patch: | set |
---|---|
Owner: | changed from | to
Hope it's OK that I reassigned it, there's not been any activity for a month.
The bug doesn't manifest itself in the admin because those help_texts are marked as safe in the template (#25053).