Opened 7 days ago

Last modified 6 days ago

#28902 assigned Bug

password_validators_help_text_html isn't marked as safe correctly

Reported by: Ole Laursen
Owned by: Mayank Modi
Component: contrib.auth
Version: 2.0
Severity: Normal
Keywords:
Cc:
Triage Stage: Accepted
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: yes
UI/UX: no

Description

Last lines say

    help_items = [format_html('<li>{}</li>', help_text) for help_text in help_texts]
    return '<ul>%s</ul>' % ''.join(help_items) if help_items else ''

So in the last line it's throwing away the safe text information put in by format_html in the previous line.

The result is that if you output the help_text of django.contrib.auth.forms.PasswordChangeForm in a template, the HTML bullets are escaped (user sees HTML code instead of bullets). For some reason, I don't see this problem within the admin site, which is actually a bit worrying.

This seems to work instead:

    formatted_help_items = format_html_join("", '<li>{}</li>', ((help_text,) for help_text in help_texts))
    return format_html("<ul>{}</ul>", formatted_help_items) if formatted_help_items else ""

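The mechanism behind the report, as an added example that is not part of the ticket or of Django's own code: a minimal stand-in for the django.utils.safestring / django.utils.html machinery (SafeString, mark_safe, escape, conditional_escape, format_html, format_html_join are re-implemented here in simplified form with the same names as Django's public API; the bodies are assumptions, not Django's source). It shows that the original builder returns a plain str, so a template with autoescape on double-escapes the bullets, while the proposed format_html_join version returns a SafeString end to end without weakening the escaping of the individual help texts. The sample help texts are constructed for the demo.

```python
# Added example (not Django's code): a minimal stand-in for Django's
# safestring / format_html machinery, enough to show why
# '<ul>%s</ul>' % ''.join(...) drops the "safe" mark set by format_html
# and why format_html_join keeps it. The helper names mirror Django's
# public API; the bodies are simplified re-implementations (assumed).
import html


class SafeString(str):
    """A str that a template engine may emit without escaping."""

    def __html__(self):
        return self


def mark_safe(s):
    return SafeString(s)


def escape(text):
    """HTML-escape unconditionally; the result is safe to emit."""
    return mark_safe(html.escape(str(text), quote=True))


def conditional_escape(text):
    """Escape unless the value already declares itself as HTML via __html__."""
    if hasattr(text, "__html__"):
        return text.__html__()
    return escape(text)


def format_html(format_string, *args, **kwargs):
    """Like str.format, but escapes every argument and marks the result safe."""
    args_safe = [conditional_escape(a) for a in args]
    kwargs_safe = {k: conditional_escape(v) for k, v in kwargs.items()}
    return mark_safe(format_string.format(*args_safe, **kwargs_safe))


def format_html_join(sep, format_string, args_generator):
    """Apply format_html to each argument tuple and join with a safe separator."""
    return mark_safe(
        conditional_escape(sep).join(
            format_html(format_string, *args) for args in args_generator
        )
    )


def render_autoescaped(value):
    """What {{ value }} produces in a template with autoescape on."""
    return str(conditional_escape(value))


# The ticket's original implementation: each <li> is a SafeString, but
# ''.join() yields a plain str and '%s' formatting keeps it plain, so the
# safe mark is lost and the template escapes the tags.
def help_text_html_buggy(help_texts):
    help_items = [format_html('<li>{}</li>', t) for t in help_texts]
    return '<ul>%s</ul>' % ''.join(help_items) if help_items else ''


# The fix proposed in the ticket: stay inside format_html/format_html_join
# so the value handed to the template is a SafeString.
def help_text_html_fixed(help_texts):
    items = format_html_join('', '<li>{}</li>', ((t,) for t in help_texts))
    return format_html('<ul>{}</ul>', items) if items else ''


# Constructed sample input: one ordinary message and one containing
# markup, to confirm the fix still escapes the help text content itself.
SAMPLE_HELP_TEXTS = [
    "Your password must contain at least 8 characters.",
    'Your password can\'t be <script>alert("x")</script>.',
]


def demo(help_texts=SAMPLE_HELP_TEXTS):
    buggy = help_text_html_buggy(help_texts)
    fixed = help_text_html_fixed(help_texts)
    return {
        "buggy_is_safe": isinstance(buggy, SafeString),
        "fixed_is_safe": isinstance(fixed, SafeString),
        "buggy_rendered": render_autoescaped(buggy),
        "fixed_rendered": render_autoescaped(fixed),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows buggy_rendered starting with `&lt;ul&gt;&lt;li&gt;` (the user sees HTML source instead of bullets) and fixed_rendered starting with `<ul><li>`, while the `<script>` in the second help text stays escaped in both, so the fix changes only where the safe mark lives, not what gets escaped.
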
Change History (2)

comment:1 Changed 7 days ago by Tim Graham

Summary: Formatting bug in django.contrib.auth.password_validation._password_validators_help_text_html → password_validators_help_text_html isn't marked as safe correctly
Triage Stage: Unreviewed → Accepted

The bug doesn't manifest itself in the admin because those help_texts are marked as safe in the template (#25053).

comment:2 Changed 6 days ago by Mayank Modi

Owner: changed from nobody to Mayank Modi
Status: new → assigned