Opened 10 months ago

Closed 9 months ago

#28902 closed Bug (fixed)

password_validators_help_text_html isn't marked as safe correctly

Reported by: Ole Laursen
Owned by: Alvin Lindstam
Component: contrib.auth
Version: 2.0
Severity: Normal
Keywords:
Cc:
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: yes
UI/UX: no

Description

Last lines say

    help_items = [format_html('<li>{}</li>', help_text) for help_text in help_texts]
    return '<ul>%s</ul>' % ''.join(help_items) if help_items else ''

So in the last line it's throwing away the safe text information put in by format_html in the previous line.

The result is that if you output the help_text of django.contrib.auth.forms.PasswordChangeForm in a template, the HTML bullets are escaped (user sees HTML code instead of bullets). For some reason, I don't see this problem within the admin site, which is actually a bit worrying.

This seems to work instead:

    formatted_help_items = format_html_join("", '<li>{}</li>', ((help_text,) for help_text in help_texts))
    return format_html("<ul>{}</ul>", formatted_help_items) if formatted_help_items else ""
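
To show the mechanism behind this report, here is an added, reduced model of the Django helpers involved (SafeString, conditional_escape, format_html, format_html_join) plus an autoescaping render step; it is written for this ticket, not taken from Django, and the help text strings are constructed samples. It demonstrates that str.join() and % formatting return a plain str, discarding the SafeString marker, so a template escapes the markup a second time, while the proposed fix keeps the marker and escapes each help text exactly once.

```python
import html

class SafeString(str):
    """A str marked as already escaped: autoescaping must leave it alone."""

def mark_safe(s):
    return SafeString(s)

def conditional_escape(value):
    # Django's rule: escape everything except values already marked safe.
    if isinstance(value, SafeString):
        return value
    return mark_safe(html.escape(str(value), quote=True))

def format_html(fmt, *args):
    # Each argument is escaped once, then the whole result is marked safe.
    return mark_safe(fmt.format(*[conditional_escape(a) for a in args]))

def format_html_join(sep, fmt, args_generator):
    return mark_safe(conditional_escape(sep).join(
        format_html(fmt, *args) for args in args_generator))

def render_autoescaped(value):
    """What a template variable does with `value` under autoescape."""
    return str(conditional_escape(value))

def buggy_help_text_html(help_texts):
    # The code quoted in the ticket: str.join() and % return a plain str,
    # so the SafeString marker added by format_html is lost here.
    help_items = [format_html('<li>{}</li>', t) for t in help_texts]
    return '<ul>%s</ul>' % ''.join(help_items) if help_items else ''

def fixed_help_text_html(help_texts):
    # The proposed fix: the markup stays a SafeString end to end, and each
    # help text is escaped exactly once, inside format_html_join.
    items = format_html_join('', '<li>{}</li>', ((t,) for t in help_texts))
    return format_html('<ul>{}</ul>', items) if items else ''

# Constructed sample help texts (not Django's real validator messages).
HELP_TEXTS = ['Your password must contain at least 8 characters.',
              "Your password can't be a <b>commonly used</b> password."]

if __name__ == '__main__':
    for fn in (buggy_help_text_html, fixed_help_text_html):
        out = fn(HELP_TEXTS)
        print(fn.__name__, type(out).__name__, render_autoescaped(out))
```

Running it prints the buggy variant as a plain str whose `<ul>` and `<li>` tags come out as `&lt;ul&gt;` and `&lt;li&gt;`, and the fixed variant as a SafeString rendered as real list markup with the user-visible text escaped once.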

Change History (4)

comment:1 Changed 10 months ago by Tim Graham

Summary: changed from Formatting bug in django.contrib.auth.password_validation._password_validators_help_text_html to password_validators_help_text_html isn't marked as safe correctly
Triage Stage: changed from Unreviewed to Accepted

The bug doesn't manifest itself in the admin because those help_texts are marked as safe in the template (#25053).

comment:2 Changed 10 months ago by Mayank Modi

Owner: changed from nobody to Mayank Modi
Status: changed from new to assigned

comment:3 Changed 9 months ago by Alvin Lindstam

Has patch: set
Owner: changed from Mayank Modi to Alvin Lindstam

PR

Hope it's OK that I reassigned it, there's not been any activity for a month.

comment:4 Changed 9 months ago by Tim Graham <timograham@…>

Resolution: fixed
Status: changed from assigned to closed

In 2cb6b773:

Fixed #28902 -- Fixed password_validators_help_text_html() double escaping.
