Opened 19 months ago

Closed 19 months ago

Last modified 19 months ago

#34595 closed Cleanup/optimization (fixed)

format_html() should explicitly mention that format_string is not escaped and that result is safe

Reported by: Natalia Bidart Owned by: AP Jama
Component: Template system Version: 4.2
Severity: Normal Keywords:
Cc: Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: yes UI/UX: no

Description (last modified by Natalia Bidart)

The docs for format_html mention that args and kwargs are escaped but it does not say anything about format_string (which is, in fact, not escaped). Readers could benefit from this clarification to avoid putting unsafe content in format_string.

Similarly, the docs could be extended to explicitly mention that the result is marked as safe. Mariusz suggested this text (thanks!):

The output has :func:`~django.utils.safestring.mark_safe` applied.

Change History (8)

comment:1 by Mariusz Felisiak, 19 months ago

Summary: `format_html` should explicitely mention rgar `format_string` is not escapedformat_html() should explicitely mention format_string is not escaped.
Triage Stage: UnreviewedAccepted

I'm not sure how format_html() could be useful with escaped format_string, however, a little clarification won't hurt.

comment:2 by Natalia Bidart, 19 months ago

Description: modified (diff)
Summary: format_html() should explicitely mention format_string is not escaped.format_html() should explicitely mention format_string is not escaped and that result is safe

comment:3 by Natalia Bidart, 19 months ago

Summary: format_html() should explicitely mention format_string is not escaped and that result is safeformat_html() should explicitly mention that format_string is not escaped and that result is safe

comment:4 by AP Jama, 19 months ago

Owner: changed from nobody to AP Jama
Status: newassigned

comment:5 by Mariusz Felisiak, 19 months ago

Has patch: set

PR

comment:6 by Mariusz Felisiak, 19 months ago

Triage Stage: AcceptedReady for checkin

comment:7 by Mariusz Felisiak <felisiak.mariusz@…>, 19 months ago

Resolution: fixed
Status: assignedclosed

In 4037223d:

Fixed #34595 -- Doc'd that format_string arg of format_html() is not escaped.

comment:8 by Mariusz Felisiak <felisiak.mariusz@…>, 19 months ago

In dae052d:

[4.2.x] Fixed #34595 -- Doc'd that format_string arg of format_html() is not escaped.

Backport of 4037223d0f12c44ecd6f369ccbabcbd279a1bdbc from main

Note: See TracTickets for help on using tickets.
Back to Top