Context Navigation

← Previous Ticket
Next Ticket →

#34609 closed Cleanup/optimization (fixed)

Deprecate format_html calls without args or kwargs

Reported by:	Adam Johnson	Owned by:	Bhuvnesh
Component:	Utilities	Version:	dev
Severity:	Normal	Keywords:
Cc:		Triage Stage:	Ready for checkin
Has patch:	yes	Needs documentation:	no
Needs tests:	no	Patch needs improvement:	no
Easy pickings:	no	UI/UX:	no

Description (last modified by Michael Howitz)

In my experience, a common misuse of format_html is to format the HTML before calling it:

format_html(f"<i>{name}</i>")

This makes it act like mark_safe, allowing data through without escaping. It provides a false sense of security since format_html is meant to be the "safe way".

I propose we deprecate calls to format_html that don’t pass args or kwargs, and eventually raise a TypeError for such cases.

(Following improvement to format_html docs in #34595.)

Change History (11)

comment:1 by Adam Johnson, 11 months ago

Description:	modified (diff)

comment:2 by Mariusz Felisiak, 11 months ago

Triage Stage:	Unreviewed → Accepted

comment:3 by Bhuvnesh, 11 months ago

django/utils/html.py

diff --git a/django/utils/html.py b/django/utils/html.py
index c32a36fa93..b2a0c3d3db 100644

                def format_html(format_string, *args, **kwargs):
     and call mark_safe() on the result. This function should be used instead
     of str.format or % interpolation to build up small HTML fragments.
     """
+    if not (args or kwargs):
+        raise TypeError("Arguments are missing.")
     args_safe = map(conditional_escape, args)
     kwargs_safe = {k: conditional_escape(v) for (k, v) in kwargs.items()}
     return mark_safe(format_string.format(*args_safe, **kwargs_safe))

tests/utils_tests/test_html.py

diff --git a/tests/utils_tests/test_html.py b/tests/utils_tests/test_html.py
index b7a7396075..c83fe7ddf6 100644

                class TestUtilsHtml(SimpleTestCase):
             "&lt; Dangerous &gt; <b>safe</b> &lt; dangerous again <i>safe again</i>",
+        )
+    def test_format_html_no_args(self):
+        msg = "Arguments are missing."
+        with self.assertRaisesMessage(TypeError, msg):
+            self.assertEqual(
+                format_html(
+                    "<i>{name}</i>",
+                ),
+                "<i>Adam</i>",
+            )
     def test_linebreaks(self):
         items = (
             ("para1\n\npara2\r\rpara3", "<p>para1</p>\n\n<p>para2</p>\n\n<p>para3</p>"),

Are these changes relevant? I don't have much experience with templates, still a lot to learn .😅

comment:4 by Bhuvnesh, 11 months ago

Owner:	changed from nobody to Bhuvnesh
Status:	new → assigned

comment:5 by Michael Howitz, 11 months ago

Description:	modified (diff)

comment:6 by Michael Howitz, 11 months ago

@Bhuvnesh The issues talks about deprecating that args resp. kwargs can be missing.
By raising an exception your suggested change make it impossible to call the function without these parameters. Maybe this is a bit too harsh.
See also https://docs.djangoproject.com/en/dev/internals/release-process/#internal-release-deprecation-policy for documentation how to deprecate a feature.

comment:7 by Bhuvnesh, 11 months ago

OK, so instead of TypeError I should raise a RemovedInDjango60Warning warning? It will raise warnings in v5.x and completely removed in v6.0 .

Last edited 11 months ago by Bhuvnesh (previous) (diff)

comment:8 by Bhuvnesh, 11 months ago

Has patch:	set

comment:9 by Mariusz Felisiak, 11 months ago

Needs documentation:	set

comment:10 by Mariusz Felisiak, 11 months ago

Needs documentation:	unset
Triage Stage:	Accepted → Ready for checkin

comment:11 by Mariusz Felisiak <felisiak.mariusz@…>, 11 months ago

Resolution:	→ fixed
Status:	assigned → closed

In 094b0be:

Fixed #34609 -- Deprecated calling format_html() without arguments.

Note: See TracTickets for help on using tickets.

Download in other formats:

Issues