Opened 18 months ago

Last modified 3 months ago

#34609 closed Cleanup/optimization

Deprecate format_html calls without args or kwargs — at Initial Version

Reported by: Adam Johnson
Owned by: nobody
Component: Utilities
Version: dev
Severity: Normal
Keywords:
Cc:
Triage Stage: Ready for checkin
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

In my experience, a common misuse of format_html is to format the HTML before calling it:

format_html(f"<i>{name}")

This makes it act like mark_safe, allowing data through without escaping. It provides a false sense of security since format_html is meant to be the "safe way".

I propose we deprecate calls to format_html that don’t pass args or kwargs, and eventually raise a TypeError for such cases.
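The misuse and the proposed guard, as an added example that is not Django's code: a stdlib-only stand-in for mark_safe, conditional_escape and format_html, with the no-args/no-kwargs check this ticket proposes emitting a DeprecationWarning. The function names render_misuse, render_correct and misuse_emits_warning are assumed for the demonstration.

```python
import html
import warnings

class SafeString(str):
    """Already-escaped HTML (stand-in for Django's SafeString)."""
    def __html__(self):
        return self

def mark_safe(s):
    return SafeString(s)

def conditional_escape(value):
    """Escape unless the value declares itself safe via __html__."""
    if hasattr(value, "__html__"):
        return value.__html__()
    return html.escape(str(value), quote=True)

def format_html(format_string, *args, **kwargs):
    """Escape each argument, then mark the formatted result safe."""
    # The guard is the check this ticket proposes: with no args or kwargs
    # nothing gets escaped, so the call behaves exactly like mark_safe().
    if not (args or kwargs):
        warnings.warn(
            "format_html() called without args or kwargs; nothing is escaped.",
            DeprecationWarning,
            stacklevel=2,
        )
    args_safe = [conditional_escape(a) for a in args]
    kwargs_safe = {k: conditional_escape(v) for k, v in kwargs.items()}
    return mark_safe(format_string.format(*args_safe, **kwargs_safe))

def render_misuse(name):
    """The pattern from the ticket: interpolation happens before the call."""
    return format_html(f"<i>{name}</i>")

def render_correct(name):
    """format_html does the interpolation, so the name is escaped."""
    return format_html("<i>{}</i>", name)

def misuse_emits_warning(name):
    """True if render_misuse() triggers the deprecation warning."""
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always")
        render_misuse(name)
    return any(issubclass(w.category, DeprecationWarning) for w in caught)

if __name__ == "__main__":
    untrusted = "<b>not bold</b>"  # constructed sample input
    print(render_misuse(untrusted), render_correct(untrusted), sep="\n")
```

Running it shows the f-string version passing the markup through untouched while the two-argument form escapes it, and only the former triggers the warning.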

Change History (0)
