Opened 18 months ago
Last modified 3 months ago
#34609 closed Cleanup/optimization
Deprecate format_html calls without args or kwargs — at Version 1
| Reported by: | Adam Johnson | Owned by: | nobody |
|---|---|---|---|
| Component: | Utilities | Version: | dev |
| Severity: | Normal | Keywords: | |
| Cc: | Triage Stage: | Ready for checkin | |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description (last modified by )
In my experience, a common misuse of format_html is to format the HTML before calling it:
format_html(f"<i>{name}")
This makes it act like mark_safe, allowing data through without escaping. It provides a false sense of security since format_html is meant to be the "safe way".
I propose we deprecate calls to format_html that don’t pass args or kwargs, and eventually raise a TypeError for such cases.
(Following improvement to format_html docs in #34595.)
Note:
See TracTickets
for help on using tickets.