Deprecate format_html calls without args or kwargs

[Adam Johnson]

In my experience, a common misuse of format_html is to format the HTML before calling it:

format_html(f"<i>{name}</i>")

This makes it act like mark_safe, allowing data through without escaping. It provides a false sense of security since format_html is meant to be the "safe way".

I propose we deprecate calls to format_html that don’t pass args or kwargs, and eventually raise a TypeError for such cases.

(Following improvement to format_html docs in #34595.)

[Bhuvnesh]

django/utils/html.py

@@ -100 +100 @@
     and call mark_safe() on the result. This function should be used instead
     of str.format or % interpolation to build up small HTML fragments.
     """
+    if not (args or kwargs):
+        raise TypeError("Arguments are missing.")
     args_safe = map(conditional_escape, args)
     kwargs_safe = {k: conditional_escape(v) for (k, v) in kwargs.items()}
     return mark_safe(format_string.format(*args_safe, **kwargs_safe))

tests/utils_tests/test_html.py

@@ -65 +65 @@
             "&lt; Dangerous &gt; <b>safe</b> &lt; dangerous again <i>safe again</i>",
         )
 
+    def test_format_html_no_args(self):
+        msg = "Arguments are missing."
+        with self.assertRaisesMessage(TypeError, msg):
+            self.assertEqual(
+                format_html(
+                    "<i>{name}</i>",
+                ),
+                "<i>Adam</i>",
+            )
+
     def test_linebreaks(self):
         items = (
             ("para1\n\npara2\r\rpara3", "<p>para1</p>\n\n<p>para2</p>\n\n<p>para3</p>"),

Are these changes relevant? I don't have much experience with templates, still a lot to learn .😅