Opened 17 years ago

Closed 17 years ago

#3510 closed (fixed)

Validation errors should be escaped for html

Reported by: scott@… Owned by: Adrian Holovaty
Component: Forms Version: dev
Severity: Keywords: form validation escape
Cc: Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no


I think validation error messages should be escaped when the form outputs html.

For example, in a custom clean method you might raise a ValidationError which includes the value the user input:

def clean_username(self):
    raise ValidationError(u"Sorry, username '%s' is not allowed" % self.clean_data['username'])

Whatever the user enters would currently be output unescaped in the validation error message. You could argue the input values should be escaped when building the custom ValidationError, but I think it's just a string at that point and escaping should be done when the html is generated - in this case in Form._html_output.

Patch is attached, though I'm not sure if I did the right thing with ErrorList - I'm new to Python.

Attachments (1)

escape-validation-errors.diff (2.2 KB ) - added by scott@… 17 years ago.
Patch and test

Download all attachments as: .zip

Change History (3)

by scott@…, 17 years ago

Patch and test

comment:1 by Chris Beaven, 17 years ago

Triage Stage: UnreviewedReady for checkin

comment:2 by Adrian Holovaty, 17 years ago

Resolution: fixed
Status: newclosed

(In [4544]) Fixed #3510 -- newforms validation errors are now HTML-escaped for HTML output. Thanks, scott@…

Note: See TracTickets for help on using tickets.
Back to Top