Opened 10 years ago

Closed 10 years ago

#3510 closed (fixed)

Validation errors should be escaped for html

Reported by: scott@…
Owned by: Adrian Holovaty
Component: Forms
Version: master
Severity:
Keywords: form validation escape
Cc:
Triage Stage: Ready for checkin
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

I think validation error messages should be escaped when the form outputs html.

For example, in a custom clean method you might raise a ValidationError which includes the value the user input:

from django.newforms import ValidationError  # newforms-era import, as used when this ticket was filed

def clean_username(self):
    # the raised message embeds the raw submitted value
    raise ValidationError(u"Sorry, username '%s' is not allowed" % self.clean_data['username'])

Whatever the user enters would currently be output unescaped in the validation error message. You could argue the input values should be escaped when building the custom ValidationError, but I think it's just a string at that point and escaping should be done when the html is generated - in this case in Form._html_output.

Patch is attached, though I'm not sure if I did the right thing with ErrorList - I'm new to Python.
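As an added illustration of the problem and the fix (this is not the attached patch and not Django's code), the following stand-alone Python models the pattern the ticket describes: a custom clean method whose message embeds the submitted value, and an ErrorList that renders those messages as markup. The ValidationError, ErrorList, clean_username and validate names are assumptions made for the example; escaping uses the standard library's html.escape rather than Django's escape helper, so the exact entity for a quote character differs from what Django would emit.

```python
import html
import re


class ValidationError(Exception):
    """Carries the user-facing messages a clean_<field> method raises (assumed class)."""

    def __init__(self, message):
        super().__init__(message)
        self.messages = [message]


class ErrorList(list):
    """List of error messages that knows how to render itself (assumed class).

    as_ul_unescaped mirrors the behaviour the ticket reports: the message is
    interpolated straight into the markup. as_ul escapes each message first,
    which is the behaviour the ticket asks for when the form builds its HTML.
    """

    def as_ul_unescaped(self):
        if not self:
            return ""
        return '<ul class="errorlist">%s</ul>' % "".join(
            "<li>%s</li>" % message for message in self)

    def as_ul(self):
        if not self:
            return ""
        return '<ul class="errorlist">%s</ul>' % "".join(
            "<li>%s</li>" % html.escape(message, quote=True) for message in self)


USERNAME_RE = re.compile(r"[A-Za-z0-9_]+")


def clean_username(value):
    """Custom clean method in the style of the ticket: the message echoes the input."""
    if not USERNAME_RE.fullmatch(value):
        raise ValidationError("Sorry, username '%s' is not allowed" % value)
    return value


def validate(data):
    """Run the clean method over submitted data and collect messages into an ErrorList."""
    errors = ErrorList()
    try:
        clean_username(data.get("username", ""))
    except ValidationError as exc:
        errors.extend(exc.messages)
    return errors


if __name__ == "__main__":
    # constructed sample submission containing markup
    submitted = {"username": "<b>bob</b>"}
    errors = validate(submitted)
    print("unescaped:", errors.as_ul_unescaped())  # markup from the input reaches the page
    print("escaped:  ", errors.as_ul())            # markup is rendered as text
```

Rendering the constructed submission through as_ul_unescaped puts the submitted `<b>` tags into the page verbatim, whereas as_ul turns them into `&lt;b&gt;`, so the browser displays the value instead of interpreting it.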

Attachments (1)

escape-validation-errors.diff (2.2 KB) - added by scott@… 10 years ago.
Patch and test


Change History (3)

Changed 10 years ago by scott@…

Patch and test

comment:1 Changed 10 years ago by Chris Beaven

Needs documentation: unset
Needs tests: unset
Patch needs improvement: unset
Triage Stage: Unreviewed → Ready for checkin

comment:2 Changed 10 years ago by Adrian Holovaty

Resolution: fixed
Status: new → closed

(In [4544]) Fixed #3510 -- newforms validation errors are now HTML-escaped for HTML output. Thanks, scott@…
