Opened 7 years ago

Closed 7 years ago

#3510 closed (fixed)

Validation errors should be escaped for html

Reported by: scott@…
Owned by: adrian
Component: Forms
Version: master
Severity:
Keywords: form validation escape
Cc:
Triage Stage: Ready for checkin
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

I think validation error messages should be escaped when the form outputs html.

For example, in a custom clean method you might raise a ValidationError which includes the value the user input:

def clean_username(self):
    raise ValidationError(u"Sorry, username '%s' is not allowed" % self.clean_data['username'])

Whatever the user enters would currently be output unescaped in the validation error message. You could argue the input values should be escaped when building the custom ValidationError, but I think it's just a string at that point and escaping should be done when the html is generated - in this case in Form._html_output.

Patch is attached, though I'm not sure if I did the right thing with ErrorList - I'm new to Python.
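The point of the ticket, as an added stand-alone illustration (not the attached patch and not Django's own newforms code): the clean method raises a plain-string error that embeds the submitted value, and the escaping is applied only when the error list is rendered as HTML. The `ValidationError`, `ErrorList`, `clean_username` and `render_field_errors` names below are simplified stand-ins, and the markup-bearing username in the test is a constructed input.

```python
from html import escape


class ValidationError(Exception):
    """Carries a plain, unescaped message, as in the ticket's example."""

    def __init__(self, message):
        super().__init__(message)
        self.message = message


def clean_username(username):
    """Hypothetical clean method that embeds the submitted value in the error."""
    if username.lower() in ("admin", "root") or not username.isalnum():
        raise ValidationError("Sorry, username '%s' is not allowed" % username)
    return username


class ErrorList(list):
    """Minimal stand-in for a form error list with an HTML renderer."""

    def as_ul_unescaped(self):
        # Behaviour the ticket reports: messages go straight into markup.
        if not self:
            return ""
        return '<ul class="errorlist">%s</ul>' % "".join(
            "<li>%s</li>" % e for e in self)

    def as_ul(self):
        # Fixed behaviour: escape each message at the point HTML is built,
        # so the error string itself stays a plain string.
        if not self:
            return ""
        return '<ul class="errorlist">%s</ul>' % "".join(
            "<li>%s</li>" % escape(e) for e in self)


def render_field_errors(username):
    """Run the clean method; return (unescaped HTML, escaped HTML)."""
    errors = ErrorList()
    try:
        clean_username(username)
    except ValidationError as exc:
        errors.append(exc.message)
    return errors.as_ul_unescaped(), errors.as_ul()


if __name__ == "__main__":
    raw, safe = render_field_errors("<b>x</b>")  # constructed input
    print(raw)
    print(safe)
```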

Attachments (1)

escape-validation-errors.diff (2.2 KB) - added by scott@… 7 years ago.
Patch and test

Change History (3)

Changed 7 years ago by scott@…

Patch and test

comment:1 Changed 7 years ago by SmileyChris

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Triage Stage changed from Unreviewed to Ready for checkin

comment:2 Changed 7 years ago by adrian

  • Resolution set to fixed
  • Status changed from new to closed

(In [4544]) Fixed #3510 -- newforms validation errors are now HTML-escaped for HTML output. Thanks, scott@…
