Opened 9 years ago

Closed 9 years ago

#3510 closed (fixed)

Validation errors should be escaped for html

Reported by: scott@… Owned by: adrian
Component: Forms Version: master
Severity: Keywords: form validation escape
Cc: Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: UI/UX:


I think validation error messages should be escaped when the form outputs html.

For example, in a custom clean method you might raise a ValidationError which includes the value the user input:

from django.newforms import ValidationError  # newforms-era import; the method below lives on a Form subclass

def clean_username(self):
    # self.clean_data holds the fields validated so far (newforms API at the time);
    # the submitted value is echoed back verbatim in the error message
    raise ValidationError(u"Sorry, username '%s' is not allowed" % self.clean_data['username'])

Whatever the user enters would currently be output unescaped in the validation error message. You could argue the input values should be escaped when building the custom ValidationError, but I think it's just a string at that point and escaping should be done when the html is generated - in this case in Form._html_output.

Patch is attached, though I'm not sure if I did the right thing with ErrorList - I'm new to Python.
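The before/after behaviour the ticket describes, as an added example that is not part of the original ticket, the attached patch, or Django's own code. The ValidationError class, clean_username, collect_errors and the two render functions are constructed stand-ins for how a newforms ErrorList is built and turned into markup; the point shown is that escaping belongs at HTML-generation time, so the message can stay a plain string everywhere else.

```python
import html


class ValidationError(Exception):
    # Constructed stand-in for a form library's ValidationError; not Django's class.
    def __init__(self, message):
        super().__init__(message)
        self.message = message


def clean_username(username):
    # Constructed clean method: rejects anything that is not plain alphanumerics
    # and echoes the submitted value back in the message, as in the ticket.
    if not username.isalnum():
        raise ValidationError("Sorry, username '%s' is not allowed" % username)
    return username


def collect_errors(username):
    # Gather the error messages a form would hold for this field (an ErrorList-like list of str).
    try:
        clean_username(username)
    except ValidationError as exc:
        return [exc.message]
    return []


def render_errors_unescaped(errors):
    # Behaviour the ticket reports: message strings dropped straight into markup,
    # so any markup in the submitted value is rendered as markup.
    items = "".join("<li>%s</li>" % e for e in errors)
    return '<ul class="errorlist">%s</ul>' % items


def render_errors_escaped(errors):
    # The fix the ticket argues for: escape when the HTML is generated, not when
    # the ValidationError is built. html.escape also escapes quotes by default.
    items = "".join("<li>%s</li>" % html.escape(e) for e in errors)
    return '<ul class="errorlist">%s</ul>' % items


if __name__ == "__main__":
    submitted = "bob<b>!</b>"  # constructed input that contains markup
    errs = collect_errors(submitted)
    print(render_errors_unescaped(errs))  # the <b> tag survives into the page
    print(render_errors_escaped(errs))    # the tag is shown literally as &lt;b&gt;
```

The same rule generalises to every string a form echoes back (labels, help text, initial values): decide once where HTML is produced and escape there, rather than trying to remember it at each place a message is composed.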

Attachments (1)

escape-validation-errors.diff (2.2 KB) - added by scott@… 9 years ago.
Patch and test


Change History (3)

Changed 9 years ago by scott@…

Patch and test

comment:1 Changed 9 years ago by SmileyChris

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Triage Stage changed from Unreviewed to Ready for checkin

comment:2 Changed 9 years ago by adrian

  • Resolution set to fixed
  • Status changed from new to closed

(In [4544]) Fixed #3510 -- newforms validation errors are now HTML-escaped for HTML output. Thanks, scott@…
