Opened 19 years ago
Closed 19 years ago
#3510 closed (fixed)
Validation errors should be escaped for html
| Reported by: | | Owned by: | Adrian Holovaty |
|---|---|---|---|
| Component: | Forms | Version: | dev |
| Severity: | | Keywords: | form validation escape |
| Cc: | | Triage Stage: | Ready for checkin |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
I think validation error messages should be escaped when the form outputs HTML.
For example, in a custom clean method you might raise a ValidationError which includes the value the user input:

```python
def clean_username(self):
    # clean_data was the newforms attribute name at the time of this ticket
    raise ValidationError(u"Sorry, username '%s' is not allowed" % self.clean_data['username'])
```

Whatever the user enters would currently be output unescaped in the validation error message. You could argue the input values should be escaped when building the custom ValidationError, but I think it's just a string at that point and escaping should be done when the HTML is generated - in this case in Form._html_output.
Patch is attached, though I'm not sure if I did the right thing with ErrorList - I'm new to Python.
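The issue the ticket describes, reduced to a stand-alone reproduction. This is an added example and not code from the ticket or from Django: `ValidationError`, `clean_username`, the two `render_errors_*` functions and `validate_and_render` are stand-ins written for this page, and `escape` is assumed to mirror the replacement set Django's HTML escaping uses (ampersand first, then `<`, `>`, `"`, `'`). The payload is a constructed username that doubles as a script tag.

```python
class ValidationError(Exception):
    """Minimal stand-in for Django's ValidationError: carries one message string."""

    def __init__(self, message):
        super().__init__(message)
        self.message = message


def escape(text):
    """Escape the five HTML metacharacters, ampersand first so that the
    entities introduced by the later replacements are not re-escaped.
    Assumed to match the replacement set of Django's html escaping."""
    return (str(text).replace('&', '&amp;')
                     .replace('<', '&lt;')
                     .replace('>', '&gt;')
                     .replace('"', '&quot;')
                     .replace("'", '&#39;'))


def clean_username(username):
    """Custom clean method in the spirit of the ticket: the raw input is
    reflected into the error message without any escaping."""
    if username in ('admin', 'root') or not username.isalnum():
        raise ValidationError(u"Sorry, username '%s' is not allowed" % username)
    return username


def render_errors_unescaped(errors):
    """The behaviour the ticket reports: each message is dropped straight
    into an <li>, so markup in the message reaches the browser intact."""
    if not errors:
        return ''
    return '<ul class="errorlist">%s</ul>' % ''.join('<li>%s</li>' % e for e in errors)


def render_errors_escaped(errors):
    """The fix the ticket proposes: escape at HTML generation time, so the
    clean method can keep treating the message as a plain string."""
    if not errors:
        return ''
    return '<ul class="errorlist">%s</ul>' % ''.join('<li>%s</li>' % escape(e) for e in errors)


def validate_and_render(username, escaped=True):
    """Run the clean method, collect any error, and render it either the
    vulnerable way (escaped=False) or the fixed way (escaped=True)."""
    errors = []
    try:
        clean_username(username)
    except ValidationError as e:
        errors.append(e.message)
    renderer = render_errors_escaped if escaped else render_errors_unescaped
    return renderer(errors)


# Constructed payload: a "username" that is really a script tag.
PAYLOAD = '<script>alert(document.cookie)</script>'

if __name__ == '__main__':
    print('unescaped:', validate_and_render(PAYLOAD, escaped=False))
    print('escaped:  ', validate_and_render(PAYLOAD, escaped=True))
```

The escaped rendering turns the payload into `&lt;script&gt;...&lt;/script&gt;` inside the `<li>`, so it is displayed rather than executed. The caveat that goes with escaping at output time is the one the ticket's ErrorList question hints at: a message that intentionally contains markup then needs to be marked as safe (Django's `mark_safe`, honoured by `conditional_escape`) or it will be escaped along with everything else.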
Attachments (1)
Change History (3)
by , 19 years ago
| Attachment: | escape-validation-errors.diff added |
|---|
comment:1 by , 19 years ago
| Triage Stage: | Unreviewed → Ready for checkin |
|---|
comment:2 by , 19 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
Patch and test