Context Navigation

← Previous Ticket
Next Ticket →

#5730 closed (fixed)

widgets not properly escaping content

Reported by:	Densetsu no Ero-sennin <densetsu.no.ero.sennin@…>	Owned by:	anonymous
Component:	Forms	Version:	dev
Severity:		Keywords:
Cc:		Triage Stage:	Ready for checkin
Has patch:	yes	Needs documentation:	no
Needs tests:	no	Patch needs improvement:	no
Easy pickings:	no	UI/UX:	no

Description

RadioSelect widget does not escape label text correctly.

Example:

>>> from django.newforms import RadioSelect
>>> r = RadioSelect()
>>> print r.render('test', 'test', choices=(('test', '<em>must be escaped</em>'),))
<ul>
<li><label><input checked="checked" type="radio" name="test" value="test" /> <em>must be escaped</em</label></li>
</ul>

Attachments (2)

radioselect_escape_label.patch (520 bytes ) - added by Densetsu no Ero-sennin <densetsu.no.ero.sennin@…> 17 years ago.: Escape label in RadioSelect widget
widget_escaping.diff (7.9 KB ) - added by Chris Beaven 16 years ago.

Download all attachments as: .zip

Change History (7)

by Densetsu no Ero-sennin <densetsu.no.ero.sennin@…>, 17 years ago

Attachment:	radioselect_escape_label.patch added

Escape label in RadioSelect widget

comment:1 by Densetsu no Ero-sennin <densetsu.no.ero.sennin@…>, 17 years ago

Owner:	changed from nobody to anonymous
Status:	new → assigned

comment:2 by Chris Beaven, 16 years ago

Needs tests:	set
Patch needs improvement:	set
Triage Stage:	Unreviewed → Accepted

Bug confirmed.

Current patch incorrectly removes the space between the radio item and the label. Apart from that, just needs a simple test and it's good to go.

comment:3 by Chris Beaven, 16 years ago

Needs tests:	unset
Patch needs improvement:	unset
Summary:	[patch] RadioSelect widget does not escape label text → widgets not properly escaping content
Triage Stage:	Accepted → Ready for checkin

In fact, this is a bigger issue than just RadioSelect. All widgets with choices are displaying the same behaviour.

On top of that, widgets aren't using conditional_escape so safe strings get double-escaped.

Patch with tests incoming...

by Chris Beaven, 16 years ago

Attachment:	widget_escaping.diff added

comment:4 by Chris Beaven, 16 years ago

For this patch, I have left the choice values (and opposed to labels) being hard-escaped because that brings up different issues for selecting the current choice.

comment:5 by Malcolm Tredinnick, 16 years ago

Resolution:	→ fixed
Status:	assigned → closed

(In [6722]) Fixed #5730: Conditionally escape widget contents in newforms to avoid
inadvertent double-escaping. This still isn't perfect behaviour (since it's
unaware of the current context's auto-escaping setting), but that's a larger
problem that needs fixing and this change at least makes the existing
behaviour consistent. Patch from SmileyChris.

Note: See TracTickets for help on using tickets.

Download in other formats:

Issues