Opened 17 years ago
Closed 17 years ago
#5730 closed (fixed)
widgets not properly escaping content
Reported by: | Owned by: | anonymous | |
---|---|---|---|
Component: | Forms | Version: | dev |
Severity: | Keywords: | ||
Cc: | Triage Stage: | Ready for checkin | |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
RadioSelect widget does not escape label text correctly.
Example:
>>> from django.newforms import RadioSelect
>>> r = RadioSelect()
>>> print r.render('test', 'test', choices=(('test', '<em>must be escaped</em>'),))
<ul>
<li><label><input checked="checked" type="radio" name="test" value="test" /> <em>must be escaped</em></label></li>
</ul>
Attachments (2)
Change History (7)
by , 17 years ago
Attachment: | radioselect_escape_label.patch added |
---|
comment:1 by , 17 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
comment:2 by , 17 years ago
Needs tests: | set |
---|---|
Patch needs improvement: | set |
Triage Stage: | Unreviewed → Accepted |
Bug confirmed.
Current patch incorrectly removes the space between the radio item and the label. Apart from that, just needs a simple test and it's good to go.
comment:3 by , 17 years ago
Needs tests: | unset |
---|---|
Patch needs improvement: | unset |
Summary: | [patch] RadioSelect widget does not escape label text → widgets not properly escaping content |
Triage Stage: | Accepted → Ready for checkin |
In fact, this is a bigger issue than just RadioSelect. All widgets with choices are displaying the same behaviour.
On top of that, widgets aren't using conditional_escape so safe strings get double-escaped.
Patch with tests incoming...
by , 17 years ago
Attachment: | widget_escaping.diff added |
---|
comment:4 by , 17 years ago
For this patch, I have left the choice values (as opposed to labels) being hard-escaped because that brings up different issues for selecting the current choice.
comment:5 by , 17 years ago
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
(In [6722]) Fixed #5730: Conditionally escape widget contents in newforms to avoid
inadvertent double-escaping. This still isn't perfect behaviour (since it's
unaware of the current context's auto-escaping setting), but that's a larger
problem that needs fixing and this change at least makes the existing
behaviour consistent. Patch from SmileyChris.
Escape label in RadioSelect widget
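
The three label-handling behaviours discussed in this ticket (no escaping, hard escaping, conditional escaping), side by side. This is an added Python 3 example, not Django's code or the attached patch: `SafeText`, `mark_safe`, `render_radio` and the sample labels are constructed stand-ins, and `conditional_escape` here is a simplified model of the function named in comment 3.

```python
# Added illustration: a minimal model of the safe-string pattern, not Django code.
from html import escape


class SafeText(str):
    """Marker type (hypothetical name): text already escaped or trusted as HTML."""


def mark_safe(s):
    """Stand-in: declare that s needs no further escaping."""
    return SafeText(s)


def conditional_escape(value):
    """Simplified model: escape unless the value is already marked safe."""
    if isinstance(value, SafeText):
        return value
    return SafeText(escape(str(value), quote=True))


def render_radio(name, value, label, mode):
    """Render one radio choice; mode selects how the label is treated:
    'raw' (the reported bug), 'hard' (always escape), 'conditional' (the fix)."""
    if mode == "raw":
        label_html = label
    elif mode == "hard":
        label_html = escape(label, quote=True)
    elif mode == "conditional":
        label_html = conditional_escape(label)
    else:
        raise ValueError("unknown mode: %r" % mode)
    # Choice values stay hard-escaped in every mode, as comment 4 describes.
    return '<label><input type="radio" name="%s" value="%s" /> %s</label>' % (
        escape(name, quote=True), escape(value, quote=True), label_html)


# Constructed sample labels.
UNTRUSTED = "<em>must be escaped</em>"   # plain string, e.g. from user data
TRUSTED = mark_safe("Tom &amp; Jerry")   # already-escaped markup marked safe

if __name__ == "__main__":
    for mode in ("raw", "hard", "conditional"):
        for label in (UNTRUSTED, TRUSTED):
            print("%-11s %s" % (mode, render_radio("test", "test", label, mode)))
```

Only the conditional mode gets both labels right: the plain string is escaped once and the safe string passes through unchanged.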