Opened 8 years ago

Closed 8 years ago

#5730 closed (fixed)

widgets not properly escaping content

Reported by: Densetsu no Ero-sennin <densetsu.no.ero.sennin@…> Owned by: anonymous
Component: Forms Version: master
Severity: Keywords:
Cc: Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: UI/UX:

Description

RadioSelect widget does not escape label text correctly.

Example:

>>> from django.newforms import RadioSelect
>>> r = RadioSelect()
>>> print r.render('test', 'test', choices=(('test', '<em>must be escaped</em>'),))
<ul>
<li><label><input checked="checked" type="radio" name="test" value="test" /> <em>must be escaped</em</label></li>
</ul>

Attachments (2)

radioselect_escape_label.patch (520 bytes) - added by Densetsu no Ero-sennin <densetsu.no.ero.sennin@…> 8 years ago.
Escape label in RadioSelect widget
widget_escaping.diff (7.9 KB) - added by SmileyChris 8 years ago.

Download all attachments as: .zip

Change History (7)

Changed 8 years ago by Densetsu no Ero-sennin <densetsu.no.ero.sennin@…>

Escape label in RadioSelect widget

comment:1 Changed 8 years ago by Densetsu no Ero-sennin <densetsu.no.ero.sennin@…>

  • Needs documentation unset
  • Needs tests unset
  • Owner changed from nobody to anonymous
  • Patch needs improvement unset
  • Status changed from new to assigned

comment:2 Changed 8 years ago by SmileyChris

  • Needs tests set
  • Patch needs improvement set
  • Triage Stage changed from Unreviewed to Accepted

Bug confirmed.

Current patch incorrectly removes the space between the radio item and the label. Apart from that, just needs a simple test and it's good to go.

comment:3 Changed 8 years ago by SmileyChris

  • Needs tests unset
  • Patch needs improvement unset
  • Summary changed from [patch] RadioSelect widget does not escape label text to widgets not properly escaping content
  • Triage Stage changed from Accepted to Ready for checkin

In fact, this is a bigger issue than just RadioSelect. All widgets with choices are displaying the same behaviour.

On top of that, widgets aren't using conditional_escape so safe strings get double-escaped.

Patch with tests incoming...

Changed 8 years ago by SmileyChris

comment:4 Changed 8 years ago by SmileyChris

For this patch, I have left the choice values (and opposed to labels) being hard-escaped because that brings up different issues for selecting the current choice.

comment:5 Changed 8 years ago by mtredinnick

  • Resolution set to fixed
  • Status changed from assigned to closed

(In [6722]) Fixed #5730: Conditionally escape widget contents in newforms to avoid
inadvertent double-escaping. This still isn't perfect behaviour (since it's
unaware of the current context's auto-escaping setting), but that's a larger
problem that needs fixing and this change at least makes the existing
behaviour consistent. Patch from SmileyChris.

Note: See TracTickets for help on using tickets.
Back to Top