Opened 12 years ago

Closed 12 years ago

#6041 closed (wontfix)

help_text not escaped in _html_output

Reported by: Chris Beaven
Owned by: nobody
Component: Forms
Version: master
Severity:
Keywords:
Cc:
Triage Stage: Accepted
Has patch: no
Needs documentation: no
Needs tests: yes
Patch needs improvement: no
Easy pickings: no
UI/UX: no


Help text should be conditionally escaped.

Change History (6)

comment:1 Changed 12 years ago by Chris Beaven

Needs tests: set
Triage Stage: Unreviewed → Accepted

comment:2 Changed 12 years ago by Malcolm Tredinnick

This is not trivial to do correctly at the moment. The problem is, we can't just pass it to conditional_escape() because that doesn't allow for the fact that the output might not require auto-escaping (e.g. if it is going into a template inside an "autoescape off" section).

At the moment, help_text is deliberately not escaped, since it's under the control of the developer and, for newforms, (unfortunately) the developer and designer have to work closely together in any case, so agreeing on auto-escaping settings is just part of that. Might be nice to make it smoother, but it will require more than just passing in the auto-escaping setting to _as_html(); every place we return HTML from newforms will need similar treatment.

comment:3 Changed 12 years ago by Chris Beaven

Maybe I'm not getting it still, but if you're using the _html_output method then you are going to get HTML output. If the help text in this HTML segment gets escaped, so what?

comment:4 Changed 12 years ago by Malcolm Tredinnick

For consistency we should only autoescape when autoescaping is enabled and calling escape() does the escaping too early. Since we support not using auto-escaping in templates, those people don't need to mark strings as safe, so we'll be double-escaping. We have to live with the shackles of providing semi-backwards-compatibility if we can. So I want to think about if there's a nice solution (which will also be applied throughout newforms). If I can't think of anything credible by the weekend, I'll drop in the six line patch I wrote for this today, but I want to think about it a bit first to see if there's a better solution.

comment:5 Changed 12 years ago by Chris Beaven

This isn't "auto escaping" though (in the new meaning of the word), just a change in functionality: to escape help_text (while still providing the ability to use help_text with html by using mark_safe).

I guess this is the point you're making, that it introduces the need to think about mark_safe for those trying to avoid thinking about it, but in this case it's not directly related to the template output, only changing the form's HTML output.

comment:6 Changed 12 years ago by Malcolm Tredinnick

Resolution: wontfix
Status: new → closed

So, we (Jacob, myself, James and Joseph K) talked about this and decided that help_text shouldn't be escaped. It's created by developers (not by website users) and, hence, the developers can get it correct in the first place. So help_text is to be inserted verbatim.
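The following is an added example, not code from the ticket or from Django itself. It models the three behaviours the thread contrasts (comments 2, 4 and 6): verbatim insertion of help_text, the conditionally escaped alternative with mark_safe() as the opt-in, and the double-escaping that plain escape() causes when applied twice. SafeString, mark_safe and conditional_escape here are simplified stand-ins for the django.utils.safestring / django.utils.html helpers the comments name; the render_* functions, the span markup and all sample strings are constructed for the demonstration.

```python
import html


class SafeString(str):
    """Marker subclass: the developer asserts the content is already safe HTML.
    Simplified stand-in for django.utils.safestring.SafeString (assumption)."""


def mark_safe(value):
    """Wrap a string so conditional_escape() passes it through untouched."""
    return SafeString(value)


def conditional_escape(value):
    """Escape a value unless it is already marked safe.

    Mirrors the semantics of django.utils.html.conditional_escape discussed
    in the ticket: the result is marked safe, so a value that went through
    once is not escaped a second time.
    """
    if isinstance(value, SafeString):
        return value
    return mark_safe(html.escape(str(value), quote=True))


def render_help_verbatim(help_text):
    """Behaviour the ticket settled on (wontfix): help_text is inserted as-is,
    so the developer owns its correctness. The span markup is assumed."""
    return '<span class="helptext">%s</span>' % help_text


def render_help_escaped(help_text):
    """The alternative the reporter proposed: conditionally escape help_text,
    with mark_safe() as the opt-in for developers who want raw HTML."""
    return '<span class="helptext">%s</span>' % conditional_escape(help_text)


def help_text_with_untrusted(label, untrusted_fragment):
    """Defensive pattern under the verbatim rule: when part of help_text comes
    from outside the code base (a database label, a config value), escape that
    part before composing the HTML, then mark the whole as safe."""
    return mark_safe("%s (%s)" % (label, html.escape(untrusted_fragment, quote=True)))


def demo():
    # Constructed sample inputs.
    raw_html = "<b>Required</b>"
    plain = "Use & to separate values"
    tainted = "</span><em>injected</em>"  # constructed: breaks out of the span

    return {
        # 1. Verbatim insertion keeps the developer's markup ...
        "verbatim_markup": render_help_verbatim(raw_html),
        # ... but also keeps any markup that leaked into help_text.
        "verbatim_tainted": render_help_verbatim(tainted),
        # 2. Conditional escaping neutralises plain strings ...
        "escaped_plain": render_help_escaped(plain),
        # ... and still lets mark_safe() opt in to raw HTML.
        "escaped_marked": render_help_escaped(mark_safe(raw_html)),
        # 3. conditional_escape() is idempotent; calling html.escape() twice
        #    double-escapes, which is the concern raised in comment 4.
        "single": str(conditional_escape(conditional_escape(plain))),
        "double": html.escape(html.escape(plain)),
        # 4. Untrusted fragment neutralised before it enters verbatim help_text.
        "composed": render_help_verbatim(help_text_with_untrusted("Tag", tainted)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-16s %s" % (key, value))
```

Because the ticket leaves help_text verbatim, the practical check for a code base is the fourth case: any help_text assembled from data that did not originate in source code must be escaped at the point where it is composed, since _html_output will not do it later.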
