Opened 16 years ago

Closed 16 years ago

#6041 closed (wontfix)

help_text not escaped in _html_output

Reported by: Chris Beaven
Owned by: nobody
Component: Forms
Version: dev
Severity: (none)
Keywords: (none)
Cc: (none)
Triage Stage: Accepted
Has patch: no
Needs documentation: no
Needs tests: yes
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

Help text should be conditionally escaped.

Change History (6)

comment:1 by Chris Beaven, 16 years ago

Needs tests: set
Triage Stage: Unreviewed → Accepted

comment:2 by Malcolm Tredinnick, 16 years ago

This is not trivial to do correctly at the moment. The problem is, we can't just pass it to conditional_escape() because that doesn't allow for the fact that the output might not require auto-escaping (e.g. if it is going into a template inside an "autoescape off" section).

At the moment, help_text is deliberately not escaped, since it's under the control of the developer and, for newforms, (unfortunately) the developer and designer have to work closely together in any case, so agreeing on auto-escaping settings is just part of that. Might be nice to make it smoother, but it will require more than just passing in the auto-escaping setting to _as_html(); every place we return HTML from newforms will need similar treatment.

comment:3 by Chris Beaven, 16 years ago

Maybe I'm not getting it still, but if you're using the _html_output method then you are going to get HTML output. If the help text in this HTML segment gets escaped, so what?

comment:4 by Malcolm Tredinnick, 16 years ago

For consistency we should only autoescape when autoescaping is enabled and calling escape() does the escaping too early. Since we support not using auto-escaping in templates, those people don't need to mark strings as safe, so we'll be double-escaping. We have to live with the shackles of providing semi-backwards-compatibility if we can. So I want to think about if there's a nice solution (which will also be applied throughout newforms). If I can't think of anything credible by the weekend, I'll drop in the six line patch I wrote for this today, but I want to think about it a bit first to see if there's a better solution.

comment:5 by Chris Beaven, 16 years ago

This isn't "auto escaping" though (in the new meaning of the word), just a change in functionality: to escape help_text (while still providing the ability to use help_text with html by using mark_safe).

I guess this is the point you're making, that it introduces the need to think about mark_safe for those trying to avoid thinking about it, but in this case it's not directly related to the template output, only changing the form's HTML output.

comment:6 by Malcolm Tredinnick, 16 years ago

Resolution: wontfix
Status: new → closed

So, we (Jacob, myself, James and Joseph K) talked about this and decided that help_text shouldn't be escaped. It's created by developers (not by website users) and, hence, the developers can get it correct in the first place. So help_text is to be inserted verbatim.
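The three behaviours argued over in this ticket (inserting help_text verbatim, escaping it conditionally so that mark_safe still works, and the double-escaping that hits developers who never mark strings safe because they run with autoescaping off) can be seen side by side in the following example. It is an added illustration, not Django's code: `SafeString`, `mark_safe`, `escape` and `conditional_escape` are a minimal stand-in for the semantics of `django.utils.html` and `django.utils.safestring` (the assumption is that "safe" means "declares `__html__()`"), and `help_row_verbatim`, `help_row_conditional` and `render_in_template` are hypothetical helpers that stand in for `_html_output` and the template layer.

```python
import html


class SafeString(str):
    """A str that already contains HTML; conditional_escape leaves it alone.

    Stand-in for Django's SafeString: safety is signalled by __html__().
    """

    def __html__(self):
        return self


def mark_safe(s):
    """Declare that the developer produced valid HTML on purpose."""
    return SafeString(s)


def escape(text):
    """Unconditional escaping: escapes even a string that is already safe.

    This is the "escaping too early" case from the discussion.
    """
    return SafeString(html.escape(str(text), quote=True))


def conditional_escape(text):
    """Escape unless the value declares itself safe via __html__()."""
    if hasattr(text, "__html__"):
        return text.__html__()
    return escape(text)


def help_row_verbatim(help_text):
    """What the ticket settled on: help_text is inserted as-is (hypothetical helper)."""
    return mark_safe('<span class="helptext">%s</span>' % help_text)


def help_row_conditional(help_text):
    """The proposal in the description: escape unless marked safe (hypothetical helper)."""
    return mark_safe('<span class="helptext">%s</span>' % conditional_escape(help_text))


def render_in_template(fragment, autoescape=True):
    """Mimic the template layer receiving the form's fragment as a variable.

    With autoescaping on, a SafeString passes through untouched and a plain
    str is escaped; with autoescaping off, everything is inserted raw.
    """
    return str(conditional_escape(fragment)) if autoescape else str(fragment)


if __name__ == "__main__":
    # Constructed sample help texts: one with intentional markup, one that a
    # developer running with "autoescape off" has already escaped by hand.
    markup = "Use <b>bold</b> text"
    pre_escaped = "a &lt; b"

    print("verbatim      :", help_row_verbatim(markup))
    print("conditional   :", help_row_conditional(markup))
    print("conditional+ms:", help_row_conditional(mark_safe(markup)))
    # The double-escaping Malcolm warns about: a hand-escaped string that was
    # never marked safe is escaped again by either escape() or conditional_escape().
    print("double escape :", help_row_conditional(pre_escaped))
    print("escape twice  :", escape(escape("a < b")))
    # The form fragment is itself a SafeString, so the template does not
    # escape it again regardless of what happened to help_text inside it.
    print("in template   :", render_in_template(help_row_verbatim(markup)))
```

The last line is why comment 3 and comment 4 talk past each other slightly: the form's fragment is always returned marked safe, so the only question is what happens to help_text before it is glued into that fragment, and that decision is made once, at form-rendering time, with no knowledge of the template's autoescape setting.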
