#6283 closed New feature (fixed)
NewForms labels are not conditionally escaped
Reported by: | Paul Hummer | Owned by: | Paul Hummer |
---|---|---|---|
Component: | Forms | Version: | dev |
Severity: | Normal | Keywords: | html escape easy-pickings |
Cc: | Paul Hummer | Triage Stage: | Accepted |
Has patch: | yes | Needs documentation: | no |
Needs tests: | yes | Patch needs improvement: | no |
Easy pickings: | yes | UI/UX: | no |
Description
Consider the following code:
required = '<span class="required">*</span>'required = '<span class="required">*</span>' class FooForm(forms.Form): email = forms.EmailField(label='%sEmail Address' % required) username = forms.CharField(label='%sUsername' % required) password = forms.CharField(label='%sPassword' % required, widget=forms.PasswordInput) password2 = forms.CharField(label='%sPassword (Again)' % required, widget=forms.PasswordInput) firstname = forms.CharField(label='First Name') lastname = forms.CharField(label='Last Name')
The labels are currently being escaped. Considering that the labels are usually developer/designer created instead of user created, it's probably safe to assume that most times, they are safe from XSS attacks.
Attachments (2)
Change History (15)
by , 17 years ago
Attachment: | forms.patch added |
---|
comment:1 by , 17 years ago
Owner: | changed from | to
---|
comment:2 by , 17 years ago
Status: | new → assigned |
---|
comment:3 by , 17 years ago
Needs tests: | set |
---|---|
Patch needs improvement: | set |
Summary: | NewForms labels are not marked as safe → NewForms labels are not conditionally escaped |
Triage Stage: | Unreviewed → Accepted |
The conditional_escape
-ing is good, but it shouldn't be marked safe by default. People (like you) can do that in your models if you need it.
comment:5 by , 17 years ago
Wow, I guess I haven't been getting email notifications. Came back because the bug still manifests itself, and it's my fault! Submitted a new patch so that fields can now be passed a safe parameter so as not to escape the label if set to True.
For instance:
name = forms.CharField(label='<span class="foo">Name</span>', safe=True)
comment:6 by , 17 years ago
I don't like the new patch at all.
Like I said earlier, all we need is the conditional_escape
bit. Then in your code you'd just do:
name = forms.CharField(label=mark_safe('<span class="foo">Name</span>'))
by , 17 years ago
Attachment: | bug-6283.patch added |
---|
comment:7 by , 17 years ago
Cc: | added |
---|
While I personally don't agree at all with the method for which this is marked safe (adding an interface to the framework instead of pulling in part of the framework to work with code seems messy to me), all I really care about is getting a fix into Django, instead of trying to get it fixed. Obviously, having markup in there is not ideal, but it's still a bug regardless.
However, I've fixed the patch to require mark_safe() in the label
comment:8 by , 17 years ago
Triage Stage: | Accepted → Design decision needed |
---|
comment:9 by , 17 years ago
Keywords: | easy-pickings added |
---|---|
Patch needs improvement: | unset |
Triage Stage: | Design decision needed → Accepted |
We decided to push it back to design decision after a chat on irc - but I didn't realise during the discussion that it already escaped it (the design decision was whether it should be escaped in the first place).
Latest patch is now good, but could still do with some tests.
comment:11 by , 14 years ago
Easy pickings: | set |
---|
comment:12 by , 14 years ago
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
comment:13 by , 14 years ago
Sorry, I resolved this ticket as anonymous without a comment - I'm a noob :)
The changes from this patch are already in the trunk, and tests can be found in forms.py (tests_escaping() method).
Patch to fix issue 6283