flatattr() doesn't check if a string is marked as "safe"

[Martin Geber]

In file ​http://code.djangoproject.com/browser/django/trunk/django/newforms/util.py in line 13:

It might be better to use conditional_escape instead of escape (​http://code.djangoproject.com/browser/django/trunk/django/utils/html.py line 30, and 35)

I'm not able to set the attribute onchange in a form widget with JavaScript.

e.g.::

    if 1 == '1' {return false;}

becomes::

    if 1 == '1' {return false;}

This is kind of annoying.

Hope my explanation is understandable... :)

Cheers,
Martin

[guettli]

Yes, your explanation is understandable.

from django import newforms as forms
class MyForm(forms.Form):
 query=forms.CharField(widget=forms.TextInput(attrs={'onchange': '''alert('abc')'''}))

html result

<input onchange="alert(&#39;abc&#39;)"

As far as I know this is correct. It worked in IE6.0 and Firefox.

Please provide more information and reopen it, if you still think this is a bug in django.

[ubernostrum]

(and you can place strings with HTML meaning, such as JS, here, you just have to use mark_safe() to do so)

[antisvin]

Original author didn't reopen the ticket, but I'll have to do it as I've just got bitten by this.

Note that what ubernostrum suggested doesn't work because flatatt function makes a call to escape instead of conditional_escape - it's the point of this ticket to make it possible to turn off autoescaping for attrs. I'm not aware of any reason for current behaviour, so likely it's accidental.

I'm also attaching an obvious patch just in case.

[guettli]

I think this patch can be committed to SVN.

[russellm]

guettli - thanks for the enthusiasm, but this patch is missing one essential thing - a regression test case. regressiontests/forms already contains some flatatt tests; they need to be expanded.

[versae]

Patch file and regression test.

[msaelices]

I mark this ticket as duplicated of #8566. The changeset [8601] is similar to this ticket patch.