Opened 16 years ago

Closed 16 years ago

#6529 closed (duplicate)

flatattr() doesn't check if a string is marked as "safe"

Reported by: Martin Geber Owned by: nobody
Component: Forms Version: dev
Severity: Keywords:
Cc: martin@…, antisvin@… Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

In file http://code.djangoproject.com/browser/django/trunk/django/newforms/util.py in line 13:

It might be better to use conditional_escape instead of escape (http://code.djangoproject.com/browser/django/trunk/django/utils/html.py line 30, and 35)

I'm not able to set the attribute onchange in a form widget with JavaScript.

e.g.::

    if 1 == '1' {return false;}

becomes::

    if 1 == '1' {return false;}

This is kind of annoying.

Hope my explanation is understandable... :)

Cheers,
Martin

Attachments (2)

escape_conditional_for_attrs.patch (859 bytes ) - added by antisvin 16 years ago.
flatatt_with_conditional_escape.diff (1.5 KB ) - added by Javier de la Rosa 16 years ago.
Patch file and regression test.

Download all attachments as: .zip

Change History (9)

comment:1 by Thomas Güttler, 16 years ago

Resolution: worksforme
Status: newclosed

Yes, your explanation is understandable.

from django import newforms as forms
class MyForm(forms.Form):
 query=forms.CharField(widget=forms.TextInput(attrs={'onchange': '''alert('abc')'''}))

html result

<input onchange="alert(&#39;abc&#39;)"

As far as I know this is correct. It worked in IE6.0 and Firefox.

Please provide more information and reopen it, if you still think this is a bug in django.

comment:2 by James Bennett, 16 years ago

(and you can place strings with HTML meaning, such as JS, here, you just have to use mark_safe() to do so)

comment:3 by antisvin, 16 years ago

Cc: antisvin@… added
Has patch: set
Resolution: worksforme
Status: closedreopened

Original author didn't reopen the ticket, but I'll have to do it as I've just got bitten by this.

Note that what ubernostrum suggested doesn't work because flatatt function makes a call to escape instead of conditional_escape - it's the point of this ticket to make it possible to turn off autoescaping for attrs. I'm not aware of any reason for current behaviour, so likely it's accidental.

I'm also attaching an obvious patch just in case.

by antisvin, 16 years ago

comment:4 by Thomas Güttler, 16 years ago

Triage Stage: UnreviewedReady for checkin

I think this patch can be committed to SVN.

comment:5 by Russell Keith-Magee, 16 years ago

Needs tests: set
Triage Stage: Ready for checkinAccepted

guettli - thanks for the enthusiasm, but this patch is missing one essential thing - a regression test case. regressiontests/forms already contains some flatatt tests; they need to be expanded.

by Javier de la Rosa, 16 years ago

Patch file and regression test.

comment:6 by Javier de la Rosa, 16 years ago

Needs tests: unset

comment:7 by Manuel Saelices, 16 years ago

Resolution: duplicate
Status: reopenedclosed

I mark this ticket as duplicated of #8566. The changeset [8601] is similar to this ticket patch.

Note: See TracTickets for help on using tickets.
Back to Top