Code

Opened 6 years ago

Closed 6 years ago

Last modified 3 years ago

#8041 closed (fixed)

Media should render as safe strings

Reported by: Daniel Pope <dan@…> Owned by: ericholscher
Component: Forms Version: master
Severity: Keywords:
Cc: Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: UI/UX:

Description

All of the render_* methods of django.forms.widgets.Media return unicode strings containing HTML markup.

As these are intended for use in templates, they should return SafeStrings. By the same token, the paths that are substituted should be escaped using conditional_escape to ensure the generated HTML is valid, even if paths contain characters such as '&'.

Attachments (1)

media-safestrings.diff (4.9 KB) - added by ericholscher 6 years ago.
Simple patch

Download all attachments as: .zip

Change History (5)

Changed 6 years ago by ericholscher

Simple patch

comment:1 Changed 6 years ago by ericholscher

  • Component changed from Uncategorized to django.newforms
  • Has patch set
  • milestone set to 1.0
  • Needs documentation unset
  • Needs tests unset
  • Owner changed from nobody to ericholscher
  • Patch needs improvement unset
  • Status changed from new to assigned

Sorry about the silly whitespace stuff in the patch. This is a simple change, and all of the tests are passing on trunk.

comment:2 Changed 6 years ago by ericholscher

  • Triage Stage changed from Unreviewed to Accepted

comment:3 Changed 6 years ago by russellm

  • Resolution set to fixed
  • Status changed from assigned to closed

(In [8285]) Fixed #8041 -- Modified media rendering to return safe strings. Thanks to Daniel Pope <dan@…> for the report.

comment:4 Changed 3 years ago by jacob

  • milestone 1.0 deleted

Milestone 1.0 deleted

Add Comment

Modify Ticket

Change Properties
<Author field>
Action
as closed
as The resolution will be set. Next status will be 'closed'
The resolution will be deleted. Next status will be 'new'
Author


E-mail address and user name can be saved in the Preferences.

 
Note: See TracTickets for help on using tickets.