Opened 10 years ago

Closed 10 years ago

Last modified 6 years ago

#8041 closed (fixed)

Media should render as safe strings

Reported by: Daniel Pope <dan@…>
Owned by: Eric Holscher
Component: Forms
Version: master
Severity:
Keywords:
Cc:
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

All of the render_* methods of django.forms.widgets.Media return unicode strings containing HTML markup.

As these are intended for use in templates, they should return SafeStrings. By the same token, the paths that are substituted should be escaped using conditional_escape to ensure the generated HTML is valid, even if paths contain characters such as '&'.
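A self-contained illustration of the fix the ticket asks for, added here and not Django's own code: a minimal stand-in for django.forms.widgets.Media whose render_* methods run each substituted path through a conditional_escape lookalike and return a SafeString, so a template's autoescaping neither leaves broken markup nor double-escapes the output. The SafeString, mark_safe and conditional_escape helpers below are constructed (on top of the stdlib html.escape) so the example runs without Django installed.

```python
import html


class SafeString(str):
    """str subclass marking content as already HTML-safe; plays the role of
    Django's SafeString but is constructed here so the example needs no Django."""


def mark_safe(s):
    """Wrap a string as safe (no escaping applied)."""
    return s if isinstance(s, SafeString) else SafeString(s)


def conditional_escape(value):
    """Escape unless already marked safe, the same contract as
    django.utils.html.conditional_escape (stdlib escaper used here)."""
    if isinstance(value, SafeString):
        return value
    return mark_safe(html.escape(str(value), quote=True))


class Media:
    """Minimal Media stand-in covering only what the ticket is about."""

    def __init__(self, js=(), css=None):
        self.js = list(js)
        self.css = css or {}  # {"screen": ["/path/a.css", ...]}

    def render_js(self):
        # Paths are escaped before substitution, then the whole tag is marked safe.
        return mark_safe("\n".join(
            '<script type="text/javascript" src="%s"></script>'
            % conditional_escape(path) for path in self.js))

    def render_css(self):
        return mark_safe("\n".join(
            '<link href="%s" type="text/css" media="%s" rel="stylesheet" />'
            % (conditional_escape(path), conditional_escape(medium))
            for medium in sorted(self.css) for path in self.css[medium]))

    def render(self):
        return mark_safe("\n".join(
            part for part in (self.render_css(), self.render_js()) if part))


def template_output(value):
    """What an autoescaping template does when it emits a value: escape unless safe."""
    return conditional_escape(value)
```

Rendering a path such as `/static/app.js?v=1&debug=1` yields `&amp;` in the attribute, and because the result is a SafeString, passing it through `template_output` leaves it unchanged rather than turning `&amp;` into `&amp;amp;`.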

Attachments (1)

media-safestrings.diff (4.9 KB) - added by Eric Holscher 10 years ago.
Simple patch


Change History (5)

Changed 10 years ago by Eric Holscher

Attachment: media-safestrings.diff added

Simple patch

comment:1 Changed 10 years ago by Eric Holscher

Component: Uncategorized → django.newforms
Has patch: set
milestone: 1.0
Owner: changed from nobody to Eric Holscher
Status: new → assigned

Sorry about the silly whitespace stuff in the patch. This is a simple change, and all of the tests are passing on trunk.

comment:2 Changed 10 years ago by Eric Holscher

Triage Stage: Unreviewed → Accepted

comment:3 Changed 10 years ago by Russell Keith-Magee

Resolution: fixed
Status: assigned → closed

(In [8285]) Fixed #8041 -- Modified media rendering to return safe strings. Thanks to Daniel Pope <dan@…> for the report.

comment:4 Changed 6 years ago by Jacob

milestone: 1.0

Milestone 1.0 deleted
