Opened 16 years ago

Closed 16 years ago

Last modified 13 years ago

#8041 closed (fixed)

Media should render as safe strings

Reported by: Daniel Pope <dan@…>
Owned by: Eric Holscher
Component: Forms
Version: dev
Severity:
Keywords:
Cc:
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

All of the render_* methods of django.forms.widgets.Media return unicode strings containing HTML markup.

As these are intended for use in templates, they should return SafeStrings. By the same token, the paths that are substituted should be escaped using conditional_escape to ensure the generated HTML is valid, even if paths contain characters such as '&'.
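
The behaviour requested in the description above, as an added example that is not part of the ticket or Django's own code. `SafeString`, `mark_safe` and `conditional_escape` are small stand-ins for the Django utilities of the same names, `autoescape` models what template auto-escaping does to a variable, and the `render_js_before`/`render_js_after` names, the tag format and the sample path are assumptions made for illustration.

```python
from html import escape


class SafeString(str):
    """Stand-in for Django's SafeString: markup that needs no further escaping."""


def mark_safe(s):
    return SafeString(s)


def conditional_escape(value):
    """Escape HTML special characters unless the value is already marked safe."""
    if isinstance(value, SafeString):
        return value
    return SafeString(escape(str(value), quote=True))


def autoescape(value):
    """Model of what a template with auto-escaping on does to a variable."""
    return conditional_escape(value)


def render_js_before(paths):
    # Behaviour reported in the ticket: a plain string with the raw path in it.
    return "\n".join(
        '<script type="text/javascript" src="%s"></script>' % p for p in paths
    )


def render_js_after(paths):
    # Requested behaviour: escape each path, then mark the assembled markup safe.
    return mark_safe("\n".join(
        '<script type="text/javascript" src="%s"></script>' % conditional_escape(p)
        for p in paths
    ))


# Constructed sample path containing '&', the character the ticket mentions.
PATHS = ["/static/app.js?v=2&lang=en"]

if __name__ == "__main__":
    print(autoescape(render_js_before(PATHS)))  # whole tag escaped, shown as text
    print(autoescape(render_js_after(PATHS)))   # working tag, '&' escaped once
```

The plain-string version only works in a template if its output is marked safe by hand, which then emits the unescaped path; the second version needs no such workaround and a path that is already marked safe is not escaped twice.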

Attachments (1)

media-safestrings.diff (4.9 KB) - added by Eric Holscher 16 years ago.
Simple patch

Change History (5)

by Eric Holscher, 16 years ago

Attachment: media-safestrings.diff added

Simple patch

comment:1 by Eric Holscher, 16 years ago

Component: Uncategorized → django.newforms
Has patch: set
milestone: 1.0
Owner: changed from nobody to Eric Holscher
Status: new → assigned

Sorry about the silly whitespace stuff in the patch. This is a simple change, and all of the tests are passing on trunk.

comment:2 by Eric Holscher, 16 years ago

Triage Stage: Unreviewed → Accepted

comment:3 by Russell Keith-Magee, 16 years ago

Resolution: fixed
Status: assigned → closed

(In [8285]) Fixed #8041 -- Modified media rendering to return safe strings. Thanks to Daniel Pope <dan@…> for the report.

comment:4 by Jacob, 13 years ago

milestone: 1.0

Milestone 1.0 deleted