Opened 8 years ago

Closed 8 years ago

Last modified 5 years ago

#8041 closed (fixed)

Media should render as safe strings

Reported by: Daniel Pope <dan@…> Owned by: Eric Holscher
Component: Forms Version: master
Severity: Keywords:
Cc: Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: UI/UX:

Description

All of the render_* methods of django.forms.widgets.Media return unicode strings containing HTML markup.

As these are intended for use in templates, they should return SafeStrings. By the same token, the paths that are substituted should be escaped using conditional_escape to ensure the generated HTML is valid, even if paths contain characters such as '&'.
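The behaviour the ticket asks for, as an added illustration that is not code from the ticket or from Django itself: a cut-down stand-in for `Media.render_*` where every path goes through `conditional_escape` and the assembled markup is marked safe. `SafeString`, `mark_safe` and `conditional_escape` below are simplified stand-ins for `django.utils.safestring` / `django.utils.html`, not the real implementations.

```python
# Added example (not from the ticket or Django): minimal stand-in for the
# Media rendering discussed in #8041. Paths are escaped with a
# conditional_escape stand-in so '&' or '"' cannot break the markup, and the
# finished tags are marked safe so a template engine leaves them intact.
from html import escape


class SafeString(str):
    """Marker type: content already escaped / trusted for HTML output."""


def mark_safe(s):
    return SafeString(s)


def conditional_escape(value):
    """Escape only values that are not already marked safe (no double escape)."""
    if isinstance(value, SafeString):
        return value
    return mark_safe(escape(str(value), quote=True))


class Media:
    def __init__(self, css=None, js=None):
        self.css = css or {}   # {media_type: [paths]}
        self.js = js or []

    def render_js(self):
        return mark_safe("\n".join(
            '<script type="text/javascript" src="%s"></script>'
            % conditional_escape(path) for path in self.js))

    def render_css(self):
        return mark_safe("\n".join(
            '<link href="%s" type="text/css" media="%s" rel="stylesheet" />'
            % (conditional_escape(path), conditional_escape(medium))
            for medium in sorted(self.css) for path in self.css[medium]))

    def render(self):
        parts = [self.render_css(), self.render_js()]
        return mark_safe("\n".join(p for p in parts if p))


def demo():
    # Constructed sample input: paths containing '&' and a double quote.
    m = Media(css={"screen": ["/s/a.css?v=1&x=2"]}, js=['/s/x.js?q="1"'])
    return m.render()
```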

Attachments (1)

media-safestrings.diff (4.9 KB) - added by Eric Holscher 8 years ago.
Simple patch


Change History (5)

Changed 8 years ago by Eric Holscher

Attachment: media-safestrings.diff added

Simple patch

comment:1 Changed 8 years ago by Eric Holscher

Component: Uncategorized → django.newforms
Has patch: set
milestone: 1.0
Owner: changed from nobody to Eric Holscher
Status: new → assigned

Sorry about the silly whitespace stuff in the patch. This is a simple change, and all of the tests are passing on trunk.

comment:2 Changed 8 years ago by Eric Holscher

Triage Stage: Unreviewed → Accepted

comment:3 Changed 8 years ago by Russell Keith-Magee

Resolution: fixed
Status: assigned → closed

(In [8285]) Fixed #8041 -- Modified media rendering to return safe strings. Thanks to Daniel Pope <dan@…> for the report.

comment:4 Changed 5 years ago by Jacob

milestone: 1.0

Milestone 1.0 deleted
