Media should render as safe strings
Reported by: Daniel Pope <dan@…>
Owned by: Eric Holscher
Component: Forms
Version: dev
Severity:
Keywords:
Cc:
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no
All of the render_* methods of django.forms.widgets.Media return unicode strings containing HTML markup. As these are intended for use in templates, they should return SafeStrings. By the same token, the paths that are substituted should be escaped using conditional_escape to ensure the generated HTML is valid, even if paths contain characters such as '&'.

Simple patch
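An added example, not the ticket's patch or Django's own code: a Django-free sketch of the two problems the report describes and of the fix it asks for. `SafeString`, `mark_safe`, `conditional_escape` and `autoescape` are minimal stand-ins written here with the assumed semantics of the Django utilities of the same names, and the `render_js_*`/`render_css_fixed` functions only mirror the shape of Media's render_* methods.

```python
# Added example (not Django's code): stand-ins for django.utils.safestring /
# django.utils.html semantics, used to show why Media.render_* should escape
# paths with conditional_escape and return a SafeString.
from html import escape


class SafeString(str):
    """A str whose content is already HTML-safe; autoescaping leaves it alone."""

    def __html__(self):
        return self


def mark_safe(s):
    """Wrap a string so templates will not escape it again."""
    return s if isinstance(s, SafeString) else SafeString(s)


def conditional_escape(text):
    """Escape text unless it declares itself safe via __html__ (no double-escaping)."""
    if hasattr(text, "__html__"):
        return text.__html__()
    return escape(str(text), quote=True)


def autoescape(value):
    """What a template does when it outputs a value with autoescaping on."""
    return conditional_escape(value)


def render_js_unsafe(js_paths):
    # 'Before': plain str with the raw path substituted. A '&' in the path makes
    # the HTML invalid, and the template then escapes the whole tag into text.
    return "\n".join('<script type="text/javascript" src="%s"></script>' % p
                     for p in js_paths)


def render_js_fixed(js_paths):
    # 'After': escape each path, then mark the assembled markup safe.
    return mark_safe("\n".join(
        '<script type="text/javascript" src="%s"></script>' % conditional_escape(p)
        for p in js_paths))


def render_css_fixed(css):
    # css is {medium: [paths]}, the shape Media.render_css works with.
    return mark_safe("\n".join(
        '<link href="%s" type="text/css" media="%s" rel="stylesheet" />'
        % (conditional_escape(path), conditional_escape(medium))
        for medium, paths in sorted(css.items()) for path in paths))
```

Run through `autoescape`, the unfixed output is turned into visible `&lt;script ...` text, while the fixed output is emitted unchanged with the `&` in the path correctly encoded as `&amp;`.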