Opened 6 years ago

Closed 6 years ago

Last modified 6 years ago

#9111 closed (fixed)

form error gets escaped in _html_output even if it is a SafeString instance

Reported by: michelts
Owned by: kmtracey
Component: Forms
Version: 1.0
Severity:
Keywords: form error escape safestring mark_safe
Cc: michelts@…, adunar
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

Hi guys,

When I define a form and use it in a template like:

{{ form }}

the as_table function is called. That function calls _html_output to
render the widget, the errors and the help messages. They are in the django.forms.forms module.

The error is escaped with the django.utils.html.escape function, but I
think django.utils.html.conditional_escape should be used instead. This way,
if I pass a SafeString instance to a forms.ValidationError exception,
I can include HTML code in it.

This error isn't raised if I write a template like:

<div>{{ form.field.errors }}{{ form.field }}</div>

What about changing escape to conditional_escape in the whole module? I can send a patch if you agree...

Best regards!

Attachments (3)

safestring-r9066.diff (1.1 KB) - added by kratorius 6 years ago.
safestring-tests-r9066.diff (2.3 KB) - added by kratorius 6 years ago.
form_escape.diff (4.8 KB) - added by adunar 6 years ago. conditional_escape for both field labels and errors.


Change History (11)

comment:1 Changed 6 years ago by michelts

  • Cc michelts@… added
  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset

comment:2 Changed 6 years ago by mtredinnick

  • Triage Stage changed from Unreviewed to Accepted

This looks like a good change to make. Please also remember to include a test that fails beforehand and passes after the change. Probably the best place to put the test is in regressiontests/forms/forms.py.

Changed 6 years ago by kratorius

Changed 6 years ago by kratorius

comment:3 Changed 6 years ago by kratorius

  • Has patch set

comment:4 Changed 6 years ago by kratorius

  • Owner changed from nobody to kratorius

comment:5 Changed 6 years ago by adunar

  • Cc adunar added

As I noted on http://groups.google.com/group/django-developers/browse_thread/thread/86fd952b0efc641e , mark_safe should also work on labels of form fields. I've updated the patch to also call conditional_escape on form labels, and added a regression test for that.

Changed 6 years ago by adunar

conditional_escape for both field labels and errors

comment:6 Changed 6 years ago by kmtracey

  • Owner changed from kratorius to kmtracey
  • Status changed from new to assigned

In the future please don't add additional unrelated fixes to existing tickets. This ticket was about escaping of errors, not labels -- fixing the label case should have gone into a different ticket to make things simpler when reviewing.

The errors part of this ticket overlaps a bit with #6160, which points out a different part of the code where error messages are not escaped. I'm going to deal with both together so that errors are consistently conditionally escaped.
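The contrast the reporter describes, extended to the label case raised in comment 5, as an added example that is not part of this ticket or of Django's code. SafeString, mark_safe, escape, conditional_escape and format_html below are minimal re-implementations with the same contract as django.utils.safestring and django.utils.html, render_errors and render_label are simplified stand-ins for the ErrorList and _html_output code paths, and the error, label and "user input" strings are constructed for the demonstration. The last two functions show the caveat that comes with the fix: once conditional_escape trusts SafeString, anyone who wraps request data in mark_safe inside a ValidationError message reintroduces script injection, so untrusted pieces must be escaped before the message is marked safe.

```python
"""Model of escape vs conditional_escape in form error/label output.

Added example for this ticket; not Django's own code. SafeString,
mark_safe, escape, conditional_escape and format_html are minimal
re-implementations with the same contract as django.utils.safestring /
django.utils.html, and render_errors / render_label are simplified
stand-ins for the ErrorList and _html_output code paths. The error
and label strings are constructed for the demonstration.
"""
import html


class SafeString(str):
    """A str that declares itself already HTML-safe (Django's SafeString)."""

    def __html__(self):
        return str(self)


def mark_safe(s):
    """Mark s as safe for HTML output without escaping. The caller takes
    responsibility for the content, so never apply it to user-controlled text."""
    if hasattr(s, "__html__"):
        return s
    return SafeString(s)


def escape(text):
    """Unconditional escaping, as django.utils.html.escape: escapes every
    string, including ones already marked safe (the behaviour this ticket
    reports)."""
    return mark_safe(html.escape(str(text), quote=True))


def conditional_escape(text):
    """Escape only values that do not declare themselves safe via __html__."""
    if hasattr(text, "__html__"):
        return text.__html__()
    return escape(text)


def format_html(fmt, *args):
    """Build safe markup from untrusted pieces: each argument is
    conditionally escaped before interpolation, then the result is marked safe."""
    return mark_safe(fmt.format(*(conditional_escape(a) for a in args)))


def render_errors(errors, escaper):
    """Simplified ErrorList.as_ul with the escaping function made explicit."""
    if not errors:
        return ""
    items = "".join("<li>%s</li>" % escaper(e) for e in errors)
    return '<ul class="errorlist">%s</ul>' % items


def render_label(label, field_id, escaper):
    """Simplified label output from _html_output / BoundField.label_tag."""
    return '<label for="%s">%s</label>' % (field_id, escaper(label))


# Constructed inputs: developer-authored markup vs. hostile request data.
LINKED_ERROR = mark_safe('Already taken. <a href="/login/">Log in?</a>')
RICH_LABEL = mark_safe("Name <em>(required)</em>")
USER_INPUT = "<script>alert(1)</script>"


def error_before_fix():
    """escape() flattens the developer's markup to text: the ticket's complaint."""
    return render_errors([LINKED_ERROR], escape)


def error_after_fix():
    """conditional_escape() passes the SafeString through untouched."""
    return render_errors([LINKED_ERROR], conditional_escape)


def untrusted_error_after_fix():
    """A plain str (e.g. echoed request data) is still escaped after the fix."""
    return render_errors([USER_INPUT], conditional_escape)


def label_before_and_after():
    """Same before/after contrast for field labels (comment 5's case)."""
    return (render_label(RICH_LABEL, "id_name", escape),
            render_label(RICH_LABEL, "id_name", conditional_escape))


def unsafe_interpolation():
    """The footgun the fix enables: mark_safe around interpolated user data
    reintroduces script injection in the error list."""
    return render_errors([mark_safe("Bad value: %s" % USER_INPUT)], conditional_escape)


def safe_interpolation():
    """Correct pattern: escape the untrusted piece, then mark the result safe."""
    return render_errors([format_html("Bad value: {}", USER_INPUT)], conditional_escape)


if __name__ == "__main__":
    for fn in (error_before_fix, error_after_fix, untrusted_error_after_fix,
               label_before_and_after, unsafe_interpolation, safe_interpolation):
        print(fn.__name__, "->", fn())
```

Running the block prints each rendering; error_before_fix shows the link turned into literal text, error_after_fix shows it preserved, and unsafe_interpolation versus safe_interpolation shows why the trust decision now lives with whoever calls mark_safe.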

comment:7 Changed 6 years ago by kmtracey

  • Resolution set to fixed
  • Status changed from assigned to closed

(In [9365]) Fixed #6160, #9111 -- Consistently apply conditional_escape to form errors and labels when outputting them as HTML.

comment:8 Changed 6 years ago by kmtracey

(In [9366]) [1.0.X] Fixed #6160, #9111 -- Consistently apply conditional_escape to form errors and labels when outputting them as HTML.

[9365] from trunk.
