[Django] #21962: Add a flag to ErrorDict.as_json() to escape html


Django

Feb 6, 2014, 4:13:50 AM2/6/14
to django-...@googlegroups.com
#21962: Add a flag to ErrorDict.as_json() to escape html
------------------------------------------------+------------------------
Reporter: timo | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: Forms | Version: master
Severity: Release blocker | Keywords:
Triage Stage: Accepted | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
------------------------------------------------+------------------------
from Marc Tamlyn:

Some use cases for `ErrorDict.as_json()` are:

* AJAX requests to a form view where the client interprets the response
and puts errors into the page (so HTML escaping would be useful)
* Building an API which handles JSON. In this case HTML escaping is plain
wrong.

In the first case, it is trivial using jQuery to ensure the text is
escaped - simply use `$(el).text(errorText)` rather than `.html()` and
jQuery will escape the HTML for you. We should document that the
`as_json()` method does not escape the result and can even reference
the relevant jQuery method as an example for how to do this client-side.

from Shai Berger:

We should also probably add a flag for HTML escaping -- it is useful for a
very common use-case of the method, and we shouldn't assume jQuery or any
client-side library. While this is less than totally clean (and that, in
itself, is reason enough not to escape HTML by default), practicality
beats purity -- and adding such a flag will result in more secure
Django-based sites.

--
Ticket URL: <https://code.djangoproject.com/ticket/21962>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
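To make the trade-off in the ticket concrete, here is an added, self-contained Python model of an `as_json()` method with an `escape_html` flag. It is example code written for this thread, not Django's implementation; the `errors_as_json` and `demo` names, the `{field: [(message, code), ...]}` error layout and the sample messages are all constructed here.

```python
import json
from html import escape  # escapes & < > " ' the same way django.utils.html.escape does


def errors_as_json(errors, escape_html=False):
    """Serialize field errors to JSON, optionally HTML-escaping each message.

    Simplified stand-in for ErrorDict.as_json() (not Django's own code).
    `errors` maps a field name to a list of (message, code) tuples.

    escape_html=False is the right choice for a JSON API: the consumer owns
    rendering, and escaping there corrupts the data (Marc's second case).
    escape_html=True is for pages that insert messages as HTML (.html() and
    innerHTML-style insertion), where unescaped user input becomes live markup.
    """
    data = {}
    for field, entries in errors.items():
        data[field] = [
            {"message": escape(message) if escape_html else message, "code": code}
            for message, code in entries
        ]
    return json.dumps(data, sort_keys=True)


# Constructed sample input. Validation messages often echo the submitted
# value, which is how untrusted text ends up inside an error message.
SUBMITTED_VALUE = "<script>alert(1)</script>"
SAMPLE_ERRORS = {
    "email": [(f"Enter a valid email address: {SUBMITTED_VALUE}", "invalid")],
    "__all__": [("The two password fields did not match.", "password_mismatch")],
}


def demo():
    """Return the parsed JSON for both settings so the difference is visible."""
    raw = json.loads(errors_as_json(SAMPLE_ERRORS))
    escaped = json.loads(errors_as_json(SAMPLE_ERRORS, escape_html=True))
    return raw, escaped


if __name__ == "__main__":
    raw, escaped = demo()
    # Raw payload still carries the markup; the client must use a text-only
    # insertion such as $(el).text(msg). The escaped payload is safe for
    # HTML insertion, but a .text() client would then show the entities literally.
    print(raw["email"][0]["message"])
    print(escaped["email"][0]["message"])
```

The `code` values and any message without markup are identical under both settings, so the flag only changes messages that actually contain HTML-significant characters.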

Django

Feb 18, 2014, 2:12:14 PM2/18/14
to django-...@googlegroups.com
#21962: Add a flag to ErrorDict.as_json() to escape html
--------------------------------------+------------------------------------
Reporter: timo | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: Forms | Version: master
Severity: Release blocker | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------

Comment (by vedran):

Hi, submitted a pull request that adds the flag:
https://github.com/django/django/pull/2320

--
Ticket URL: <https://code.djangoproject.com/ticket/21962#comment:1>

Django

Feb 18, 2014, 2:12:25 PM2/18/14
to django-...@googlegroups.com
#21962: Add a flag to ErrorDict.as_json() to escape html
--------------------------------------+------------------------------------
Reporter: timo | Owner: vedran
Type: Cleanup/optimization | Status: assigned
Component: Forms | Version: master
Severity: Release blocker | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by vedran):

* status: new => assigned
* owner: nobody => vedran


--
Ticket URL: <https://code.djangoproject.com/ticket/21962#comment:2>

Django

Feb 18, 2014, 2:12:39 PM2/18/14
to django-...@googlegroups.com
#21962: Add a flag to ErrorDict.as_json() to escape html
--------------------------------------+------------------------------------
Reporter: timo | Owner: vedran
Type: Cleanup/optimization | Status: assigned
Component: Forms | Version: master
Severity: Release blocker | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by vedran):

* has_patch: 0 => 1


--
Ticket URL: <https://code.djangoproject.com/ticket/21962#comment:3>

Django

Feb 28, 2014, 7:15:51 AM2/28/14
to django-...@googlegroups.com
#21962: Add a flag to ErrorDict.as_json() to escape html
--------------------------------------+------------------------------------
Reporter: timo | Owner: vedran
Type: Cleanup/optimization | Status: closed
Component: Forms | Version: master
Severity: Release blocker | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by Tim Graham <timograham@…>):

* status: assigned => closed
* resolution: => fixed


Comment:

In [changeset:"c23b3717be71e4b2e5a32f156ef0a7b4703d012d"]:
{{{
#!CommitTicketReference repository=""
revision="c23b3717be71e4b2e5a32f156ef0a7b4703d012d"
Fixed #21962 -- Added escape_html flag to ErrorDict.as_json()
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/21962#comment:4>
