Some use cases for `ErrorDict.as_json()` are:
* AJAX requests to a form view where the client interprets the response
and puts errors into the page (so HTML escaping would be useful)
* Building an API which handles JSON. In this case HTML escaping is plain
wrong.
In the first case, it is trivial using jQuery to ensure the text is
escaped - simply use `$(el).text(errorText)` rather than `.html()` and
jQuery will escape the HTML for you. We should document that the
`as_json()` method does not escape the result and can even reference
the relevant jQuery method as an example for how to do this client-side.
from Shai Berger:
We should also probably add a flag for HTML escaping -- it is useful for a
very common use-case of the method, and we shouldn't assume jQuery or any
client-side library. While this is less than totally clean (and that, in
itself, is reason enough not to escape HTML by default), practicality
beats purity -- and adding such a flag will result in more secure Django-based sites.
--
Ticket URL: <https://code.djangoproject.com/ticket/21962>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
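The escaping trade-off described in the ticket, as an added stand-alone example that is not Django's code and not part of the ticket: a small model of an `ErrorDict` (field name to a list of message/code pairs, as `ErrorList.as_data()` would yield them) serialized to JSON with and without an `escape_html` flag. The sample errors, the helper names `errors_as_json`, `decode_messages` and `contains_raw_markup`, and the attacker-controlled value reflected in the email error are all constructed for the example. It shows the point both sides of the thread make: `json.dumps` leaves `<`, `>` and `&` untouched, so the unescaped payload is only safe if the client inserts it as text, while the escaped payload is safe for an `innerHTML`/`.html()` sink but shows literal `&lt;` to a client that uses `.text()` and is simply wrong for a JSON API consumer.

```python
import html
import json

# Constructed stand-in for a Django ErrorDict: field name -> list of
# (message, code) pairs. This is NOT Django's implementation; it only
# models the escape_html flag discussed in the ticket. The first message
# reflects an attacker-controlled submitted value, which is the usual way
# markup ends up in a validation error.
SAMPLE_ERRORS = {
    "email": [("'<script>alert(1)</script>' is not a valid email address.",
               "invalid")],
    "__all__": [("Passwords don't match & must be 8+ chars.", "")],
}


def errors_as_json(errors, escape_html=False):
    """Serialize field errors to a JSON string.

    escape_html=False: messages are emitted verbatim. JSON encoding escapes
    quotes and control characters but not '<', '>' or '&', so a client that
    writes the message into the DOM with innerHTML / jQuery .html() will
    execute any markup the message carries.

    escape_html=True: each message is HTML-escaped first (html.escape also
    converts quotes, so the JSON quoting and the HTML escaping do not
    collide). Right for an HTML-inserting client, wrong for a JSON API.
    """
    payload = {}
    for field, field_errors in errors.items():
        payload[field] = [
            {
                "message": html.escape(message) if escape_html else message,
                "code": code,
            }
            for message, code in field_errors
        ]
    return json.dumps(payload)


def decode_messages(json_text, field):
    """What a JSON client sees for one field: the list of message strings."""
    return [entry["message"] for entry in json.loads(json_text)[field]]


def contains_raw_markup(json_text):
    """True if the serialized payload still carries unescaped tag delimiters.

    Useful as a quick check on a response that is destined for an
    innerHTML sink: if this returns True, the client must escape or use a
    text sink.
    """
    return "<" in json_text or ">" in json_text


if __name__ == "__main__":
    for flag in (False, True):
        body = errors_as_json(SAMPLE_ERRORS, escape_html=flag)
        print(f"escape_html={flag}: raw markup present={contains_raw_markup(body)}")
        print("  email message as decoded by client:",
              decode_messages(body, "email")[0])
```

The check in `contains_raw_markup` is deliberately crude (it would also flag a legitimate `<` in a message); it exists to show that JSON encoding alone gives no HTML safety, not to replace output encoding at the sink.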
Comment (by vedran):
Hi, submitted a pull request that adds the flag:
https://github.com/django/django/pull/2320
--
Ticket URL: <https://code.djangoproject.com/ticket/21962#comment:1>
* status: new => assigned
* owner: nobody => vedran
--
Ticket URL: <https://code.djangoproject.com/ticket/21962#comment:2>
* has_patch: 0 => 1
--
Ticket URL: <https://code.djangoproject.com/ticket/21962#comment:3>
* status: assigned => closed
* resolution: => fixed
Comment:
In changeset c23b3717be71e4b2e5a32f156ef0a7b4703d012d:
Fixed #21962 -- Added escape_html flag to ErrorDict.as_json()
--
Ticket URL: <https://code.djangoproject.com/ticket/21962#comment:4>