[Django] #21962: Add a flag to ErrorDict.as_json() to escape html
Django
------------------------------------------------+------------------------
Reporter: timo | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: Forms | Version: master
Severity: Release blocker | Keywords:
Triage Stage: Accepted | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
------------------------------------------------+------------------------
from Marc Tamlyn:
Some use cases for `ErrorDict.as_json()` are:
* AJAX requests to a form view where the client interprets the response
and puts errors into the page (so HTML escaping would be useful)
* Building an API which handles JSON. In this case HTML escaping is plain
wrong.
In the first case, it is trivial using jQuery to ensure the text is
escaped - simply use `$(el).text(errorText)` rather than `.html()` and
jQuery will escape the HTML for you. We should document that the
`as_json()` method does not not escape the result and can even reference
the relevant jQuery method as an example for how to do this client-side.
from Shai Berger:
We should also probably add a flag for HTML escaping -- it is useful for a
very common use-case of the method, and we shouldn't assume jQuery or any
client-side library. While this is less than totally clean (and that, in
itself, is reason enough not to escape HTML by default), practicality
beats purity -- and adding such a flag will result in more secure Django-
based sites.
--
Ticket URL: <https://code.djangoproject.com/ticket/21962>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
Django
Reporter: timo | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: Forms | Version: master
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Comment (by vedran):
Hi, submitted a pull request that adds the flag:
https://github.com/django/django/pull/2320
--
Ticket URL: <https://code.djangoproject.com/ticket/21962#comment:1>
Django
Reporter: timo | Owner: vedran
Type: Cleanup/optimization | Status: assigned
Component: Forms | Version: master
Severity: Release blocker | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Changes (by vedran):
* status: new => assigned
* owner: nobody => vedran
--
Ticket URL: <https://code.djangoproject.com/ticket/21962#comment:2>
Django
Reporter: timo | Owner: vedran
Type: Cleanup/optimization | Status: assigned
Severity: Release blocker | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Changes (by vedran):
* has_patch: 0 => 1
--
Ticket URL: <https://code.djangoproject.com/ticket/21962#comment:3>
Django
Reporter: timo | Owner: vedran
Component: Forms | Version: master
Severity: Release blocker | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Changes (by Tim Graham <timograham@…>):
* status: assigned => closed
* resolution: => fixed
Comment:
In [changeset:"c23b3717be71e4b2e5a32f156ef0a7b4703d012d"]:
{{{
#!CommitTicketReference repository=""
revision="c23b3717be71e4b2e5a32f156ef0a7b4703d012d"
Fixed #21962 -- Added escape_html flag to ErrorDict.as_json()
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/21962#comment:4>