[Django] #28902: Formatting bug in django.contrib.auth.password_validation._password_validators_help_text_html


Django

Dec 6, 2017, 12:41:19 PM
to django-...@googlegroups.com
#28902: Formatting bug in django.contrib.auth.password_validation._password_validators_help_text_html
----------------------------------------+------------------------
Reporter: Ole Laursen | Owner: nobody
Type: Bug | Status: new
Component: contrib.auth | Version: 2.0
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 1
UI/UX: 0 |
----------------------------------------+------------------------
Last lines say

{{{
help_items = [format_html('<li>{}</li>', help_text) for help_text in help_texts]
return '<ul>%s</ul>' % ''.join(help_items) if help_items else ''
}}}

So in the last line it's throwing away the safe text information put in by
format_html in the previous line.

The result is that if you output the help_text of
django.contrib.auth.forms.PasswordChangeForm in a template, the HTML
bullets are escaped (user sees HTML code instead of bullets). For some
reason, I don't see this problem within the admin site, which is actually
a bit worrying.

This seems to work instead:

{{{
formatted_help_items = format_html_join("", '<li>{}</li>',
                                        ((help_text,) for help_text in help_texts))
return format_html("<ul>{}</ul>", formatted_help_items) if formatted_help_items else ""
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/28902>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
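Why the first snippet gets escaped and the second does not, as an added stand-alone example (not Django's code and not from the ticket): a minimal stand-in for Django's SafeString / conditional_escape / format_html / format_html_join machinery, with the ticket's buggy function beside the fixed one. It assumes the stand-in mirrors Django's real behaviour (a plain str `%` or `join` returns an unmarked str; conditional_escape passes safe strings through and escapes everything else) and uses constructed help texts.

```python
import html

class SafeString(str):
    """Marker subclass: a template engine will not escape it again (stand-in for Django's SafeString)."""

def mark_safe(s):
    return SafeString(s)

def conditional_escape(value):
    # Already-safe strings pass through untouched; everything else is HTML-escaped.
    if isinstance(value, SafeString):
        return value
    return mark_safe(html.escape(str(value), quote=True))

def format_html(template, *args):
    # Escape every argument, then mark the assembled markup as safe.
    return mark_safe(template.format(*(conditional_escape(a) for a in args)))

def format_html_join(sep, template, args_generator):
    return mark_safe(conditional_escape(sep).join(format_html(template, *a) for a in args_generator))

def autoescape_render(value):
    # What "{{ value }}" does under autoescaping: safe values pass, a plain str gets escaped.
    return str(conditional_escape(value))

def help_text_html_buggy(help_texts):
    # Same shape as the code quoted in the ticket: format_html marks each <li> safe...
    help_items = [format_html('<li>{}</li>', t) for t in help_texts]
    # ...but str.__mod__ and str.join return a plain str, so the safe marker is lost.
    return '<ul>%s</ul>' % ''.join(help_items) if help_items else ''

def help_text_html_fixed(help_texts):
    # Keep the whole pipeline inside format_html/format_html_join so the result stays safe,
    # while markup in the help texts is still escaped exactly once.
    items = format_html_join('', '<li>{}</li>', ((t,) for t in help_texts))
    return format_html('<ul>{}</ul>', items) if items else ''

# Constructed sample input; the second text contains markup that must stay escaped.
HELP_TEXTS = ['Your password must contain at least 8 characters.', 'No <b>common</b> passwords.']

if __name__ == '__main__':
    for fn in (help_text_html_buggy, help_text_html_fixed):
        out = fn(HELP_TEXTS)
        print(fn.__name__, type(out).__name__, autoescape_render(out))
```

The property to check when reviewing any such change is that the fix restores the safe marker without relaxing escaping: the `<b>` in the second help text is still escaped once in both versions.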

Django

Dec 6, 2017, 2:06:25 PM
to django-...@googlegroups.com
#28902: password_validators_help_text_html isn't marked as safe correctly
------------------------------+------------------------------------
Reporter: Ole Laursen | Owner: nobody
Type: Bug | Status: new
Component: contrib.auth | Version: 2.0
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
------------------------------+------------------------------------
Changes (by Tim Graham):

* stage: Unreviewed => Accepted


Comment:

The bug doesn't manifest itself in the admin because those help_texts are
marked as safe in the template (#25053).

--
Ticket URL: <https://code.djangoproject.com/ticket/28902#comment:1>

Django

Dec 7, 2017, 1:48:24 PM
to django-...@googlegroups.com
#28902: password_validators_help_text_html isn't marked as safe correctly
------------------------------+------------------------------------------
Reporter: Ole Laursen | Owner: fireballpoint1
Type: Bug | Status: assigned
Component: contrib.auth | Version: 2.0
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
------------------------------+------------------------------------------
Changes (by fireballpoint1):

* owner: nobody => fireballpoint1
* status: new => assigned


--
Ticket URL: <https://code.djangoproject.com/ticket/28902#comment:2>

Django

Jan 2, 2018, 4:56:31 PM
to django-...@googlegroups.com
#28902: password_validators_help_text_html isn't marked as safe correctly
------------------------------+------------------------------------------
Reporter: Ole Laursen | Owner: Alvin Lindstam
Type: Bug | Status: assigned
Component: contrib.auth | Version: 2.0
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
------------------------------+------------------------------------------
Changes (by Alvin Lindstam):

* owner: Mayank Modi => Alvin Lindstam
* has_patch: 0 => 1


Comment:

[https://github.com/django/django/pull/9526 PR]

Hope it's OK that I reassigned it; there's not been any activity for a month.

--
Ticket URL: <https://code.djangoproject.com/ticket/28902#comment:3>

Django

Jan 2, 2018, 7:51:28 PM
to django-...@googlegroups.com
#28902: password_validators_help_text_html isn't marked as safe correctly
------------------------------+------------------------------------------
Reporter: Ole Laursen | Owner: Alvin Lindstam
Type: Bug | Status: closed
Component: contrib.auth | Version: 2.0
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
------------------------------+------------------------------------------
Changes (by Tim Graham <timograham@…>):

* status: assigned => closed
* resolution: => fixed


Comment:

In [changeset:"2cb6b7732dc7b172797cebb1e8f19be2de89e264" 2cb6b773]:
{{{
#!CommitTicketReference repository=""
revision="2cb6b7732dc7b172797cebb1e8f19be2de89e264"
Fixed #28902 -- Fixed password_validators_help_text_html() double escaping.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/28902#comment:4>
