HTML escaping of help_text in Django 4.0


Matt Westcott

Jan 6, 2022, 7:17:32 PM
to Django developers (Contributions to Django itself)
Hi,
I've noticed that Django 4.0 now applies HTML escaping to help_text in autogenerated forms, as a side-effect of switching to template-based rendering (https://github.com/django/django/commit/456466d932830b096d39806e291fe23ec5ed38d5, https://code.djangoproject.com/ticket/31026) - given a form definition

    from django import forms

    class MyForm(forms.Form):
        name = forms.CharField(help_text="some <em>lovely</em> HTML")

rendering onto a template with {{ form.as_p }} results in the <em> tag being escaped, which wasn't the case in earlier versions. While to my eyes this is a positive change (it's now consistent with virtually every other case where a plain Python string is passed to HTML output, and if you do want to preserve HTML markup then wrapping it in mark_safe works as expected), it strikes me as the sort of breaking change you wouldn't have made lightly. It's not highlighted in the 4.0 release notes, and the documentation for help_text still states that it isn't escaped:


The old behaviour was decreed by the core team a long time back (https://code.djangoproject.com/ticket/6041#comment:6), and I can't find any indication of that decision being reversed. Was this change intentional?

Cheers,
- Matt

Mariusz Felisiak

Jan 7, 2022, 2:16:01 AM
to Django developers (Contributions to Django itself)
Thanks for the report! This is a regression that should be fixed. I create a ticket based on your report.

Best,
Mariusz