#3510: Validation errors should be escaped for html
---------------------------------+------------------------------------------
Reporter:  [EMAIL PROTECTED]  |       Owner:  adrian                
  Status:  new                   |   Component:  django.newforms       
 Version:  SVN                   |    Keywords:  form validation escape
   Stage:  Unreviewed            |   Has_patch:  1                     
---------------------------------+------------------------------------------
 I think validation error messages should be escaped when the form outputs
 html.
 
 For example, in a custom clean method you might raise a ValidationError
 which includes the value the user input:
 
 {{{
 #!python
 def clean_username(self):
     raise ValidationError(u"Sorry, username '%s' is not allowed" %
                           self.clean_data['username'])
 }}}
 
 Whatever the user enters would currently be output unescaped in the
 validation error message.  You could argue the input values should be
 escaped when building the custom ValidationError, but I think it's just a
 string at that point and escaping should be done when the html is
 generated - in this case in Form._html_output.
 
 Patch is attached, though I'm not sure if I did the right thing with
 ErrorList - I'm new to Python.

-- 
Ticket URL: <http://code.djangoproject.com/ticket/3510>
Django Code <http://code.djangoproject.com/>
The web framework for perfectionists with deadlines
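The problem the ticket describes, as an added, self-contained illustration that is not the ticket's patch and not Django's own code: a hypothetical `clean_username` hook puts the raw input into its error text, and the error list is then rendered two ways. `as_ul_unescaped` mimics the behaviour being reported (message dropped into the markup verbatim); `as_ul_escaped` applies the fix the ticket argues for, escaping at HTML-output time rather than when the ValidationError is built. The `ValidationError` and error-list stand-ins, the reserved-name rule and the sample input are all assumptions made for the example; newforms' real `Form._html_output` and `ErrorList` are not reproduced.

```python
# Added example, not Django's code. Minimal stand-ins for newforms'
# ValidationError and ErrorList rendering; the real Form._html_output and
# clean_<field> plumbing are assumptions here, not reproduced from Django.
from html import escape


class ValidationError(Exception):
    """Stand-in for newforms' ValidationError: carries a plain-text message."""

    def __init__(self, message):
        super().__init__(message)
        self.message = message


def clean_username(username):
    """Hypothetical clean_username hook (assumed rule: reject reserved names and
    anything non-alphanumeric). As in the ticket, the raw user input ends up
    inside the error text."""
    if username.lower() in {"admin", "root"} or not username.isalnum():
        raise ValidationError("Sorry, username '%s' is not allowed" % username)
    return username


def errors_for(username):
    """Run the clean hook and collect its messages as plain strings, the way a
    form would collect them into an ErrorList before rendering."""
    try:
        clean_username(username)
    except ValidationError as e:
        return [e.message]
    return []


def as_ul_unescaped(errors):
    """The behaviour the ticket reports: messages are concatenated into the
    markup verbatim, so markup in the user's input is rendered by the browser."""
    if not errors:
        return ""
    return '<ul class="errorlist">%s</ul>' % "".join(
        "<li>%s</li>" % msg for msg in errors)


def as_ul_escaped(errors):
    """The fix the ticket proposes: the message stays a plain string until the
    HTML is generated, and is escaped at that point (quotes included)."""
    if not errors:
        return ""
    return '<ul class="errorlist">%s</ul>' % "".join(
        "<li>%s</li>" % escape(msg, quote=True) for msg in errors)


if __name__ == "__main__":
    # Constructed attacker input: a "username" carrying a script tag.
    payload = "<script>alert(1)</script>"
    errs = errors_for(payload)
    print(as_ul_unescaped(errs))  # the script tag reaches the page intact
    print(as_ul_escaped(errs))    # rendered as &lt;script&gt;... instead
```

Note that escaping at render time also turns the quotes the error message itself contains into entities; that is harmless in element content and is exactly why the ticket argues the message should stay a plain string until `_html_output` emits it.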