Author: adrian
Date: 2007-02-19 17:54:55 -0600 (Mon, 19 Feb 2007)
New Revision: 4544
Modified:
django/trunk/django/newforms/forms.py
django/trunk/tests/regressiontests/forms/tests.py
Log:
Fixed #3510 -- newforms validation errors are now HTML-escaped for HTML output.
Thanks, [EMAIL PROTECTED]
Modified: django/trunk/django/newforms/forms.py
===================================================================
--- django/trunk/django/newforms/forms.py 2007-02-19 23:43:14 UTC (rev
4543)
+++ django/trunk/django/newforms/forms.py 2007-02-19 23:54:55 UTC (rev
4544)
@@ -113,7 +113,7 @@
output, hidden_fields = [], []
for name, field in self.fields.items():
bf = BoundField(self, field, name)
- bf_errors = bf.errors # Cache in local variable.
+ bf_errors = ErrorList([escape(error) for error in bf.errors]) #
Escape and cache in local variable.
if bf.is_hidden:
if bf_errors:
top_errors.extend(['(Hidden field %s) %s' % (name, e) for
e in bf_errors])
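Review bot: The escaping is applied only to the local copy built on the added line, so `bf.errors` itself stays unescaped and any other rendering of an ErrorList — `top_errors`, which is initialised outside the hunk, presumably from the form's non-field errors, or a template reading `field.errors` directly — would still emit raw text; confirm those paths are escaped as well. A more central place for the fix is `ErrorList.as_ul()`, so that every HTML output path agrees and this site does not need its own escaped copy. The added comment also pushes the line past the project's usual width; `bf_errors = ErrorList([escape(e) for e in bf.errors])  # escaped copy, cached locally` keeps it on one line. The enclosing method starts before and continues after the hunk.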
Modified: django/trunk/tests/regressiontests/forms/tests.py
===================================================================
--- django/trunk/tests/regressiontests/forms/tests.py 2007-02-19 23:43:14 UTC
(rev 4543)
+++ django/trunk/tests/regressiontests/forms/tests.py 2007-02-19 23:54:55 UTC
(rev 4544)
@@ -2217,6 +2217,19 @@
>>> f.clean_data
{'composers': [u'J', u'P'], 'name': u'Yesterday'}
+Validation errors are HTML-escaped when output as HTML.
+>>> class EscapingForm(Form):
+... special_name = CharField()
+... def clean_special_name(self):
+... raise ValidationError("Something's wrong with '%s'" %
self.clean_data['special_name'])
+
+>>> f = EscapingForm({'special_name': "Nothing to escape"}, auto_id=False)
+>>> print f
+<tr><th>Special name:</th><td><ul class="errorlist"><li>Something's wrong
with 'Nothing to escape'</li></ul><input type="text"
name="special_name" value="Nothing to escape" /></td></tr>
+>>> f = EscapingForm({'special_name': "Should escape < & > and
<script>alert('xss')</script>"}, auto_id=False)
+>>> print f
+<tr><th>Special name:</th><td><ul class="errorlist"><li>Something's wrong
with 'Should escape < & > and
<script>alert('xss')</script>'</li></ul><input
type="text" name="special_name" value="Should escape < & > and
<script>alert('xss')</script>" /></td></tr>
+
# Validating multiple fields in relation to another ###########################
There are a couple of ways to do multiple-field validation. If you want the
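Review bot: The expected output of the second `print f` doctest shows the error message and the `value="..."` attribute with `< & >` and the `<script>` element unescaped, which is the rendering the commit is meant to prevent; if this is not entity decoding by the mailing-list renderer, the test is asserting the wrong output. Confirm that the committed file expects `&lt; &amp; &gt;` and `&lt;script&gt;...&lt;/script&gt;` both inside the `<li>` and in the input's value attribute. The test also exercises only the `<tr>` (table) output; a second assertion through `as_ul()` or `as_p()`, and one for a form-level error raised from `clean()`, would pin the other rendering paths, unless those are already covered elsewhere in the file.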