#21962: Add a flag to ErrorDict.as_json() to escape html
------------------------------------------------+------------------------
               Reporter:  timo                  |          Owner:  nobody
                   Type:  Cleanup/optimization  |         Status:  new
              Component:  Forms                 |        Version:  master
               Severity:  Release blocker       |       Keywords:
           Triage Stage:  Accepted              |      Has patch:  0
    Needs documentation:  0                     |    Needs tests:  0
Patch needs improvement:  0                     |  Easy pickings:  0
                  UI/UX:  0                     |
------------------------------------------------+------------------------
 from Marc Tamlyn:

 Some use cases for `ErrorDict.as_json()` are:

 * AJAX requests to a form view where the client interprets the response
 and puts errors into the page (so HTML escaping would be useful)
 * Building an API which handles JSON. In this case HTML escaping is plain
 wrong.

 In the first case, it is trivial using jQuery to ensure the text is
 escaped - simply use `$(el).text(errorText)` rather than `.html()` and
 jQuery will escape the HTML for you. We should document that the
 `as_json()` method does not escape the result and can even reference
 the relevant jQuery method as an example for how to do this client-side.

 from Shai Berger:

 We should also probably add a flag for HTML escaping -- it is useful for a
 very common use-case of the method, and we shouldn't assume jQuery or any
 client-side library. While this is less than totally clean (and that, in
 itself, is reason enough not to escape HTML by default), practicality
 beats purity -- and adding such a flag will result in more secure Django-
 based sites.

-- 
Ticket URL: <https://code.djangoproject.com/ticket/21962>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
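Added example, not code from the ticket or from Django itself, showing the two use cases discussed above in Python: a Django-shaped error payload rendered unsafely by inserting the message as markup (the `.html()` case), rendered safely by escaping on insert (the `.text()` case), and the effect an `escape_html` flag of the kind Shai Berger proposes would have on a non-HTML JSON consumer. The `ERRORS` data, the `as_json`/`escape_html_output` stand-ins and the three `render_*`/`as_plain_text` helpers are illustrative assumptions; the standard library's `html.escape` stands in for `django.utils.html.escape`.

```python
import html
import json

# Constructed stand-in for a form's ErrorDict as as_json() serialises it:
# field name -> list of {"message", "code"} dicts. Not Django's own data.
ERRORS = {
    "username": [
        {"message": "Username <script>alert(1)</script> is taken.",
         "code": "unique"}
    ],
    "email": [
        {"message": "Enter a valid email address.", "code": "invalid"}
    ],
}


def escape_html(value):
    """Stand-in for django.utils.html.escape (assumed equivalent here):
    turns & < > " ' into HTML entities."""
    return html.escape(value, quote=True)


def as_json(errors, escape_html_output=False):
    """Illustrative as_json() with the flag the ticket proposes.

    escape_html_output=False leaves messages untouched (what as_json() does
    today); True entity-escapes each message before serialising."""
    return json.dumps({
        field: [
            {"message": escape_html(e["message"]) if escape_html_output
                        else e["message"],
             "code": e["code"]}
            for e in field_errors
        ]
        for field, field_errors in errors.items()
    })


def render_with_html_insertion(payload):
    """Models the unsafe client: $(el).html('<li>' + message + '</li>').
    Whatever the message contains becomes live markup."""
    data = json.loads(payload)
    return "".join("<li>%s</li>" % e["message"]
                   for msgs in data.values() for e in msgs)


def render_with_text_insertion(payload):
    """Models the safe client: $(el).text(message), which escapes on insert.
    Escaping happens at the HTML boundary, so the JSON can stay raw."""
    data = json.loads(payload)
    return "".join("<li>%s</li>" % escape_html(e["message"])
                   for msgs in data.values() for e in msgs)


def as_plain_text(payload):
    """Models the JSON API use case: a non-HTML consumer (CLI, native app)
    shows messages verbatim, so a pre-escaped payload leaks entities."""
    data = json.loads(payload)
    return [e["message"] for msgs in data.values() for e in msgs]


if __name__ == "__main__":
    raw = as_json(ERRORS)
    escaped = as_json(ERRORS, escape_html_output=True)
    print("unsafe client, raw JSON:   ", render_with_html_insertion(raw))
    print("safe client, raw JSON:     ", render_with_text_insertion(raw))
    print("API consumer, escaped JSON:", as_plain_text(escaped))
    # Escaping on both sides double-escapes: &amp;lt;script&amp;gt; ...
    print("safe client, escaped JSON: ", render_with_text_insertion(escaped))
```

The last line shows why escaping is "plain wrong" for an API and why it must not be the default: a client that already inserts with `.text()` (or any non-HTML consumer) ends up displaying `&lt;script&gt;` literally. Escape exactly once, at the boundary where the string becomes HTML.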