#34595: format_html() should explicitely mention format_string is not escaped
and
that result is safe
--------------------------------------+------------------------------------
Reporter: Natalia Bidart | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: Template system | Version: 4.2
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
--------------------------------------+------------------------------------
Description changed by Natalia Bidart:
Old description:
> The docs for `format_html` mention that `args` and `kwargs` are escaped
> but it does not say anything about `format_string` (which is, in fact,
> not escaped). Readers could benefit from this clarification to avoid
> putting unsafe content in `format_string`.
New description:
The docs for `format_html` mention that `args` and `kwargs` are escaped
but it does not say anything about `format_string` (which is, in fact, not
escaped). Readers could benefit from this clarification to avoid putting
unsafe content in `format_string`.
Similarly, the docs could be extended to explicitly mention that the
result is marked as safe. Mariusz suggested this text (thanks!):
{{{
The output has :func:`~django.utils.safestring.mark_safe` applied.
}}}
--
--
Ticket URL: <https://code.djangoproject.com/ticket/34595#comment:2>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-updates/010701884f7dc7ed-c086b94e-32bb-40c5-90fc-76adff1d061d-000000%40eu-central-1.amazonses.com.
