diff options
| author | Adrian Holovaty <adrian@holovaty.com> | 2007-02-19 23:54:55 +0000 |
|---|---|---|
| committer | Adrian Holovaty <adrian@holovaty.com> | 2007-02-19 23:54:55 +0000 |
| commit | b8fa80bd0020eee186e5288e3fd2552695093025 (patch) | |
| tree | a88853f0029849db1655bd4c1b28928db88bb588 | |
| parent | 7cb7541971b2e080d1288e24e5705d296b11a021 (diff) | |
Fixed #3510 -- newforms validation errors are now HTML-escaped for HTML output. Thanks, scott@staplefish.com
git-svn-id: http://code.djangoproject.com/svn/django/trunk@4544 bcc190cf-cafb-0310-a4f2-bffc1f526a37
| -rw-r--r-- | django/newforms/forms.py | 2 | ||||
| -rw-r--r-- | tests/regressiontests/forms/tests.py | 13 |
2 files changed, 14 insertions, 1 deletions
diff --git a/django/newforms/forms.py b/django/newforms/forms.py index e9cf4ca11c..2b3aa97428 100644 --- a/django/newforms/forms.py +++ b/django/newforms/forms.py @@ -113,7 +113,7 @@ class BaseForm(StrAndUnicode): output, hidden_fields = [], [] for name, field in self.fields.items(): bf = BoundField(self, field, name) - bf_errors = bf.errors # Cache in local variable. + bf_errors = ErrorList([escape(error) for error in bf.errors]) # Escape and cache in local variable. if bf.is_hidden: if bf_errors: top_errors.extend(['(Hidden field %s) %s' % (name, e) for e in bf_errors]) diff --git a/tests/regressiontests/forms/tests.py b/tests/regressiontests/forms/tests.py index 2e34111b3e..34f1907c5e 100644 --- a/tests/regressiontests/forms/tests.py +++ b/tests/regressiontests/forms/tests.py @@ -2217,6 +2217,19 @@ returns a list of input. >>> f.clean_data {'composers': [u'J', u'P'], 'name': u'Yesterday'} +Validation errors are HTML-escaped when output as HTML. +>>> class EscapingForm(Form): +... special_name = CharField() +... def clean_special_name(self): +... raise ValidationError("Something's wrong with '%s'" % self.clean_data['special_name']) + +>>> f = EscapingForm({'special_name': "Nothing to escape"}, auto_id=False) +>>> print f +<tr><th>Special name:</th><td><ul class="errorlist"><li>Something's wrong with 'Nothing to escape'</li></ul><input type="text" name="special_name" value="Nothing to escape" /></td></tr> +>>> f = EscapingForm({'special_name': "Should escape < & > and <script>alert('xss')</script>"}, auto_id=False) +>>> print f +<tr><th>Special name:</th><td><ul class="errorlist"><li>Something's wrong with 'Should escape < & > and <script>alert('xss')</script>'</li></ul><input type="text" name="special_name" value="Should escape < & > and <script>alert('xss')</script>" /></td></tr> + # Validating multiple fields in relation to another ########################### There are a couple of ways to do multiple-field validation. If you want the |
