diff options
| author | vvojvoda <vedran.vojvoda@gmail.com> | 2014-02-18 20:00:09 +0100 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2014-02-28 07:05:55 -0500 |
| commit | c23b3717be71e4b2e5a32f156ef0a7b4703d012d (patch) | |
| tree | 40eeb5ea2ecc2cb1132ecbff32a17c036d09a353 /docs/ref | |
| parent | 7b4743580a2ac8e0194fb3781732cfb0bf96c3b7 (diff) | |
Fixed #21962 -- Added escape_html flag to ErrorDict.as_json()
Diffstat (limited to 'docs/ref')
| -rw-r--r-- | docs/ref/forms/api.txt | 13 |
1 files changed, 12 insertions, 1 deletions
diff --git a/docs/ref/forms/api.txt b/docs/ref/forms/api.txt index 5a9f6a1cdc..33fcf85511 100644 --- a/docs/ref/forms/api.txt +++ b/docs/ref/forms/api.txt @@ -142,7 +142,7 @@ and methods with an ``as_`` prefix could render them, but it had to be done the other way around in order not to break code that expects rendered error messages in ``Form.errors``. -.. method:: Form.errors.as_json() +.. method:: Form.errors.as_json(escape_html=False) .. versionadded:: 1.7 @@ -152,6 +152,17 @@ Returns the errors serialized as JSON. {"sender": [{"message": "Enter a valid email address.", "code": "invalid"}], "subject": [{"message": "This field is required.", "code": "required"}]} +By default, ``as_json()`` does not escape its output. If you are using it for +something like AJAX requests to a form view where the client interprets the +response and inserts errors into the page, you'll want to be sure to escape the +results on the client-side to avoid the possibility of a cross-site scripting +attack. It's trivial to do so using a JavaScript library like jQuery - simply +use ``$(el).text(errorText)`` rather than ``.html()``. + +If for some reason you don't want to use client-side escaping, you can also +set ``escape_html=True`` and error messages will be escaped so you can use them +directly in HTML. + .. method:: Form.add_error(field, error) .. versionadded:: 1.7 |
