summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorvvojvoda <vedran.vojvoda@gmail.com>2014-02-18 20:00:09 +0100
committerTim Graham <timograham@gmail.com>2014-02-28 07:05:55 -0500
commitc23b3717be71e4b2e5a32f156ef0a7b4703d012d (patch)
tree40eeb5ea2ecc2cb1132ecbff32a17c036d09a353 /docs
parent7b4743580a2ac8e0194fb3781732cfb0bf96c3b7 (diff)
Fixed #21962 -- Added escape_html flag to ErrorDict.as_json()
Diffstat (limited to 'docs')
-rw-r--r--docs/ref/forms/api.txt13
1 files changed, 12 insertions, 1 deletions
diff --git a/docs/ref/forms/api.txt b/docs/ref/forms/api.txt
index 5a9f6a1cdc..33fcf85511 100644
--- a/docs/ref/forms/api.txt
+++ b/docs/ref/forms/api.txt
@@ -142,7 +142,7 @@ and methods with an ``as_`` prefix could render them, but it had to be done
the other way around in order not to break code that expects rendered error
messages in ``Form.errors``.
-.. method:: Form.errors.as_json()
+.. method:: Form.errors.as_json(escape_html=False)
.. versionadded:: 1.7
@@ -152,6 +152,17 @@ Returns the errors serialized as JSON.
{"sender": [{"message": "Enter a valid email address.", "code": "invalid"}],
"subject": [{"message": "This field is required.", "code": "required"}]}
+By default, ``as_json()`` does not escape its output. If you are using it for
+something like AJAX requests to a form view where the client interprets the
+response and inserts errors into the page, you'll want to be sure to escape the
+results on the client-side to avoid the possibility of a cross-site scripting
+attack. It's trivial to do so using a JavaScript library like jQuery - simply
+use ``$(el).text(errorText)`` rather than ``.html()``.
+
+If for some reason you don't want to use client-side escaping, you can also
+set ``escape_html=True`` and error messages will be escaped so you can use them
+directly in HTML.
+
.. method:: Form.add_error(field, error)
.. versionadded:: 1.7