From c23b3717be71e4b2e5a32f156ef0a7b4703d012d Mon Sep 17 00:00:00 2001 From: vvojvoda Date: Tue, 18 Feb 2014 20:00:09 +0100 Subject: Fixed #21962 -- Added escape_html flag to ErrorDict.as_json() --- docs/ref/forms/api.txt | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) (limited to 'docs/ref/forms') diff --git a/docs/ref/forms/api.txt b/docs/ref/forms/api.txt index 5a9f6a1cdc..33fcf85511 100644 --- a/docs/ref/forms/api.txt +++ b/docs/ref/forms/api.txt @@ -142,7 +142,7 @@ and methods with an ``as_`` prefix could render them, but it had to be done the other way around in order not to break code that expects rendered error messages in ``Form.errors``. -.. method:: Form.errors.as_json() +.. method:: Form.errors.as_json(escape_html=False) .. versionadded:: 1.7 @@ -152,6 +152,17 @@ Returns the errors serialized as JSON. {"sender": [{"message": "Enter a valid email address.", "code": "invalid"}], "subject": [{"message": "This field is required.", "code": "required"}]} +By default, ``as_json()`` does not escape its output. If you are using it for +something like AJAX requests to a form view where the client interprets the +response and inserts errors into the page, you'll want to be sure to escape the +results on the client-side to avoid the possibility of a cross-site scripting +attack. It's trivial to do so using a JavaScript library like jQuery - simply +use ``$(el).text(errorText)`` rather than ``.html()``. + +If for some reason you don't want to use client-side escaping, you can also +set ``escape_html=True`` and error messages will be escaped so you can use them +directly in HTML. + .. method:: Form.add_error(field, error) .. versionadded:: 1.7 -- cgit v1.3