Fixed #3510 -- newforms validation errors are now HTML-escaped for HTML output. Thanks, scott@staplefish.com

git-svn-id: http://code.djangoproject.com/svn/django/trunk@4544 bcc190cf-cafb-0310-a4f2-bffc1f526a37
commit b8fa80bd0020eee186e5288e3fd2552695093025 1 parent 7cb7541
Adrian Holovaty authored February 19, 2007
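--- a/django/newforms/forms.py
+++ b/django/newforms/forms.py
@@ -113,7 +113,7 @@ def _html_output(self, normal_row, error_row, row_ender, help_text_html, errors_
         output, hidden_fields = [], []
         for name, field in self.fields.items():
             bf = BoundField(self, field, name)
-            bf_errors = bf.errors # Cache in local variable.
+            bf_errors = ErrorList([escape(error) for error in bf.errors]) # Escape and cache in local variable.
             if bf.is_hidden:
                 if bf_errors:
                     top_errors.extend(['(Hidden field %s) %s' % (name, e) for e in bf_errors])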
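Review bot: The escaping on the new `bf_errors` line covers only this `_html_output` path; `bf.errors` itself is only read here, so `form.errors` and `field.errors` still hold the raw message and any other HTML rendering of them (e.g. `ErrorList.as_ul` printed from a template) stays unescaped unless ErrorList escapes on its own, which this hunk does not show. The `top_errors` list that the hidden-field branch extends is initialised before the hunk, so it is also not visible whether form-level (non-field) errors receive the same treatment. A more complete fix is to escape inside ErrorList's HTML-producing methods (e.g. `'<li>%s</li>' % escape(e)` in `as_ul`) so every output path is covered, leaving this line as the original `bf_errors = bf.errors`. Also confirm that `escape` (django.utils.html) is already imported in forms.py, since no import is part of this change. `_html_output` begins and ends outside the hunk.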
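--- a/tests/regressiontests/forms/tests.py
+++ b/tests/regressiontests/forms/tests.py
@@ -2217,6 +2217,19 @@
 >>> f.clean_data
 {'composers': [u'J', u'P'], 'name': u'Yesterday'}
 
+Validation errors are HTML-escaped when output as HTML.
+>>> class EscapingForm(Form):
+...     special_name = CharField()
+...     def clean_special_name(self):
+...         raise ValidationError("Something's wrong with '%s'" % self.clean_data['special_name'])
+ 
+>>> f = EscapingForm({'special_name': "Nothing to escape"}, auto_id=False)
+>>> print f
+<tr><th>Special name:</th><td><ul class="errorlist"><li>Something&#39;s wrong with &#39;Nothing to escape&#39;</li></ul><input type="text" name="special_name" value="Nothing to escape" /></td></tr>
+>>> f = EscapingForm({'special_name': "Should escape < & > and <script>alert('xss')</script>"}, auto_id=False)
+>>> print f
+<tr><th>Special name:</th><td><ul class="errorlist"><li>Something&#39;s wrong with &#39;Should escape &lt; &amp; &gt; and &lt;script&gt;alert(&#39;xss&#39;)&lt;/script&gt;&#39;</li></ul><input type="text" name="special_name" value="Should escape &lt; &amp; &gt; and &lt;script&gt;alert(&#39;xss&#39;)&lt;/script&gt;" /></td></tr>
+
 # Validating multiple fields in relation to another ###########################
 
 There are a couple of ways to do multiple-field validation. If you want the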
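Review bot: The new doctest renders only via `print f` (the table layout), so neither the hidden-field branch of `_html_output` that builds `'(Hidden field %s) %s'` entries nor errors raised from a form-level `clean()` are checked for escaping, and a regression in either would still pass. Add a form whose field uses a hidden widget and one whose `clean()` raises `ValidationError("<b>bad</b>")`, and assert that `&lt;b&gt;` appears in `f.as_ul()` and `f.as_p()` as well as in `print f`. It is also worth asserting what `f.errors` / `f['special_name'].errors` contain, so the test pins down whether escaping happens at output time or mutates the stored message. The surrounding doctest narrative continues outside the hunk.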
