fixes bug 889491 - Improve error messages for invalid queries #3359
Conversation
</div> | ||
<div class="body"> | ||
{% if 'ul class="errorlist"' in error %} | ||
{{ error | safe }} |
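Review bot: the `{% if 'ul class="errorlist"' in error %}` guard on the line before `{{ error | safe }}` is a substring test, so any error string that happens to contain `ul class="errorlist"` is emitted unescaped, and the check says nothing about where that string came from; a view that echoes part of a rejected query into its error message would hand that text straight to the browser. If the goal is to render Django's ErrorList as markup while still escaping plain strings, drop `| safe` and use `{{ error }}`: an ErrorList is already marked safe by Django and will not be escaped, while a plain string will be. If a plain string must be allowed through, decide that in the view by type (or by `mark_safe` on a message the view itself built from constants), not by inspecting the text in the template.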
Are you sure this is really safe? Could you add tests that verify it can't lead to an XSS attack for example?
Will do.
I couldn't think of a way to test that. So I hijacked one of the form validation functions and put in `raise forms.ValidationError('<script> ...`
This is what it looked like:
http://jmp.sh/CRDYEwV
I see you applied this new behavior to a handful of views. Is there not a way to apply it to every view we have? Any 400 page should behave like that imo, and having to add another decorator to every view sounds painful.
Yes, mayhaps if we write a middleware. If we just make sure to not meddle if the request is an AJAX one it might just work.
@adngdb See the new update. I managed to do it with a piece of middleware. Now, if any view does something like...

```python
def myview(request):
    if condition:
        return http.HttpResponseBadRequest('Bad!')
```

it will be rendered as the I've tested this...
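The two points raised above, a middleware that turns any plain 400 from a view into the rendered error page while leaving AJAX callers alone, and a check that a `<script>` payload in the message cannot reach the browser unescaped, can be shown together in one runnable example. This is an added illustration, not code from this pull request or from the project: the `Request` and `Response` classes are minimal stand-ins for Django's `HttpRequest` and `HttpResponse` so the example runs without Django installed, the `X-Requested-With` check mirrors what Django's `HttpRequest.is_ajax()` used to do, and the views, paths and error page template are constructed for the demonstration.

```python
import html
from dataclasses import dataclass, field
from typing import Callable

# Stand-ins for django.http.HttpRequest / HttpResponse so the example runs
# without Django installed (an assumption of this example, not project code).
@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)

    def is_ajax(self) -> bool:
        # The X-Requested-With heuristic Django's HttpRequest.is_ajax() used.
        return self.headers.get("X-Requested-With") == "XMLHttpRequest"


@dataclass
class Response:
    content: bytes
    status_code: int = 200
    content_type: str = "text/html; charset=utf-8"


# Constructed error page; the real project renders a Django template.
ERROR_PAGE = (
    "<!doctype html><title>Bad request</title>\n"
    '<div class="body"><ul class="errorlist"><li>{error}</li></ul></div>\n'
)


def render_400(message: str) -> str:
    """Render the 400 page. The message is always escaped: a view may echo
    untrusted query input into it, and a substring test such as
    'ul class="errorlist"' in error proves nothing about its origin."""
    return ERROR_PAGE.format(error=html.escape(message, quote=True))


def bad_request_middleware(get_response: Callable[[Request], Response]):
    """Django-style middleware factory: rewrite any plain 400 from a view
    into the rendered error page, but do not meddle with AJAX requests,
    whose callers expect the raw body."""
    def middleware(request: Request) -> Response:
        response = get_response(request)
        if response.status_code != 400 or request.is_ajax():
            return response
        body = render_400(response.content.decode("utf-8", "replace"))
        return Response(body.encode("utf-8"), 400)
    return middleware


# --- constructed views and helpers used for the demonstration --------------

def view_rejecting_query(request: Request) -> Response:
    # Echoes the offending value back: the case the reviewer worried about.
    bad_value = request.path.split("q=", 1)[1] if "q=" in request.path else "?"
    return Response(f"Invalid query: {bad_value}".encode("utf-8"), 400)


def view_ok(request: Request) -> Response:
    return Response(b"fine", 200)


def run(view, path: str, ajax: bool = False) -> Response:
    """Send one constructed request through the middleware-wrapped view."""
    headers = {"X-Requested-With": "XMLHttpRequest"} if ajax else {}
    return bad_request_middleware(view)(Request(path, headers))


if __name__ == "__main__":
    r = run(view_rejecting_query, "/search?q=<script>alert(1)</script>")
    print(r.status_code)
    print(r.content.decode("utf-8"))
```

The property worth asserting in a real test is the one the reviewer asked for: a message containing `<script>` comes back as `&lt;script&gt;` on the rendered page, an AJAX request gets the view's original body untouched, and non-400 responses pass through unchanged.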
This looks good, but it needs to be rebased!
01f3971 to 49987a2
Don't ask why I dedicated an hour of my Friday afternoon to this. The short answer was that I was just curious. I wanted to play with the `handler400` but that's not at all what that's for. :)
Before:
After: