fixes bug 889491 - Improve error messages for invalid queries #3359
Conversation
| </div> | ||
| <div class="body"> | ||
| {% if 'ul class="errorlist"' in error %} | ||
| {{ error | safe }} |
There was a problem hiding this comment.
Are you sure this is really safe? Could you add tests that verify it can't lead to an XSS attack for example?
There was a problem hiding this comment.
I couldn't think of a way to test that. So I hijacked one of the form validation functions and put in raise forms.ValidationError('<script> ...
This is what it looked like;
http://jmp.sh/CRDYEwV
|
I see you applied this new behavior to a handful of views. Is there not a way to apply to every view we have? Any 400 page should behave like that imo, and having to add another decorator to every view sounds painful. |
Yes, mayhaps if we write a middleware. If we just make sure to not meddle if the request is an AJAX one it might just work. |
|
@adngdb See the new update. I managed to do it with a piece of middleware. Now, if any view does something like... def myview(request):
if condition:
return http.HttpResponseBadRequest('Bad!')it will be rendered as the I've tested this...
|
|
This looks good, but it needs to be rebased! |
peterbe
force-pushed
the
bug-889491-improve-error-messages-for-invalid-queries
branch
from
01f3971
to
49987a2
Compare
peterbe
deleted the
bug-889491-improve-error-messages-for-invalid-queries
branch
Don't ask why I dedicated an hour of my Friday afternoon to this. The short answer was that I was just curious. I wanted to play with the
handler400but that's not at all what that's for. :)Before:
After:
