-
Notifications
You must be signed in to change notification settings - Fork 35
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Escape dictionary curly bracket before renderingin HTML #42
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure this is the "best" solution to the issue - I'm concerned that it seems like we're double-interpreting a variable value somewhere in here, and this is maybe only a bandaid over a more fundamental design issue. Might be worth looking at how render_diff
is wrapping this text into format_html()
and see if that needs to be revisited somehow instead.
The
From docs, |
Any concern/idea about bandit issue with cross-site scripting? |
Could certainly try a test or two with objects in the diff whose string representation is HTML or JS? |
In 6e3c3c0 I replaced all the f-strings with input data by |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we have a unit test case or two get added for render_diff
? Otherwise looks good to me!
Addresses issue #41