Label text isn't HTML-escaped #315
Comments
Snyk vulnerability scanner reports WTForms 2.1 as vulnerable: https://snyk.io/vuln/SNYK-PYTHON-WTFORMS-40581. Would it be possible to acknowledge this issue in some way? I know 3.0 is in development, but even for this reason it would be nice to know if the new version will be affected as well. Thank you so much, cheers |
There should be very few circumstances where it makes sense to put untrusted input into a label, that's just not what labels are for. Reporting this as an XSS is misleading. |
I'm facing an issue due to the change of this. I try to use HTML special chars in the field label:

Actual Behavior

```python
>>> import wtforms
>>> class F(wtforms.Form):
...     foo = wtforms.IntegerField('ε')
>>> f = F()
>>> for field in f: print(field.label)
<label for="foo">&epsilon;</label>
```

Expected Behavior

```python
>>> import wtforms
>>> class F(wtforms.Form):
...     foo = wtforms.IntegerField('ε')
>>> f = F()
>>> for field in f: print(field.label)
<label for="foo">ε</label>
```

Environment

Furthermore, I really don't understand why this is a possible source for XSS, as there is no user input affecting the field label. E.g. the source of the label originates from the developer, and when he has bad intentions you cannot prevent it like this. Except when you let the user have some control over the forms, but in my opinion this should be solved on another level. |
Similar to the previous comment, in version 2.2.1 I was able to use HTML code in the label text. However, in version 2.3.1 it doesn't work anymore. How can I break a text over 2 lines if it is being parsed before rendering? It is for the developer to decide if he should use HTML code or not. Is there any other option that is not documented in WTForms that would do the same thing? |
I found a solution for this. Maybe it's useful to add it to the documentation. For escaping WTForms uses escape from MarkupSafe. You can pass a Markup object to the escape function to be able to format HTML.

```python
>>> import wtforms
>>> from markupsafe import Markup
>>> class F(wtforms.Form):
...     foo = wtforms.IntegerField(Markup('ε'))
>>> f = F()
>>> for field in f: print(field.label)
<label for="foo">ε</label>
```
|
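As an added example (not code from the WTForms project or from any commenter in this thread), here is the escaping rule the thread describes, with a minimal stand-in for markupsafe's `escape`/`Markup` so it runs without wtforms or markupsafe installed; `IconLabel` and `render_label` are hypothetical names, and the inputs are constructed:

```python
import html


class Markup(str):
    """Minimal stand-in for markupsafe.Markup (constructed for this example):
    a str subclass that declares itself already-safe via __html__."""

    def __html__(self):
        return str(self)


def escape(value):
    """Mirror markupsafe.escape semantics: anything providing __html__ is
    trusted as-is; everything else is converted to str and HTML-escaped.
    (markupsafe writes the single quote as &#39;, html.escape as &#x27;.)"""
    if hasattr(value, "__html__"):
        return Markup(value.__html__())
    return Markup(html.escape(str(value), quote=True))


class IconLabel:
    """The __html__ protocol the commit messages below rely on: a label object
    that emits developer-authored markup (an icon) while still escaping the
    text part, in case that came from a less trusted place."""

    def __init__(self, icon_class, text):
        self.icon_class = icon_class
        self.text = text

    def __html__(self):
        return '<i class="%s"></i> %s' % (self.icon_class, escape(self.text))


def render_label(field_id, text):
    """Render a label the way WTForms >= 2.3 does: text passes through escape(),
    so a plain str is escaped and a Markup/__html__ object is emitted verbatim."""
    return '<label for="%s">%s</label>' % (field_id, escape(text))


if __name__ == "__main__":
    # Plain str: the entity is escaped, which is what the comment above observed.
    print(render_label("foo", "&epsilon;"))
    # Markup: developer-authored HTML survives, which is the fix from this thread.
    print(render_label("foo", Markup("&epsilon;")))
    # Custom object with __html__: icon markup kept, inner text still escaped.
    print(render_label("foo", IconLabel("icon-pokedex", "Kanto <1>")))
```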
Thanks for this solution. I will test it to see if it works in my case. I couldn't understand the examples for Markup at first. It does make things more complicated. I was able to use the label directly into the HTML code directly and it worked fine without escaping. So I don't see why this is a problem.

Regards,
Claude.
|
WTForms 2.3 started escaping label text with markupsafe [1]. We have several cases where we actually do want the label to contain html (to show icons). In most cases we were already passing an object with an __html__ method so nothing needs to be changed. The only exception is the list of regional pokedexes on the pokemon search page.

[1]: pallets-eco/wtforms#315

Updates #130
@rfkortekaas Thank you so much for your solution, it is working for me. I had problems when upgrading WTForms to version 2.3.x from my old version. |
WTForms 2.3 started escaping label text with markupsafe [1]. We have several cases where we actually do want the label to contain html. For this we can declare the __html__ method, which will be used by wtforms internally.

[1]: pallets-eco/wtforms#315
When a label is rendered, the contents of the label element aren't escaped, either with __str__ or with __html__.