Draft: Remove safe filters #28
Conversation
] | ||
): | ||
field.label = conditional_escape(field.label) | ||
if getattr(settings, "TBXFORMS_ALLOW_HTML_LABEL", False): |
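Review bot: `field.label = conditional_escape(field.label)` runs with no guard, so a field whose label is None ends up with the literal string 'None' as its label (`conditional_escape` calls `str()` on anything that does not declare itself safe before escaping it); guard this line with `if field.label:` in the same way the suggestion below guards the `TBXFORMS_ALLOW_HTML_LABEL` check, and apply the same guard to the help_text handling so an empty or missing help text is not turned into text either.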
if getattr(settings, "TBXFORMS_ALLOW_HTML_LABEL", False): | |
if field.label and getattr(settings, "TBXFORMS_ALLOW_HTML_LABEL", False): |
This might still be needed here, and for the help text below.
super().__init__(*args, **kwargs) | ||
self.helper = FormHelper(self) | ||
|
||
class BaseForm(TbxFormsBaseForm, forms.Form): |
This change means 61 test failures that will require a lot of markup fixtures to be updated. I think that should be on another PR to keep the scope of this one manageable.
Sure, it could be done separately first. But that might mean more work if all those have to be updated again for this PR.
Last time I looked at this I gave up when realising that we weren't using `TbxFormsBaseForm` in tests. That seemed like a pretty major issue.
* Update test matrix
  - Add Python 3.12
  - Remove Django 2.2, 3.0 and 3.1
  - Add Django 4.1 and 4.2
* Make tests pass
* Upgrade Flake8, so that it works on Python 3.12 too
* Remove `|safe` filters

  See #28

* Add tests for HTML escaping
Closing because all the points here have been addressed in other PRs already.
Crispy forms has removed all uses of `|safe` recently: django-crispy-forms/django-crispy-forms#296 (except for `help_text`: https://grep.app/search?q=%7Csafe&filter[repo][0]=django-crispy-forms/django-crispy-forms but we handle those differently, so we can remove `|safe` from those too).

This PR still needs more work but so far includes the following:

- `|safe` (there's still a couple left though)
- `BaseForm` in `tests/forms.py` now inherits from `TbxFormsBaseForm` (I'm not sure how the tests worked like that)
- `form.helper = FormHelper()` removed from all tests; it should already exist if inheriting from `TbxFormsBaseForm`
- `TBXFORMS_ALLOW_HTML_BUTTON`. See also the notes in the README for why. Basically values for buttons can very likely always be marked as safe in Python (unlike label and help text, which come from field definitions and can never contain user input). So we don't need an option for this.
- `test_show_legend_as_heading_incorrect_escaping` to make sure we don't render HTML where we're not supposed to.
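To make the escaping model behind this PR concrete (escape labels and help text once in Python, drop `|safe` from the templates, and rely on autoescape not to escape a safe string twice), here is an added example; it is not code from this PR, from tbxforms or from django-crispy-forms. It re-implements Django's `conditional_escape`/`mark_safe` and the `__html__` protocol with the standard library so it runs without Django, and `Field`, `prepare_field`, `render_autoescaped`, `render_with_safe_filter` and the `allow_html_*` keyword arguments are hypothetical stand-ins for the form field, the `TBXFORMS_ALLOW_HTML_*` settings and the template engine's behaviour.

```python
from html import escape as _html_escape


class SafeString(str):
    """A str that declares itself already escaped (Django's __html__ protocol)."""

    def __html__(self):
        return str(self)


def mark_safe(text):
    """Stand-in for django.utils.safestring.mark_safe."""
    return SafeString(text)


def conditional_escape(text):
    """Stand-in for django.utils.html.conditional_escape.

    Values exposing __html__ pass through untouched; everything else is
    str()-ed and HTML-escaped, which is why an unguarded None label would
    become the text 'None'.
    """
    if hasattr(text, "__html__"):
        return text.__html__()
    return SafeString(_html_escape(str(text), quote=True))


class Field:
    """Minimal stand-in for a Django form field (constructed for this example)."""

    def __init__(self, label=None, help_text=""):
        self.label = label
        self.help_text = help_text


def prepare_field(field, allow_html_label=False, allow_html_help_text=False):
    """Escape label/help_text in Python instead of trusting |safe in templates.

    The keyword arguments stand in for TBXFORMS_ALLOW_HTML_LABEL and a
    hypothetical help-text equivalent. Guarding on truthiness keeps a None
    label as None instead of the string 'None'.
    """
    if field.label:
        field.label = (mark_safe(field.label) if allow_html_label
                       else conditional_escape(field.label))
    if field.help_text:
        field.help_text = (mark_safe(field.help_text) if allow_html_help_text
                           else conditional_escape(field.help_text))
    return field


def render_autoescaped(value):
    """What {{ value }} does under Django's default autoescape."""
    return conditional_escape(value)


def render_with_safe_filter(value):
    """What {{ value|safe }} did before the PR: emit the string verbatim."""
    return str(value)


def demo():
    # Constructed label, e.g. from a field definition or a translation catalogue.
    hostile = 'Name <img src=x onerror="alert(1)">'
    results = {}

    # Old path: |safe in the template ships the markup as-is.
    results["safe_filter"] = render_with_safe_filter(hostile)

    # New path: escaped once in Python; autoescape sees a SafeString and leaves it alone.
    plain = prepare_field(Field(label=hostile))
    results["escaped_once"] = render_autoescaped(plain.label)

    # Opting in to HTML labels marks them safe in Python, so autoescape lets them through.
    trusted = prepare_field(Field(label="<em>Name</em>"), allow_html_label=True)
    results["allow_html"] = render_autoescaped(trusted.label)

    # Buttons: the value is set in Python, so it can be marked safe there without a setting.
    results["button"] = render_autoescaped(mark_safe("Save &amp; continue"))

    # Edge case: a field without a label must not acquire the literal label 'None'.
    results["none_label"] = prepare_field(Field(label=None)).label

    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Run it and compare `safe_filter` with `escaped_once`: the same string reaches the browser as live markup in the first case and as inert text in the second. `conditional_escape` returns a `SafeString`, so escaping in Python and then rendering under autoescape does not double-escape, which is what lets the `|safe` filters go.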