Escape help text in form builder forms by default

This can be disabled with the setting WAGTAILFORMS_HELP_TEXT_ALLOW_HTML Conflicts: docs/advanced_topics/settings.rst wagtail/contrib/forms/forms.py
wagtail · Jul 20, 2020 · 0b80aee · 0b80aee
1 parent 8939583
commit 0b80aee
Show file tree

Hide file tree

Showing 4 changed files with 29 additions and 2 deletions.
diff --git a/docs/advanced_topics/settings.rst b/docs/advanced_topics/settings.rst
@@ -660,6 +660,18 @@ Customise the behaviour of rich text fields. By default, ``RichTextField`` and `
 
  * ``OPTIONS``: Configuration options to pass to the widget. Recognised options are widget-specific, but both ``DraftailRichTextArea`` and ``HalloRichTextArea`` accept a ``features`` list indicating the active rich text features (see :ref:`rich_text_features`).
 
+Form builder
+============
+
+.. versionadded:: 2.7.5/2.9.3
+
+    The ``WAGTAILFORMS_HELP_TEXT_ALLOW_HTML`` option was added.
+
+.. code-block:: python
+
+    WAGTAILFORMS_HELP_TEXT_ALLOW_HTML = True
+
+When true, HTML tags in form field help text will be rendered unescaped (default: False).
 
 
 URL Patterns

diff --git a/wagtail/contrib/forms/forms.py b/wagtail/contrib/forms/forms.py
@@ -1,6 +1,8 @@
 from collections import OrderedDict
 
 import django.forms
+from django.conf import settings
+from django.utils.html import conditional_escape
 from django.utils.translation import ugettext_lazy as _
 
 from wagtail.admin.forms import WagtailAdminPageForm
@@ -113,7 +115,10 @@ def formfields(self):
     def get_field_options(self, field):
         options = {}
         options['label'] = field.label
-        options['help_text'] = field.help_text
+        if getattr(settings, 'WAGTAILFORMS_HELP_TEXT_ALLOW_HTML', False):
+            options['help_text'] = field.help_text
+        else:
+            options['help_text'] = conditional_escape(field.help_text)
         options['required'] = field.required
         options['initial'] = field.default_value
         return options

diff --git a/wagtail/contrib/forms/tests/test_models.py b/wagtail/contrib/forms/tests/test_models.py
@@ -2,7 +2,7 @@
 import json
 
 from django.core import mail
-from django.test import TestCase
+from django.test import TestCase, override_settings
 
 from wagtail.contrib.forms.models import FormSubmission
 from wagtail.contrib.forms.tests.utils import (
@@ -27,9 +27,18 @@ def test_get_form(self):
         self.assertTemplateUsed(response, 'tests/form_page.html')
         self.assertTemplateNotUsed(response, 'tests/form_page_landing.html')
 
+        # HTML in help text should be escaped
+        self.assertContains(response, "&lt;em&gt;please&lt;/em&gt; be polite")
+
         # check that variables defined in get_context are passed through to the template (#1429)
         self.assertContains(response, "<p>hello world</p>")
 
+    @override_settings(WAGTAILFORMS_HELP_TEXT_ALLOW_HTML=True)
+    def test_get_form_without_help_text_escaping(self):
+        response = self.client.get('/contact-us/')
+        # HTML in help text should not be escaped
+        self.assertContains(response, "<em>please</em> be polite")
+
     def test_post_invalid_form(self):
         response = self.client.post('/contact-us/', {
             'your-email': 'bob',

diff --git a/wagtail/contrib/forms/tests/utils.py b/wagtail/contrib/forms/tests/utils.py
@@ -28,6 +28,7 @@ def make_form_page(**kwargs):
         label="Your message",
         field_type='multiline',
         required=True,
+        help_text="<em>please</em> be polite"
     )
     FormField.objects.create(
         page=form_page,