Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Label text isn't HTML-escaped #315

Closed
craigholm opened this issue Dec 22, 2016 · 7 comments
Closed

Label text isn't HTML-escaped #315

craigholm opened this issue Dec 22, 2016 · 7 comments
Milestone

Comments

@craigholm
Copy link

craigholm commented Dec 22, 2016

When a label is rendered, the contents of the label element aren't escaped either with __str__ or __html__.

>>> from wtforms import IntegerField, Form
>>> class MyForm(Form):
	foo = IntegerField('Number (must be < 10):', default=0)

	
>>> form = MyForm()
>>> for field in form: print(field.label)

<label for="foo">Number (must be < 10):</label>
>>> for field in form: print(field.label.__html__())

<label for="foo">Number (must be < 10):</label>
@andreagrandi
Copy link

andreagrandi commented Oct 19, 2017

Snyk vulnerability scanner reports WTForms 2.1 as vulnerable https://snyk.io/vuln/SNYK-PYTHON-WTFORMS-40581

Would it be possible to acknowledge this issue in some way? I know 3.0 is in development but even for this reason it would be nice to know if the new version will be affected as well.

Thank you so much, cheers

@davidism
Copy link
Member

davidism commented Jun 5, 2018

There should be very few circumstances where it makes sense to put untrusted input into a label, that's just not what labels are for. Reporting this as an XSS is misleading.

@rfkortekaas
Copy link

rfkortekaas commented May 28, 2020

I'm facing an issue due to the change of this. I try to use HTML special chars in the field label:

Actual Behavior

>>> import wtforms
>>> class F(wtforms.Form):
...     foo = wtforms.IntegerField('&epsilon;')
>>> f = F()
>>> for field in f: print(field.label)

<label for="foo">&amp;epsilon;</label>

Expected Behavior

>>> import wtforms
>>> class F(wtforms.Form):
...     foo = wtforms.IntegerField('&epsilon;')
>>> f = F()
>>> for field in f: print(field.label)

<label for="foo">&epsilon;</label>

Environment

  • Python version: 3.7.4
  • wtforms version: 2.3.1

Furthermore I really don't understand why this is a possible source for XSS as there is no user-input affecting the field label. E.g. the source of the label originates from the developer and when he has bad intentions you cannot prevent it like this. Except when you let the user have some control over the forms, but in my opinion this should be solved on another level.

@eliteuser26
Copy link

eliteuser26 commented Jun 1, 2020

Similar to the previous comment, in version 2.2.1 I was able to use html code in the label text. However in version 2.3.1 it doesn't work anymore. How can I break a text over 2 lines if it is being parsed before rendering. It is for the developer to decide if he should use html code or not. Is there any other option that is not documented in WTForms that would do the same thing.

@rfkortekaas
Copy link

rfkortekaas commented Jun 5, 2020

I found a solution for this. Maybe it's useful to add it to the documentation.

For escaping WTForms uses escape from MarkupSafe. You can pass an Markup object to the escape function to be able to format HTML.

>>> import wtforms
>>> from markupsafe import Markup
>>> class F(wtforms.Form):
...     foo = wtforms.IntegerField(Markup('&epsilon;'))
>>> f = F()
>>> for field in f: print(field.label)

<label for="foo">&epsilon;</label>

@eliteuser26
Copy link

eliteuser26 commented Jun 5, 2020

magical added a commit to veekun/spline-pokedex that referenced this issue Jun 27, 2020
WTForms 2.3 started escaping label text with markupsafe[1].
We have several cases where we actually do want the label to contain
html (to show icons). In most cases we were already passing an object
with an __html__ method so nothing needs to be changed. The only
exception is the list of regional pokedexes on the pokemon search page.

[1]: wtforms/wtforms#315

Updates #130
@sovankiry
Copy link

sovankiry commented Aug 11, 2020

I found a solution for this. Maybe it's useful to add it to the documentation.

For escaping WTForms uses escape from MarkupSafe. You can pass an Markup object to the escape function to be able to format HTML.

>>> import wtforms
>>> from markupsafe import Markup
>>> class F(wtforms.Form):
...     foo = wtforms.IntegerField(Markup('&epsilon;'))
>>> f = F()
>>> for field in f: print(field.label)

<label for="foo">&epsilon;</label>

@rfkortekaas Thank you so much for your solution and it is working for me. I've problems when upgrade WTForm to version 2.3.x from my old version.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

No branches or pull requests

6 participants