test0908
/
django
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Fixed #3510 -- newforms validation errors are now HTML-escaped for HTML output. Thanks, scott@staplefish.com 

git-svn-id: http://code.djangoproject.com/svn/django/trunk@4544 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
Adrian Holovaty 2007-02-19 23:54:55 +00:00
parent 7cb7541971
commit b8fa80bd00
2 changed files with 14 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
django/newforms/forms.py
View File

@ -113,7 +113,7 @@ class BaseForm(StrAndUnicode):
output, hidden_fields = [], [] output, hidden_fields = [], []
for name, field in self.fields.items(): for name, field in self.fields.items():
bf = BoundField(self, field, name) bf = BoundField(self, field, name)
bf_errors = bf.errors # Cache in local variable. bf_errors = ErrorList([escape(error) for error in bf.errors]) # Escape and cache in local variable.
if bf.is_hidden: if bf.is_hidden:
if bf_errors: if bf_errors:
top_errors.extend(['(Hidden field %s) %s' % (name, e) for e in bf_errors]) top_errors.extend(['(Hidden field %s) %s' % (name, e) for e in bf_errors])

13
tests/regressiontests/forms/tests.py
View File

@ -2217,6 +2217,19 @@ returns a list of input.
>>> f.clean_data >>> f.clean_data
{'composers': [u'J', u'P'], 'name': u'Yesterday'} {'composers': [u'J', u'P'], 'name': u'Yesterday'}
Validation errors are HTML-escaped when output as HTML.
>>> class EscapingForm(Form):
... special_name = CharField()
... def clean_special_name(self):
... raise ValidationError("Something's wrong with '%s'" % self.clean_data['special_name'])
>>> f = EscapingForm({'special_name': "Nothing to escape"}, auto_id=False)
>>> print f
<tr><th>Special name:</th><td><ul class="errorlist"><li>Something&#39;s wrong with &#39;Nothing to escape&#39;</li></ul><input type="text" name="special_name" value="Nothing to escape" /></td></tr>
>>> f = EscapingForm({'special_name': "Should escape < & > and <script>alert('xss')</script>"}, auto_id=False)
>>> print f
<tr><th>Special name:</th><td><ul class="errorlist"><li>Something&#39;s wrong with &#39;Should escape &lt; &amp; &gt; and &lt;script&gt;alert(&#39;xss&#39;)&lt;/script&gt;&#39;</li></ul><input type="text" name="special_name" value="Should escape &lt; &amp; &gt; and &lt;script&gt;alert(&#39;xss&#39;)&lt;/script&gt;" /></td></tr>
# Validating multiple fields in relation to another ########################### # Validating multiple fields in relation to another ###########################
There are a couple of ways to do multiple-field validation. If you want the There are a couple of ways to do multiple-field validation. If you want the