Opened 5 years ago
Last modified 5 years ago
#31203 closed Bug
Using Markup in ValidationError — at Initial Version
| Reported by: | Felipe | Owned by: | |
|---|---|---|---|
| Component: | Core (Other) | Version: | dev |
| Severity: | Normal | Keywords: | |
| Cc: | Triage Stage: | Unreviewed | |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
Not 100% positive this is a bug, but definitely a breaking change in Django.
In 1.11 ValidationError used force_text to stringify its messages, but in 2.2 and 3.0, it's using str.
force_text used to check for subtypes of six.text_type and let those through unchanged, whereas str forces the str conversion.
This interacts poorly with Markup, which 'unwraps' itself in the str method. Here's a sample problem:
type(next(iter(ValidationError(
message=Markup('%(x)s had a problem'),
params={'x': Markup('<span>X</span>')}
)))) is str
That error should render on a form as a span followed by some text; however, the use of str causes the 'safeness' of the markup to be lost and thus it's re-escaped and the HTML leaks into the page.
Maybe Markup should be returning self in str, since it's a str subclass. This bug can be worked around from client code using something like this:
class StubbornMarkup(Markup):
def __str__(self):
return self
type(next(iter(ValidationError(
message=StubbornMarkup('%(x)s had a problem'),
params={'x': Markup('<span>X</span>')}
)))) is StubbornMarkup
This is vaguely related to #13723, which seems to suggest the use of Markup should be supported.