format_html() should explicitly mention that format_string is not escaped and that result is safe
The docs for format_html mention that args and kwargs are escaped but it does not say anything about format_string (which is, in fact, not escaped). Readers could benefit from this clarification to avoid putting unsafe content in format_string.
Similarly, the docs could be extended to explicitly mention that the result is marked as safe. Mariusz suggested this text (thanks!):
The output has :func:`~django.utils.safestring.mark_safe` applied.
Change History
(8)
| Summary: |
`format_html` should explicitely mention rgar `format_string` is not escaped → format_html() should explicitely mention format_string is not escaped.
|
| Triage Stage: |
Unreviewed → Accepted
|
| Description: |
modified (diff)
|
| Summary: |
format_html() should explicitely mention format_string is not escaped. → format_html() should explicitely mention format_string is not escaped and that result is safe
|
| Summary: |
format_html() should explicitely mention format_string is not escaped and that result is safe → format_html() should explicitly mention that format_string is not escaped and that result is safe
|
| Owner: |
changed from nobody to AP Jama
|
| Status: |
new → assigned
|
| Triage Stage: |
Accepted → Ready for checkin
|
| Resolution: |
→ fixed
|
| Status: |
assigned → closed
|
I'm not sure how
format_html()could be useful with escapedformat_string, however, a little clarification won't hurt.