Opened 16 months ago
Last modified 16 months ago
#34595 closed Cleanup/optimization
format_html() should explicitely mention format_string is not escaped and that result is safe — at Version 2
| Reported by: | Natalia Bidart | Owned by: | nobody |
|---|---|---|---|
| Component: | Template system | Version: | 4.2 |
| Severity: | Normal | Keywords: | |
| Cc: | Triage Stage: | Ready for checkin | |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | yes | UI/UX: | no |
Description (last modified by )
The docs for format_html mention that args and kwargs are escaped but it does not say anything about format_string (which is, in fact, not escaped). Readers could benefit from this clarification to avoid putting unsafe content in format_string.
Similarly, the docs could be extended to explicitly mention that the result is marked as safe. Mariusz suggested this text (thanks!):
The output has :func:`~django.utils.safestring.mark_safe` applied.
Change History (2)
comment:1 by , 16 months ago
| Summary: | `format_html` should explicitely mention rgar `format_string` is not escaped → format_html() should explicitely mention format_string is not escaped. |
|---|---|
| Triage Stage: | Unreviewed → Accepted |
comment:2 by , 16 months ago
| Description: | modified (diff) |
|---|---|
| Summary: | format_html() should explicitely mention format_string is not escaped. → format_html() should explicitely mention format_string is not escaped and that result is safe |
Note:
See TracTickets
for help on using tickets.
I'm not sure how
format_html()could be useful with escapedformat_string, however, a little clarification won't hurt.