Opened 7 years ago

Closed 7 years ago

#28874 closed Bug (fixed)

Errors on hidden input fields print out double escaped HTML

Reported by: Kyle Agronick Owned by: Daniil Ryzhkov
Component: Template system Version: 1.11
Severity: Normal Keywords:
Cc: Daniil Ryzhkov Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: yes Patch needs improvement: no
Easy pickings: yes UI/UX: yes

Description

Hidden input fields will print errors like "It\'s the thing &" as "(Hidden field test) It's the thing &". with HTML that is double escaped as

<ul class="errorlist nonfield">
    <li>(Hidden field test) It&amp;#39;s the thing &amp;amp;</li>
</ul>

Using this code:

views.py

class TestForm(forms.Form):
    test = forms.CharField(widget=forms.HiddenInput(), required=False)
    foo = forms.CharField()

class StoreGroupDelete(FormView):
    form_class = TestForm
    template_name = 'test/test_delete.html'

    def form_valid(self, form):
        form.add_error('test', 'It\'s the thing &')
        return self.form_invalid(form)

test.html

        <form method="post">
            {% csrf_token %}
            <ul>
            {{ form.as_ul }}
            </ul><input type="submit" />
        </form>

This only happens on hidden inputs. Regular fields work fine. This is on 1.11.7.

Change History (7)

comment:1 by Daniil Ryzhkov, 7 years ago

I was able to reproduce this behaviour and can confirm that this only happens for HiddenField. It works normally for CharField.

comment:2 by Daniil Ryzhkov, 7 years ago

I've checked Django code and it seems to be a django bug.
This line in django.forms.forms breaks affect of mark_safe:

According to git blame, this issue should should be reproducible in every django release for last 5 years:
I was able to fix this. I will write tests to cover this issue and submit my changes as PR on github.

comment:3 by Daniil Ryzhkov, 7 years ago

Cc: Daniil Ryzhkov added
Needs tests: set
Owner: changed from nobody to Daniil Ryzhkov
Status: newassigned
Triage Stage: UnreviewedAccepted

comment:4 by Daniil Ryzhkov, 7 years ago

Triage Stage: AcceptedReady for checkin
Version 0, edited 7 years ago by Daniil Ryzhkov (next)

comment:5 by Simon Charette, 7 years ago

Triage Stage: Ready for checkinAccepted

Please don't mark your own patch as RFC.

comment:6 by Daniil Ryzhkov, 7 years ago

Has patch: set

comment:7 by Tim Graham <timograham@…>, 7 years ago

Resolution: fixed
Status: assignedclosed

In 7c7bc639:

Fixed #28874 -- Prevented double escaping of errors on hidden form fields.

Note: See TracTickets for help on using tickets.
Back to Top