Opened 19 months ago

Last modified 4 months ago

#34609 closed Cleanup/optimization

Deprecate format_html calls without args or kwargs — at Version 1

Reported by: Adam Johnson Owned by: nobody
Component: Utilities Version: dev
Severity: Normal Keywords:
Cc: Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description (last modified by Adam Johnson)

In my experience, a common misuse of format_html is to format the HTML before calling it:

format_html(f"<i>{name}")

This makes it act like mark_safe, allowing data through without escaping. It provides a false sense of security since format_html is meant to be the "safe way".

I propose we deprecate calls to format_html that don’t pass args or kwargs, and eventually raise a TypeError for such cases.

(Following improvement to format_html docs in #34595.)
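To make the misuse concrete, here is a small self-contained Python example (added here; it is not code from the ticket or from Django itself). It uses a deliberately simplified re-implementation of format_html/mark_safe/conditional_escape built on the standard library's html.escape so it runs without Django installed; the escaping semantics mirror Django's, but the functions are stand-ins, not Django's API. format_html_strict is a hypothetical guard showing the behaviour the ticket proposes (raising TypeError when no args or kwargs are passed), and the payload string is constructed for the demonstration.

```python
import html


class SafeString(str):
    """Marker type for markup that has already been escaped.

    Stand-in for Django's SafeString (assumption: same role, simplified).
    """


def mark_safe(s):
    # Declare `s` trusted markup; nothing is escaped here.
    return SafeString(s)


def conditional_escape(value):
    # Escape everything except values already marked safe.
    if isinstance(value, SafeString):
        return value
    return SafeString(html.escape(str(value), quote=True))


def format_html(format_string, *args, **kwargs):
    # Simplified re-implementation of Django's format_html semantics:
    # each argument is escaped, the template itself is trusted, and the
    # result is marked safe. With no args/kwargs, nothing is escaped at all.
    safe_args = [conditional_escape(a) for a in args]
    safe_kwargs = {k: conditional_escape(v) for k, v in kwargs.items()}
    return mark_safe(format_string.format(*safe_args, **safe_kwargs))


def format_html_strict(format_string, *args, **kwargs):
    # Hypothetical guard implementing the ticket's proposal: a call with
    # no args or kwargs is a misuse, because it behaves exactly like
    # mark_safe() while looking like the "safe" helper.
    if not args and not kwargs:
        raise TypeError(
            "format_html() requires args or kwargs; "
            "use mark_safe() if the markup is genuinely trusted"
        )
    return format_html(format_string, *args, **kwargs)


def render_misuse(name):
    # The pattern the ticket describes: interpolation happens before the
    # call, so format_html never sees `name` and cannot escape it.
    return format_html(f"<i>{name}</i>")


def render_correct(name):
    # `name` is passed as an argument and therefore escaped.
    return format_html("<i>{}</i>", name)


def render_nested(inner_safe):
    # Already-safe fragments pass through unescaped, so format_html
    # calls compose without double-escaping.
    return format_html("<b>{}</b>", inner_safe)


if __name__ == "__main__":
    # Constructed sample input for the demonstration.
    payload = "<script>alert(1)</script>"
    print("misuse :", render_misuse(payload))   # script tag survives intact
    print("correct:", render_correct(payload))  # script tag is escaped
```

The misuse case renders the script tag verbatim, which is exactly the mark_safe behaviour the ticket warns about; the correct call escapes it. The strict variant turns the silent pass-through into a loud error, which is what the proposed deprecation would eventually do.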

Change History (1)

comment:1 by Adam Johnson, 19 months ago

Description: modified (diff)