Opened 19 months ago
Last modified 4 months ago
#34609 closed Cleanup/optimization
Deprecate format_html calls without args or kwargs — at Version 5
Reported by: | Adam Johnson | Owned by: | Bhuvnesh |
---|---|---|---|
Component: | Utilities | Version: | dev |
Severity: | Normal | Keywords: | |
Cc: | Triage Stage: | Ready for checkin | |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description (last modified by )
In my experience, a common misuse of format_html
is to format the HTML before calling it:
format_html(f"<i>{name}</i>")
This makes it act like mark_safe
, allowing data through without escaping. It provides a false sense of security since format_html
is meant to be the "safe way".
I propose we deprecate calls to format_html that donβt pass args
or kwargs
, and eventually raise a TypeError
for such cases.
(Following improvement to format_html
docs in #34595.)
Change History (5)
comment:1 by , 19 months ago
Description: | modified (diff) |
---|
comment:2 by , 19 months ago
Triage Stage: | Unreviewed β Accepted |
---|
comment:3 by , 19 months ago
comment:4 by , 19 months ago
Owner: | changed from | to
---|---|
Status: | new β assigned |
comment:5 by , 19 months ago
Description: | modified (diff) |
---|
Note:
See TracTickets
for help on using tickets.
django/utils/html.py
tests/utils_tests/test_html.py
Are these changes relevant? I don't have much experience with templates, still a lot to learn .π