Filtering errors by safe is NOT safe!
This corrects the assumption that django errors are safe.

e.g. If you have a GET form with a field called foo and insert:

    ?foo=bar

into the URL, where bar is not a valid choice, the error for a
ChoiceField will be:

    Select a valid choice. bar is not one of the available choices.

Obviously this is a VERY bad thing to mark as safe. Imagine we have:

    ?foo=<script>alert('This is bad')</script>

We are now manipulating the page into executing code... This is bad.

https://docs.djangoproject.com/en/dev/topics/templates/#automatic-html-escaping
Charlie Denton authored and maraujop committed Sep 17, 2011
1 parent 381d781 commit afb7fd9
Showing 2 changed files with 2 additions and 2 deletions.
2 changes: 1 addition & 1 deletion uni_form/templates/uni_form/field.html
Expand Up @@ -6,7 +6,7 @@
<div id="div_{{ field.auto_id }}" class="ctrlHolder{% if field.errors %} error{% endif %}{% if field|is_checkbox %} checkbox{% endif %}{% if field.field.widget.attrs.class %} {{ field.field.widget.attrs.class }}{% endif %}{% if field.css_classes %} {{ field.css_classes }}{% endif %}">
{% for error in field.errors %}
<p id="error_{{ forloop.counter }}_{{ field.auto_id }}" class="errorField">
{{ error|safe }}
{{ error }}
</p>
{% endfor %}

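Review bot: removing `|safe` from `{{ error }}` inside the `{% for error in field.errors %}` loop is the right fix, because the ChoiceField message reflects the submitted value and autoescaping is the only thing standing between that value and the `<p class="errorField">` element; note that this protection holds only while the including template has autoescaping on, so a project that wraps this include in `{% autoescape off %}` gets the old behaviour back. Suggest adding a regression test that binds a value containing `<script>` to a ChoiceField, renders field.html and asserts the output contains `&lt;script&gt;` and not `<script>`, so the filter cannot be reintroduced silently.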
2 changes: 1 addition & 1 deletion uni_form/templates/uni_form/field.strict.html
Expand Up @@ -6,7 +6,7 @@
<div id="div_{{ field.auto_id }}" class="ctrlHolder{% if field.errors %} error{% endif %}{% if field|is_checkbox %} checkbox{% endif %}{% if field.field.widget.attrs.class %} {{ field.field.widget.attrs.class }}{% endif %}{% if field.css_classes %} {{ field.css_classes }}{% endif %}">
{% for error in field.errors %}
<p id="error_{{ forloop.counter }}_{{ field.auto_id }}" class="errorField">
{{ error|safe }}
{{ error }}
</p>
{% endfor %}

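Review bot: this error loop is byte-for-byte the same as the one in field.html, which is why the `|safe` had to be removed in two places; consider extracting the `{% for error in field.errors %} ... {% endfor %}` block into one shared template that both field.html and field.strict.html include (a name such as `uni_form/field_errors.html` is only a suggestion), so the next escaping change lands once. It is also worth grepping the rest of the template directory for any other `|safe` applied to form error output, since the same reflected-value problem applies to any error message that interpolates user input.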

0 comments on commit afb7fd9