django-bootstrap-form
Removing |safe filter from help_text.
I've removed the |safe filter from the help_text as I can't see a reason to assume that it's safe (no more than the label, error messages or anything else). As always we should default to assuming that it's not. It can always be mark_safe()'d if necessary.
The help_text is coded by the developer, why should we not assume that it's safe?
Well, for a couple of reasons... The help_text could have been translated with ugettext and so isn't necessarily directly controlled by the developer. And also because even if it is coded by the developer, the developer will be expecting it to be escaped by django (like everything else is). It doesn't seem to make sense to special case the help_text.
Django's philosophy is to escape everything at the template stage, unless it's an instance of django.utils.safestring.SafeString (i.e. mark_safe() has been called on it). The help_text should be no exception to this, otherwise we wouldn't be escaping the labels or error messages or widget attributes or anything else under the control of the developer either.
People can call mark_safe() on their help_text if they want to use HTML in it. But we should default to escaping the same as everything else.
Adam
On Monday, 17 February 2014, tzangms wrote:
The help_text is coded by the developer, why should we not assume that it's safe?
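The escaping argument above, as an added example that is not code from this PR or from django-bootstrap-form: a small stand-in for Django's SafeString / conditional_escape (re-implemented here so it runs without Django installed) renders the old `|safe` template and the new unfiltered one side by side. The translation catalog, the `ugettext` stand-in and both help texts are constructed for the demo.

```python
import html


class SafeString(str):
    """Marker type: the value was explicitly declared HTML-safe.
    Stand-in for django.utils.safestring.SafeString, not Django itself."""


def mark_safe(s: str) -> SafeString:
    """Declare a string safe so it is emitted without escaping."""
    return SafeString(s)


def conditional_escape(value) -> str:
    """Django's default template behaviour, re-implemented: escape
    everything unless it has been mark_safe()'d."""
    if isinstance(value, SafeString):
        return str(value)
    return html.escape(str(value), quote=True)


def render_help_text_before(help_text) -> str:
    """Old template: {{ field.help_text|safe }} -- never escaped."""
    return f'<p class="help-block">{help_text}</p>'


def render_help_text_after(help_text) -> str:
    """PR template: {{ field.help_text }} -- escaped unless mark_safe()'d."""
    return f'<p class="help-block">{conditional_escape(help_text)}</p>'


# Constructed translation catalog standing in for ugettext(): the translated
# string is authored by a translator, not by the developer writing the form.
CATALOG = {
    "Enter your name": "Enter your name <script>alert(1)</script>",
}


def ugettext(msgid: str) -> str:
    """Stand-in for django.utils.translation.ugettext (constructed)."""
    return CATALOG.get(msgid, msgid)


def demo() -> dict:
    """Render a translated (untrusted) help_text and a mark_safe()'d one."""
    untrusted = ugettext("Enter your name")
    trusted = mark_safe('Read the <a href="/terms">terms</a> first')
    return {
        "before_untrusted": render_help_text_before(untrusted),
        "after_untrusted": render_help_text_after(untrusted),
        "after_trusted": render_help_text_after(trusted),
    }
```

With `|safe` the translator-supplied markup reaches the browser unchanged; without it only the explicitly mark_safe()'d help text keeps its HTML.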
+1
Hi, any chance we could get this merged in?
Thanks Adam
For what it's worth, Django itself doesn't escape help_text in automatically generated forms.