
Verify that html escaping is done on any Django messages

Open mpdehaan opened this issue 7 years ago • 2 comments

In a few places in the code we use the Django messages feature to feature alerts at the top of the screen.

We need to make sure we html escape any project names or user data that can be shown there to make sure they do not include HTML.

This is already done in the list view pages and is handled by the forms, but needs to happen in the messages usage as well.

mpdehaan avatar Nov 07 '18 02:11 mpdehaan

To provide context, I am a Django noob, so I'm going off limited understanding, but these docs would indicate that escaping is already occurring and is the default behaviour.

https://docs.djangoproject.com/en/2.1/ref/templates/language/#automatic-html-escaping

JohnVonNeumann avatar Nov 25 '18 06:11 JohnVonNeumann

Hi,

We’re using Jinja2 throughout and it does not auto escape HTML - this is fine actually - we are not doing this for the form pages (forms code handles this for us) so we only have to consider this when passing context to the list pages.

Per previous comments we are doing it explicitly and reviewing the part that does it for messages is the last little bit to change sometime.

The messages part is the strings that pop up and say things like “Project Foo Added”.

mpdehaan avatar Nov 25 '18 13:11 mpdehaan
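The point of the thread is that the alert strings are built from user data and rendered by templates that do not autoescape, so the escaping has to happen when the message is created. The following is an added illustration, not code from the vespene project; it uses the standard-library `html.escape` in place of the project's own helpers, and `render_alert_without_autoescape` is a constructed stand-in for a non-autoescaping template, not a Jinja2 or Django API.

```python
import html

# Constructed sample input: a project name containing markup, as a user could submit it.
SAMPLE_PROJECT_NAME = 'Foo <b>x</b> & "co"'


def project_added_message(project_name: str) -> str:
    """Build the 'Project ... Added' alert text with the user-supplied name escaped.

    Escaping is done here, at message-creation time, because the templates in this
    thread are rendered without autoescaping, so nothing downstream neutralises markup.
    """
    # quote=True also escapes ' and ", so the value is safe inside attributes too.
    safe_name = html.escape(project_name, quote=True)
    return f"Project {safe_name} Added"


def render_alert_without_autoescape(message: str) -> str:
    """Stand-in (hypothetical) for a non-autoescaping template: the message is
    interpolated verbatim into the alert markup."""
    return f'<div class="alert">{message}</div>'


def alert_has_raw_markup(rendered: str) -> bool:
    """Check usable in a test suite: did the sample's <b> tag survive into the page?

    Escaped output carries '&lt;b&gt;' instead, so this returns False for it.
    """
    return "<b>" in rendered


if __name__ == "__main__":
    # Unescaped: the user's tag becomes part of the page structure.
    unsafe = render_alert_without_autoescape(f"Project {SAMPLE_PROJECT_NAME} Added")
    # Escaped at message-creation time: the tag is displayed as text.
    safe = render_alert_without_autoescape(project_added_message(SAMPLE_PROJECT_NAME))
    print(unsafe)
    print(safe)
    print("raw markup in unsafe:", alert_has_raw_markup(unsafe))
    print("raw markup in safe:  ", alert_has_raw_markup(safe))
```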