#34609: Deprecate format_html calls without args or kwargs
------------------------------------------------+------------------------
Reporter: Adam Johnson | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: Utilities | Version: dev
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
------------------------------------------------+------------------------
In my experience, a common misuse of `format_html` is to format the HTML
before calling it:
{{{
format_html(f"<i>{name}")
}}}
This makes it act like `mark_safe`, allowing data through without
escaping. It provides a false sense of security since `format_html` is
meant to be the "safe way".
I propose we deprecate calls to format_html that don’t pass `args` or
`kwargs`, and eventually raise a `TypeError` for such cases.
--
Ticket URL: <https://code.djangoproject.com/ticket/34609>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
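The escaping difference the ticket describes, shown with a small stand-in for `format_html` that also implements the proposed no-args/no-kwargs check. This is an added example, not Django's own code; `misuse`, `correct` and `demo` are illustrative names, and the stand-in uses `html.escape` rather than Django's escaping and `SafeString` type.

```python
import html
import warnings


# Stand-in for django.utils.html.format_html (added example, not Django's code):
# each positional and keyword argument is escaped and then substituted into the
# format string, so only the template itself is treated as trusted markup.
def format_html(format_string, *args, **kwargs):
    # The check this ticket proposes: with no args or kwargs there is nothing
    # left to escape, so the call behaves exactly like mark_safe().
    if not args and not kwargs:
        warnings.warn(
            "format_html() called without args or kwargs; the string was "
            "probably pre-formatted, which is equivalent to mark_safe().",
            DeprecationWarning,
            stacklevel=2,
        )
    safe_args = tuple(html.escape(str(a), quote=True) for a in args)
    safe_kwargs = {k: html.escape(str(v), quote=True) for k, v in kwargs.items()}
    return format_string.format(*safe_args, **safe_kwargs)


def misuse(name):
    # Interpolating first: user input reaches the output unescaped.
    return format_html(f"<i>{name}</i>")


def correct(name):
    # Passing the value as an argument lets format_html escape it.
    return format_html("<i>{}</i>", name)


def demo():
    # Constructed sample input containing markup.
    payload = "<script>alert(1)</script>"
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always")
        bad = misuse(payload)
    good = correct(payload)
    # Returns the unescaped result, the escaped result, and the number of
    # deprecation warnings the misuse triggered.
    return bad, good, len(caught)
```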