Re: [Django] #34609: Deprecate format_html calls without args or kwargs

Thu, 01 Jun 2023 05:34:08 -0700 

#34609: Deprecate format_html calls without args or kwargs
--------------------------------------+------------------------------------
     Reporter:  Adam Johnson          |                    Owner:  Bhuvnesh
         Type:  Cleanup/optimization  |                   Status:  assigned
    Component:  Utilities             |                  Version:  dev
     Severity:  Normal                |               Resolution:
     Keywords:                        |             Triage Stage:  Accepted
    Has patch:  0                     |      Needs documentation:  0
  Needs tests:  0                     |  Patch needs improvement:  0
Easy pickings:  0                     |                    UI/UX:  0
--------------------------------------+------------------------------------
Description changed by Michael Howitz:

Old description:

> In my experience, a common misuse of `format_html` is to format the HTML
> before calling it:
>
> {{{
> format_html(f"<i>{name}")
> }}}
>
> This makes it act like `mark_safe`, allowing data through without
> escaping. It provides a false sense of security since `format_html` is
> meant to be the "safe way".
>
> I propose we deprecate calls to format_html that don’t pass `args` or
> `kwargs`, and eventually raise a `TypeError` for such cases.
>
> (Following improvement to `format_html` docs in #34595.)

New description:

 In my experience, a common misuse of `format_html` is to format the HTML
 before calling it:

 {{{
 format_html(f"<i>{name}</i>")
 }}}

 This makes it act like `mark_safe`, allowing data through without
 escaping. It provides a false sense of security since `format_html` is
 meant to be the "safe way".

 I propose we deprecate calls to format_html that don’t pass `args` or
 `kwargs`, and eventually raise a `TypeError` for such cases.

 (Following improvement to `format_html` docs in #34595.)

--

-- 
Ticket URL: <https://code.djangoproject.com/ticket/34609#comment:5>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/0107018876f36341-d19566fd-f49e-4ec5-a214-7478266643f5-000000%40eu-central-1.amazonses.com.

Reply via email to