On Mon, 2008-08-25 at 10:35 -0700, Alex G wrote:
> Hi there,
> 
> I have been trying to get a function call into a widget argument, but
> have not been able to at the template level, because it would appear
> that my safe_strings are being escaped somewhere down in the
> framework.  I have created a widget and mark_safe'd an attribute
> value, but no matter what, since it's pre-escaped by the time it
> bubbles up to the template level, I can't not escape it (well... I
> could use an html library to de-escape it, but that seems kludgy).
> 
> I've traced the execution and found the culprit to be the
> django.forms.util.flatatt function.  That is:
> 
> from django import forms
> from django.utils.safestring import mark_safe
> 
> class MyWidget(forms.TextInput):
>     def __init__(self, *args, **kwargs):
>         attrs = kwargs.setdefault('attrs', {})
>         attrs['safe_string'] = "will o' the wisp"
>         attrs['normal_string'] = "cat o' nine tails"
>         super(MyWidget, self).__init__(*args, **kwargs)
> 
> w = MyWidget()
> w.render("field_name", "")
> 
> #=> u'<input normal_string="cat o&#39; nine tails" type="text" name="field_name" safe_string="will o&#39; the wisp" />'
> 
> You can see that both the unsafe and safe strings were escaped. 

But since we can't see the render() method for your widget, we have no
way to know how it determines the difference between safe and unsafe
strings. Neither of the strings in your __init__ method will be treated
as "safe", so you must be doing something special in render(). This is
mostly just a tip for the future, since you've actually identified a bug
lower down -- but we need to be able to see the relevant parts to debug
a problem.

[...]
>   Anyway, like I said, the culprit is:
> 
> # django.forms.util
> 
> def flatatt(attrs):
>     """
>     Convert a dictionary of attributes to a single string.
>     The returned string will contain a leading space followed by key="value",
>     XML-style pairs.  It is assumed that the keys do not need to be XML-escaped.
>     If the passed dictionary is empty, then return an empty string.
>     """
>     return u''.join([u' %s="%s"' % (k, escape(v)) for k, v in attrs.items()])
>     # <-- right there, the escape(v) call... should this be conditional_escape?

Yes. This is a bug. Please open a ticket for it.

Regards,
Malcolm
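
The difference between the two calls discussed in this thread, as an added example that is not part of the original messages and not Django's source. `SafeText`, `mark_safe`, `escape` and `conditional_escape` are simplified stand-ins written for this illustration; `flatatt_always`, `flatatt_conditional` and the sample attributes are hypothetical names and constructed values.

```python
# Simplified stand-ins (assumption): they model the behaviour discussed in
# the thread and are not copied from Django.

class SafeText(str):
    """A string marked as already safe for HTML output."""


def mark_safe(s):
    return SafeText(s)


def escape(value):
    """Always HTML-escape, even when the value was marked safe."""
    text = str(value)
    for raw, entity in (("&", "&amp;"), ("<", "&lt;"), (">", "&gt;"),
                        ('"', "&quot;"), ("'", "&#39;")):
        text = text.replace(raw, entity)
    return mark_safe(text)


def conditional_escape(value):
    """Escape only values that are not already marked safe."""
    return value if isinstance(value, SafeText) else escape(value)


def flatatt_always(attrs):
    """Behaviour quoted in the thread: every value goes through escape()."""
    return "".join(' %s="%s"' % (k, escape(v))
                   for k, v in sorted(attrs.items()))


def flatatt_conditional(attrs):
    """Variant asked about in the thread: safe-marked values pass through."""
    return "".join(' %s="%s"' % (k, conditional_escape(v))
                   for k, v in sorted(attrs.items()))


# Constructed sample attributes.
ATTRS = {
    "normal_string": "cat o' nine tails",              # unmarked: must be escaped
    "quoted": '5" disk',                               # unmarked, contains the delimiter
    "safe_string": mark_safe("will o&#39; the wisp"),  # pre-escaped and marked safe
}

if __name__ == "__main__":
    print(flatatt_always(ATTRS))       # safe_string is escaped a second time
    print(flatatt_conditional(ATTRS))  # safe_string is emitted as marked
```

With `conditional_escape`, unmarked values are still escaped, but anything marked safe reaches the attribute verbatim, so only strings the developer fully controls or has already escaped should be passed to `mark_safe`.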


