Re: [Django] #4991: contrib.admin does not escape help_text

2014-02-08 Thread Django
#4991: contrib.admin does not escape help_text
--+
 Reporter:  anonymous |Owner:  adrian
 Type:  Cleanup/optimization  |   Status:  new
Component:  Documentation |  Version:  master
 Severity:  Normal|   Resolution:
 Keywords:  help_text escape  | Triage Stage:  Accepted
Has patch:  0 |  Needs documentation:  0
  Needs tests:  0 |  Patch needs improvement:  0
Easy pickings:  0 |UI/UX:  0
--+
Changes (by aaugustin):

 * component:  contrib.admin => Documentation
 * has_patch:  1 => 0
 * type:  Uncategorized => Cleanup/optimization
 * stage:  Someday/Maybe => Accepted


Comment:

 If we want to document the edge case on the edge of an edge case, we can
 do it now ;-)

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/067.bb46c86a8199e4b6c0b60eddf8cc5ef5%40djangoproject.com.
For more options, visit https://groups.google.com/groups/opt_out.


Re: [Django] #4991: contrib.admin does not escape help_text

2013-04-03 Thread Django
#4991: contrib.admin does not escape help_text
---------------------------+----------------------------------
 Reporter:  anonymous      |  Owner:  adrian
 Type:  Uncategorized      |  Status:  new
 Component:  contrib.admin |  Version:  master
 Severity:  Normal         |  Resolution:
 Keywords:  help_text escape | Triage Stage:  Someday/Maybe
 Has patch:  1             |  Needs documentation:  0
 Needs tests:  0           |  Patch needs improvement:  0
 Easy pickings:  0         |  UI/UX:  0
---------------------------+----------------------------------

Comment (by russellm):

 @claudep - In this case, I'm referring to a slightly different case for
 translations. Translations from po files are relatively safe because they
 need to be committed to the repository before use. I was referring to the
 possible case of someone storing translations in the database as runtime
 data, and using those as help_text. It's an edge case on the edge of an
 edge case, but it's possible.


Re: [Django] #4991: contrib.admin does not escape help_text

2013-04-03 Thread Django
#4991: contrib.admin does not escape help_text
---------------------------+----------------------------------
 Reporter:  anonymous      |  Owner:  adrian
 Type:  Uncategorized      |  Status:  new
 Component:  contrib.admin |  Version:  master
 Severity:  Normal         |  Resolution:
 Keywords:  help_text escape | Triage Stage:  Someday/Maybe
 Has patch:  1             |  Needs documentation:  0
 Needs tests:  0           |  Patch needs improvement:  0
 Easy pickings:  0         |  UI/UX:  0
---------------------------+----------------------------------

Comment (by claudep):

 As far as translations are concerned, see #18208. We chose to consider
 translations as a safe source. It's the developer's duty to check that no
 suspicious code is inserted by means of translations. So I think we should
 exclude that use case from the current issue, unless someone wants to
 reconsider #18208.


Re: [Django] #4991: contrib.admin does not escape help_text

2013-04-02 Thread Django
#4991: contrib.admin does not escape help_text
---------------------------+----------------------------------
 Reporter:  anonymous      |  Owner:  adrian
 Type:  Uncategorized      |  Status:  new
 Component:  contrib.admin |  Version:  master
 Severity:  Normal         |  Resolution:
 Keywords:  help_text escape | Triage Stage:  Someday/Maybe
 Has patch:  1             |  Needs documentation:  0
 Needs tests:  0           |  Patch needs improvement:  0
 Easy pickings:  0         |  UI/UX:  0
---------------------------+----------------------------------
Changes (by russellm):

 * status:  closed => new
 * severity:   => Normal
 * resolution:  wontfix =>
 * easy:   => 0
 * ui_ux:   => 0
 * type:   => Uncategorized
 * stage:  Design decision needed => Someday/Maybe


Comment:

 Although the documentation from [5816] does say help_text isn't escaped,
 it could be more clear that this means user-derived content shouldn't be
 exposed through help_text. Putting user content in help_text is an edge
 case, but it's a conceivable edge case (e.g., user-submitted
 translations), and we're departing from Django's usual "security by
 default" policy here, so it's worth being explicit.

 Longer term, in the interests of consistency and "security by default", it
 might also be worth reversing this decision; we have mark_safe(), so if
 someone needs markup in help_text. However, there's obviously backwards
 compatibility concerns in doing this, so we'd need a plan for making this
 change.

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

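The distinction russellm and claudep are arguing about (help_text rendered as trusted markup versus user-derived text that must be escaped, with mark_safe() as the explicit opt-in) is shown below as an added, stdlib-only example; it is not code from the ticket or from Django itself. `SafeMarkup`, `mark_safe`, `build_help_text`, `render_help_text` and `render_help_text_unescaped` are stand-ins written for this illustration (mirroring the shape of Django's SafeString, mark_safe and format_html), and the "database translation" string is a constructed sample.

```python
import html


class SafeMarkup(str):
    """Marker type for developer-authored markup that may be rendered as-is.

    Stand-in for Django's SafeString in this stdlib-only example; nothing
    from Django is imported here.
    """


def mark_safe(markup):
    """Explicit opt-in: the caller asserts this string is trusted markup."""
    return SafeMarkup(markup)


def build_help_text(markup_template, **user_values):
    """Interpolate untrusted values into trusted markup.

    Every value is HTML-escaped before it touches the template, so a
    contributor-supplied translation cannot inject tags or break out of an
    attribute. The template itself is developer-authored, hence the result
    is marked safe (same idea as Django's format_html()).
    """
    escaped = {k: html.escape(str(v), quote=True) for k, v in user_values.items()}
    return SafeMarkup(markup_template.format(**escaped))


def render_help_text_unescaped(help_text):
    """Behaviour the ticket describes: help_text is emitted without escaping.

    Anything stored in help_text reaches the page verbatim, which is why
    user-derived content (e.g. translations kept in the database) must
    never be assigned to it unescaped.
    """
    return str(help_text)


def render_help_text(help_text):
    """The 'security by default' alternative russellm proposes.

    Plain strings are escaped; only values explicitly wrapped by
    mark_safe()/build_help_text() pass through untouched.
    """
    if isinstance(help_text, SafeMarkup):
        return str(help_text)
    return html.escape(str(help_text), quote=True)


# Constructed sample: a translation a contributor stored in the database at
# runtime, then used as help_text. It is treated as untrusted input.
DB_TRANSLATION = 'Full name <b>required</b> & "unique"'


if __name__ == "__main__":
    print("unescaped :", render_help_text_unescaped(DB_TRANSLATION))
    print("escaped   :", render_help_text(DB_TRANSLATION))
    print("opt-in    :", render_help_text(mark_safe('See <a href="/docs/">docs</a>')))
    print("mixed     :", render_help_text(
        build_help_text('<em>{label}</em> (shown publicly)', label=DB_TRANSLATION)))
```

With the default-escaping renderer, a developer who genuinely wants markup in help_text must say so through mark_safe() or build the string with build_help_text(); with the unescaped renderer the same translation string lands in the page verbatim, which is exactly the case the documentation change in this ticket warns about.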