Removing |safe filter from help_text.

[adamalton]

I've removed the |safe filter from the help_text as I can't see a reason to assume that it's safe (no more than the label, error messages or anything else). As always we should default to assuming that it's not. It can always be mark_safe()'d if necessary.

[tzangms]

The help_text is coded by developer, why should not assume that it's safe?

[adamalton]

Well, for a couple of reasons... The help_text could have been translated
with ugettext and so isn't necessarily directly controlled by the
developer. And also because even if it is coded by the developer, the
developer will be expecting it to be escaped by django (like everything
else is). It doesn't seem to make sense to special case the help_text.

Django's philosophy is to escape everything at the template stage, unless
it's an instance of django.utils.safestring.SafeString (i.e. mark_safe()
has been called on it). The help_text should be no exception to this,
otherwise we wouldn't be escaping the labels or error messages or widget
attributes or anything else under the control of the developer either.

People can call mark_safe() on their help_text if they want to use HTML in
it. But we should default to escaping the same as everything else.

Adam

On Monday, 17 February 2014, tzangms notifications@github.com wrote:

The help_text is coded by developer, why should not assume that it's safe?

Reply to this email directly or view it on GitHubhttps://github.com//pull/49#issuecomment-35229218
.

Sent from Gmail Mobile

[ghost]

+1

[adamalton]

Hi, any chance we could get this merged in?

Thanks
Adam

[timgraham]

For what it's worth, Django itself doesn't escape help_text in automatically generated forms.