#10449: HTML accents not escaped out when using forms
-------------------------------------+-------------------------------------
     Reporter:  tipan                |                    Owner:  Abhishek
                                     |  Mane
         Type:  Bug                  |                   Status:  assigned
    Component:                       |                  Version:  1.0
  Internationalization               |
     Severity:  Normal               |               Resolution:
     Keywords:  accents, newforms    |             Triage Stage:  Accepted
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Comment (by Abhishek Mane):

 Hi Jacob, thanks for the review and for closing the PR. Your point makes
 complete sense, I was definitely just memorializing a gotcha rather than
 fixing the root issue. You are completely right that forcing developers to
 sprinkle mark_safe() everywhere is terrible DX and opens up massive XSS
 risks if a .po file contains malicious HTML tags.

 I want to take a step back and figure out the right architectural approach
 before writing a new patch. As I see it, we have three potential paths
 forward:

 1. Selective Entity Decoding: Modify the translation wrapper to only
 unescape standard safe HTML entities (like & or ©) from the
 localized string, while keeping actual HTML tags (like <script>) strictly
 escaped.

 2. A Dedicated Template Filter: Introduce a new filter (e.g.,
 |safe_entities) that developers can use in templates when they suspect a
 translator might have injected entities. This avoids turning off full
 auto-escaping via mark_safe().

 3. WONTFIX / Documentation Only: Is this fundamentally a translator
 education issue? If a translator uses a literal & instead of &amp; in the
 .po file, Django's auto-escaper handles it perfectly in the template.
 Should we just officially document that translators must use literal
 characters rather than HTML entities unless the developer specifically
 intended the string to contain HTML?

 I'd love to get the team's thoughts on which of these directions (or
 another one I missed) is the right path forward so I can put together a
 proper PR.
-- 
Ticket URL: <https://code.djangoproject.com/ticket/10449#comment:21>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
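The following is an added example, not code from the ticket, the commenter, or Django itself. It sketches what option 1 or 2 above amounts to, using only the Python standard library: escape a translated string the way auto-escaping would, but pass through well-formed character references (`&amp;`, `&copy;`, `&#169;`, `&#xA9;`) instead of double-escaping them, while any real markup a translator put in the .po file (`<script>`, quotes, bare `&`) is still escaped. The function name `escape_preserving_entities` and the sample strings are assumptions made for this illustration. The security point it demonstrates: a character reference can never open a tag when the browser renders it in text or attribute context, so preserving one is safe, whereas `mark_safe()` on the whole string is not.

```python
import html
import html.entities
import re

# A well-formed character reference: named (&amp; &copy;), decimal (&#169;)
# or hexadecimal (&#xA9;). The trailing ";" is required so that bare "&"
# followed by ordinary text is never mistaken for a reference.
ENTITY_RE = re.compile(
    r"&(?:#[0-9]{1,7}|#[xX][0-9a-fA-F]{1,6}|[A-Za-z][A-Za-z0-9]{1,31});"
)


def _is_known_named_entity(ref: str) -> bool:
    """True for a named reference the HTML5 spec defines, e.g. "&copy;"."""
    # html.entities.html5 is keyed by name including the semicolon ("copy;").
    return ref[1:] in html.entities.html5


def escape_preserving_entities(text: str) -> str:
    """HTML-escape `text` like an auto-escaper would, but leave existing
    well-formed character references untouched instead of double-escaping
    their leading "&". Everything else, including "<", ">", quotes and a
    bare "&", is escaped, so no tag in the input survives as markup.
    (Hypothetical helper written for this example; not a Django API.)"""
    out = []
    pos = 0
    for m in ENTITY_RE.finditer(text):
        # Escape the ordinary text before this candidate reference.
        out.append(html.escape(text[pos:m.start()], quote=True))
        ref = m.group(0)
        if ref[1] == "#" or _is_known_named_entity(ref):
            out.append(ref)  # pass a real reference through unchanged
        else:
            # "&bogus;" is not a reference, just text: escape it normally.
            out.append(html.escape(ref, quote=True))
        pos = m.end()
    out.append(html.escape(text[pos:], quote=True))
    return "".join(out)


def naive_autoescape(text: str) -> str:
    """What plain auto-escaping does to the same string (for comparison):
    an "&amp;" written by the translator becomes "&amp;amp;" on screen."""
    return html.escape(text, quote=True)


def rendered_text(markup: str) -> str:
    """The visible text a browser shows for escaped output. Used to check
    that the translator's intended characters survive, while tags do not."""
    return html.unescape(markup)


if __name__ == "__main__":
    # Constructed sample msgstr values, not taken from any real .po file.
    samples = [
        "Terms &amp; Conditions",          # translator used an entity
        "Fish & Chips",                      # translator used a literal &
        "&copy; 2024 <script>alert(1)</script>",  # entity plus injected tag
        "&bogus; is not an entity",
    ]
    for s in samples:
        print(f"{s!r}\n  naive : {naive_autoescape(s)}"
              f"\n  smart : {escape_preserving_entities(s)}"
              f"\n  shows : {rendered_text(escape_preserving_entities(s))}")
```

If this were wired up as a Django filter (option 2), the filter would return `mark_safe()` of this function's result, because the function has already done the escaping itself; the difference from calling `mark_safe()` on the raw translation is that here a `<script>` tag in the .po file still comes out as `&lt;script&gt;`. Note that the pass-through is only safe in HTML text and attribute contexts; inside a `<script>` block or a URL, character references have different rules and this approach should not be used.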
