| published by | Adam Johnson |
|---|---|
| in blog | Adam Johnson |
| original entry | Django: A security improvement coming to format_html() |
Can you spot the problem with this Django snippet?
```python
from django.utils.html import format_html

def user_snippet(user):
    return format_html(f"<em>{user.name}</em>")
```
Well, the problem is that format_html() is passed an already-templated string! The f-string has already interpolated user.name before format_html() ever sees it, so format_html()'s escaping is never applied to the name.
If the user name contains HTML, it …
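To make the difference concrete, here is an added, self-contained example (not code from the original post or from Django itself). It uses a small stand-in that mimics the relevant behaviour of Django's `conditional_escape`, `mark_safe` and `format_html` on top of Python's `html.escape`, so it runs without Django installed; the `User` class and the sample names are constructed for the illustration. It places the f-string version beside the corrected call, where the template and the data are passed separately so the escaping actually happens, and it also shows a second failure mode of the f-string version: a name containing a brace is parsed as part of the format template.

```python
import html

# Stand-in for Django's SafeString / mark_safe / conditional_escape /
# format_html. This is an added illustration, not Django's own code; it
# reproduces the behaviour that matters here: positional and keyword
# arguments are escaped unless already marked safe, and the formatted
# result is marked safe.

class SafeString(str):
    """A str subclass meaning 'already escaped; do not escape again'."""


def mark_safe(s):
    return SafeString(s)


def conditional_escape(value):
    """Escape value unless it is already marked safe."""
    if isinstance(value, SafeString):
        return value
    return SafeString(html.escape(str(value), quote=True))


def format_html(format_string, *args, **kwargs):
    """Format like str.format(), escaping every argument first."""
    args_safe = [conditional_escape(a) for a in args]
    kwargs_safe = {k: conditional_escape(v) for k, v in kwargs.items()}
    return mark_safe(format_string.format(*args_safe, **kwargs_safe))


class User:
    """Constructed stand-in for a model instance with a name attribute."""

    def __init__(self, name):
        self.name = name


def user_snippet_vulnerable(user):
    # The f-string interpolates user.name BEFORE format_html() runs, so the
    # name becomes part of the template and is never escaped.
    return format_html(f"<em>{user.name}</em>")


def user_snippet_fixed(user):
    # Template and data are passed separately; user.name goes through
    # conditional_escape() before being substituted.
    return format_html("<em>{}</em>", user.name)


def brace_in_name_breaks_template(user):
    """True if the f-string version fails because the name contains braces.

    Braces in the interpolated name are parsed by str.format() as template
    syntax, so a name like "{" raises ValueError instead of rendering.
    """
    try:
        user_snippet_vulnerable(user)
    except (ValueError, IndexError, KeyError):
        return True
    return False


if __name__ == "__main__":
    tagged = User("<b>bold</b>")  # constructed sample name containing markup
    print(user_snippet_vulnerable(tagged))  # markup passes through unescaped
    print(user_snippet_fixed(tagged))       # markup is escaped
    print(brace_in_name_breaks_template(User("{")))
```

The rule this illustrates: the first argument to `format_html()` should be a literal template, and anything that comes from data goes in `*args` or `**kwargs`, where it is escaped. Values that are genuinely already safe HTML can be wrapped with `mark_safe()` to opt out of escaping, which keeps that decision explicit at the call site.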