search

jazzband / django-debug-toolbar

A configurable set of panels that display various debug information about the current request/response.
https://django-debug-toolbar.readthedocs.io/
BSD 3-Clause "New" or "Revised" License
8.07k stars 1.05k forks source link

Fixed #1682 -- alert user when using file field without proper encoding #1933

Closed bkdekoning closed 2 months ago

bkdekoning commented 3 months ago

Description

Added functionality where the toolbar inspects the loaded HTML content for a form that includes a file input but does not have the encoding type set to multipart/form-data, and warns the user if so. This is implemented in a separate alerts panel, as discussed. The alerts panel is placed at the top of the toolbar, to ensure that it receives appropriate attention when issues arise. My one concern with this implementation is that panel may cause people to expect that the toolbar checks for a wide range of issues, whereas it currently just checks for a single one.

What I did specifically is subclass Python's HTML parser and added a function called check_invalid_file_form_configuration in panels/templates/panel.py. The function checks all forms for a file input type and, if it exists, checks if the form has encoding type multipart/form-data. If it does not, the error message is shown in the alerts panel by passing it to record_stats. It also amends the nav_subtitle property of the panel to notify the user that there is an issue. Added four tests and checked that the test suite passes for all compatible versions of Django and Python through Tox.

Fixes #1682

Checklist:

tim-schilling commented 3 months ago

By the way, you don't have to recreate the PRs. I think for 95% of cases, we're happy with re-using the same PR for a change.

bkdekoning commented 3 months ago

While working on the above, I realized that I am implicitly assuming that the form is not nested. While forms should not be nested, I tested such a construction with Chrome, Firefox, and Edge, and they handle it by simply ignoring the "child" form.

As such, we might end up in a situation where we are not alerting the developer to an issue that may exist for some users and vice versa -- when the encoding is properly set in the "child" form but not the "parent" form. Is this something we want to issue an additional alert for or would that be overly cautious?

To illustrate; the below code would not cause an alert, while it would cause an encoding issue on the above mentioned browsers:

<form>
  <form enctype="multipart/form-data">
    <input type ="file">
  </form>
</form>
tim-schilling commented 3 months ago

As a heads up, I probably won't get to this towards the end of June. Things are ramping up elsewhere and the toolbar is taking a back seat. Thank you for making the changes so far!

bkdekoning commented 3 months ago

Alright, thanks for the heads-up. For future reference, I think the remaining items to settle on are:

Good luck with your other activities!

tim-schilling commented 3 months ago

Whether we should handle nested forms

Nested forms are against the HTML spec, so I think what we have is fine. Most people aren't relying on this to be perfect, so let's get something "good" out.

Whether we should handle direct form references in file inputs

While I'd like to see us do that, I don't think we have to worry too much about it. It would take a fair amount of work to get a Django form renderer to handle that. Let's lean into what's the common flow for Django devs.

tim-schilling commented 3 months ago

Whether to use enable_instrumentation or init to initialize alerts

Looking at this again, it's not a big deal. Let's go with what you have.

bkdekoning commented 3 months ago

Whether we should handle direct form references in file inputs

While I'd like to see us do that, I don't think we have to worry too much about it. It would take a fair amount of work to get a Django form renderer to handle that. Let's lean into what's the common flow for Django devs.

Just to be sure: I did implement this. When the parser sees a file input field that directly references a form, it adds it to the referenced_file_inputs list. The check_invalid_file_form_configuration function then fetches the referenced form's encoding type and checks if it is set to multipart/form-data.

tim-schilling commented 3 months ago

Oh, perfect!

Take a look at the latest commits and let me know if you have any issues with them. The biggest changes were moving the panel and rewording the messages a bit.

bkdekoning commented 3 months ago

All looks good to me!

tim-schilling commented 3 months ago

@matthiask I'd like to get your approval on the new panel before we merge this.

matthiask commented 2 months ago

Yes sure, let's do it!

tim-schilling commented 2 months ago

Thank you @bkdekoning! I've wanted this for so long!

bkdekoning commented 2 months ago

Thank you, @tim-schilling and @matthiask! Very excited to have made my first contribution. I really appreciated the thorough review and guidance.

matthiask commented 2 months ago

I haven't dont much here, the thank you belongs to you and Tim!