jazzband / django-floppyforms

Full control of form rendering in the templates.
http://django-floppyforms.readthedocs.org/

mark_safe #68

Closed kefirbandi closed 9 years ago

kefirbandi commented 11 years ago

The as_XXX methods don't use mark_safe (as opposed to the standard Django as_XXX methods). Is this intentional?

brutasse commented 11 years ago

Do you see any difference in the resulting rendering?

Django forms use mark_safe() in conjunction with escape(). Here the template language gives us escaping for free (unless |safe is used) and returns SafeStrings which should already be marked as safe.

kefirbandi commented 11 years ago

The difference I see is this: assume I have a form with the following field:

name = forms.CharField(max_length=5, help_text='<b>Name</b>')

If I use a Django form I get Name (in bold, as I want), while if I use floppyforms it always appears as <b>Name</b>, which is not what I want, and it is the same if I use |safe or autoescape off.

gregmuellegger commented 9 years ago

I think that is an imparity between Django and Floppyforms that we should not resolve. Django is a little inconsistent with which values are marked as safe and which are not.

For example, form.as_p() will give you a "safe" string which will not be escaped in the template, whereas form['name'].help_text will give you a pure string which will be escaped when used in the template.

Floppyforms should keep the more consistent behaviour of always sticking with one of those. The safer bet here is probably to go with autoescaping by default. If you want the string to be displayed as is in the template, then use mark_safe in the definition:

from django.utils.safestring import mark_safe

name = forms.CharField(help_text=mark_safe('<b>Name</b>'))

That is something that we should document.

Thanks for the report!