format_html
detected PY-S0901 915
916 def get_plural_label(self, idx):
917 """Return label for plural form."""
918 return format_html( 919 PLURAL_TITLE,
920 name=self.get_plural_name(idx),
921 examples=", ".join(self.examples.get(idx, [])),
103 if only:
104 return params[only]
105
106 return format_html(SOCIAL_TEMPLATE, separator=separator, **params)107
108
109def get_auth_name(auth: str):
98
99 if not params["image"].startswith("http"):
100 params["image"] = staticfiles_storage.url("auth/" + params["image"])
101 params["icon"] = format_html(IMAGE_SOCIAL_TEMPLATE, separator=separator, **params)102
103 if only:
104 return params[only]
148 for language in data:
149 name, translators = language.popitem()
150 language_outputs.append(
151 format_html_or_plain(152 language_format,
153 language=name,
154 translators=format_html_or_plain_join(
46 for key, value in kwargs.items()
47 }
48 if safe_kwargs:
49 return format_html(escape(format_string), **safe_kwargs) 50 return mark_safe(escape(format_string)) # noqa: S308
51
52
Django's format_html()
function can be used to safely insert untrusted user data into HTML.
However, passing an already formatted string to format_html() leaves that string unescaped, since escaping is applied only to the arguments and not to the format string itself, and this may be a security issue. This may expose cross-site scripting (XSS) vulnerabilities.
format_html(f"<b>{user_input}</b>") # `user_input` is interpolated before escaping, so it is not sanitized!
format_html("<b>{}</b>", user_input) # This can safely be used.