
Wagtailadmin form field helpers should allow HTML in help_text


The Django docs indicate that help_text should be treated as an HTML string and displayed unescaped on forms: https://docs.djangoproject.com/en/1.10/ref/models/fields/#help-text

wagtailadmin/shared/field.html does not do this, which can lead to incorrect treatment of help text that comes from Django itself. Specifically, the ‘change password’ form tries to display the AUTH_PASSWORD_VALIDATORS rules as a <ul>:

[screenshot from the original issue, 2017-02-23 11:36:03]

We should change our template to use {{ field.help_text|safe }} - but before we do so, we need to audit the help text of our forms to ensure that it really is HTML-safe (i.e. any < > & characters are escaped as HTML entities, and any included user-supplied strings are escaped using django.utils.html.escape()).
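The audit the issue describes comes down to one rule: anything that reaches `{{ field.help_text|safe }}` must already be HTML-safe, so fixed markup is composed by the developer and any user-supplied piece goes through `escape()` first. The following is an added example, not code from the issue or from Wagtail; it imports nothing from Django so it runs stand-alone, and `SafeString`, `mark_safe`, `conditional_escape` and `format_html` are minimal stand-ins assumed to follow the semantics of the same-named helpers in `django.utils.safestring` and `django.utils.html`. `render_help_text` models the two template variants (plain `{{ help_text }}` under autoescape versus `{{ help_text|safe }}`), and the password-rule strings are constructed samples in the style of Django's validator messages.

```python
"""Model of Django's help_text contract: a plain str is escaped on output,
a str marked safe is emitted verbatim. The helpers below are stand-ins for
django.utils.safestring.mark_safe / SafeString and
django.utils.html.conditional_escape / format_html (assumption: same
semantics, not Django's own code)."""
import html


class SafeString(str):
    """A str whose content is asserted to be HTML-safe already."""


def mark_safe(s):
    """Assert that s is safe HTML; does not escape anything."""
    return s if isinstance(s, SafeString) else SafeString(s)


def conditional_escape(value):
    """Escape unless the value has already been marked safe."""
    if isinstance(value, SafeString):
        return value
    return SafeString(html.escape(str(value), quote=True))


def format_html(fmt, *args, **kwargs):
    """Escape every argument, then mark the formatted result safe.
    The format string itself is developer-controlled markup."""
    safe_args = tuple(conditional_escape(a) for a in args)
    safe_kwargs = {k: conditional_escape(v) for k, v in kwargs.items()}
    return mark_safe(fmt.format(*safe_args, **safe_kwargs))


def render_help_text(help_text, use_safe_filter):
    """Model the two template variants discussed in the issue:
       {{ field.help_text }}       -> autoescape applies   (use_safe_filter=False)
       {{ field.help_text|safe }}  -> emitted verbatim     (use_safe_filter=True)
    """
    if use_safe_filter:
        return str(help_text)
    return str(conditional_escape(help_text))


# Constructed sample rules, in the style of Django's password validators.
PASSWORD_RULES = [
    "Your password can't be too similar to your other personal information.",
    "Your password must contain at least 8 characters.",
]


def password_help_text():
    """Build the <ul> the change-password form wants. Each rule is escaped
    before it is wrapped in developer-written <li> tags, so marking the
    final string safe is justified."""
    items = "".join(format_html("<li>{}</li>", rule) for rule in PASSWORD_RULES)
    return mark_safe("<ul>" + items + "</ul>")


def audited_help_text(template_fmt, user_value):
    """The pattern the audit asks for: a user-supplied value is escaped
    before being interpolated into markup that is then marked safe."""
    return format_html(template_fmt, user_value)


def unaudited_help_text(template_fmt, user_value):
    """The pattern the audit must catch: raw concatenation. Under
    {{ help_text }} autoescape still neutralises it; under
    {{ help_text|safe }} the user value lands in the page verbatim."""
    return template_fmt.format(user_value)


if __name__ == "__main__":
    # The symptom from the issue: a <ul> in plain str help text is escaped.
    print(render_help_text("<ul><li>x</li></ul>", use_safe_filter=False))
    # After the template change, properly built help text renders as markup.
    print(render_help_text(password_help_text(), use_safe_filter=True))
```

`password_help_text()` and `audited_help_text()` are the shapes that pass the audit: the markup is fixed and every interpolated value is escaped, so `|safe` only ever releases HTML the developer wrote. `unaudited_help_text()` is the shape the audit has to find before the template switches to `|safe`, because that filter removes the autoescape that currently masks the concatenation.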

Issue analytics: state open, created 7 years ago, 2 reactions, 18 comments (7 by maintainers).

Top GitHub Comments

Pomax commented, May 20, 2020 (4 reactions)

Was there any movement on this? It would be great to be able to put proper markup in help_text and have that render as expected on that admin side still.

harrislapiroff commented, Oct 26, 2021 (1 reaction)

It seems to be possible to include HTML in help_text using Django’s mark_safe, e.g.,

    from django.db import models
    from django.utils.safestring import mark_safe

    # Marking the string safe tells Django's autoescaping to emit it verbatim;
    # the markup here is fixed developer-written HTML with no user input.
    markdown_content = models.TextField(
        blank=True,
        null=True,
        help_text=mark_safe('This field will be processed as <a href="https://daringfireball.net/projects/markdown/">Markdown</a>.'),
    )

I guess this is considered broken because it’s inconsistent with Django’s behavior, but explicitly marking strings as safe seems like a good practice to me. Adding a note to the docs might be a quick first solution.

