Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Wagtailadmin form field helpers should allow HTML in help_text

See original GitHub issue

The Django docs indicate that help_text should be treated as an HTML string and displayed unescaped on forms:

wagtailadmin/shared/field.html does not do this, which can lead to incorrect treatment of help text that comes from Django itself. Specifically, the ‘change password’ form tries to display the AUTH_PASSWORD_VALIDATORS rules as a <ul>:

screen shot 2017-02-23 at 11 36 03

We should change our template to use {{ field.help_text|safe }} - but before we do so, we need to audit the help text of our forms to ensure that it really is HTML-safe (i.e. any < > & characters are escaped as HTML entities, and any included user-supplied strings are escaped using django.utils.html.escape()).

Issue Analytics

  • State:open
  • Created 7 years ago
  • Reactions:2
  • Comments:18 (7 by maintainers)

github_iconTop GitHub Comments

Pomaxcommented, May 20, 2020

Was there any movement on this? It would be great to be able to put proper markup in help_text and have that render as expected on that admin side still.

harrislapiroffcommented, Oct 26, 2021

It seems to be possible to include HTML in help_text using Django’s mark_safe, e.g.,

    markdown_content = models.TextField(
        help_text=mark_safe('This field will be processed as <a href="">Markdown</a>.'),

I guess this is considered broken because it’s inconsistent with Django’s behavior, but explicitly marking strings as safe seems like a good practice to me. Adding a note to the docs might be a quick first solution.

Read more comments on GitHub >

github_iconTop Results From Across the Web

Wagtail 2.9.3 release notes
This release addresses an HTML injection vulnerability through help text in the wagtail.contrib.forms form builder app. When a form page type is made...
Read more >
wagtail - Is there a way to override the label and help text on a ...
There is a way to overwrite the default help_text and label (called verbose_name ) on a per-field basis. MyPage.
Read more >
Allowing HTML within help text is an intentional design decision by Django ... can secure their form page templates by rendering forms field-by-field...
Read more >
Torchbox : Security vulnerabilities - CVE Details
# CVE ID CWE ID Vulnerability Type(s) Publish Date Update Date Score Gaine... 1 CVE‑2022‑21683 200 +Info 2022‑01‑18 2022‑01‑26 4.0 None 2 CVE‑2021‑32681 79 XSS...
Read more >
Wagtail Documentation Release 401 The nexturl argument ...
Site owners who wish to re-enable the use of HTML within help text (and are willing ... any HTML tags used withina form...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Post

No results found

github_iconTop Related Hashnode Post

No results found