
[S308] mark_safe for HTML constants #16702

Closed
@mfontana-elem

Description

Question

I have a question regarding this linting rule (imported from flake8-bandit).

I think I understand the problems with using django.utils.safestring.mark_safe. But now that format_html is being deprecated when used without arguments¹, I struggle to find what would be the correct way to handle something as simple as creating a filter that performs:

def myfilter(case, ...):
  if case == "hello":
    return "<i>Hello world!</i>"
  elif case == "bye":
    return "<b>Bye world!</b>"
  else:
    ...

(This is not an accurate filter API, but illustrates the purpose).

In this case I know the HTML is safe, but I don't understand how to create a safestring from it without getting the DeprecationWarningError from Django (format_html) or noqa'ing the S308 rule (suspicious-mark-safe-usage).

I fail to see how a string constant could introduce an XSS unless there is programmer negligence, in which case all bets are off. Having said this, I might be the negligent one here! 😅

¹: And for a good reason. When coupled with f-strings, interpolation happens before Django gets to escape inputs.

Version

ruff 0.8.0
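The distinction the question turns on is what mark_safe is applied to, not whether it is called at all. The following added example is not from the issue author, from ruff or from Django; it reimplements the relevant contract (a SafeString subclass of str, conditional escaping, and a format_html that escapes its arguments) with the standard library so it runs without Django, and the helper names and the greeting_filter/unsafe_filter/safe_filter functions are assumptions for illustration. It shows why mark_safe on a literal is harmless, why mark_safe on an f-string is the XSS case the footnote describes, and what format_html with arguments does differently.

```python
"""Stand-in for Django's escaping contract (added example, not Django's code)."""
import html
import warnings
from typing import Any


class SafeString(str):
    """A str that has been declared safe; escaping passes it through unchanged."""


def mark_safe(s: str) -> SafeString:
    # Declares *whatever* it receives as safe. Only sound when the entire
    # string is developer-controlled, i.e. a literal, never interpolated input.
    return SafeString(s)


def conditional_escape(value: Any) -> SafeString:
    # Already-safe strings are left alone; anything else is HTML-escaped.
    if isinstance(value, SafeString):
        return value
    return SafeString(html.escape(str(value), quote=True))


def format_html(fmt: str, *args: Any, **kwargs: Any) -> SafeString:
    # The format string is trusted markup; every argument is escaped *before*
    # substitution. Calling it with no arguments means there was nothing to
    # escape, which is what Django's deprecation of that usage points out
    # (a warning here stands in for Django's own deprecation warning).
    if not args and not kwargs:
        warnings.warn("format_html() without arguments; use mark_safe() on the literal",
                      DeprecationWarning, stacklevel=2)
    return mark_safe(fmt.format(*[conditional_escape(a) for a in args],
                                **{k: conditional_escape(v) for k, v in kwargs.items()}))


# Constant markup from the question, declared safe once at import time.
# Nothing attacker-controlled can reach these strings.
CONSTANT_GREETINGS = {
    "hello": mark_safe("<i>Hello world!</i>"),
    "bye": mark_safe("<b>Bye world!</b>"),
}


def greeting_filter(case: str) -> SafeString:
    """The filter from the question; unknown cases fall back to an escaped echo."""
    return CONSTANT_GREETINGS.get(case, conditional_escape(case))


def unsafe_filter(name: str) -> SafeString:
    """The pattern the footnote warns about: the f-string interpolates user input
    before mark_safe sees it, so markup in `name` reaches the browser verbatim."""
    return mark_safe(f"<b>Hello {name}!</b>")


def safe_filter(name: str) -> SafeString:
    """Same rendered output for benign input, but `name` is escaped first."""
    return format_html("<b>Hello {}!</b>", name)


if __name__ == "__main__":
    probe = "<script>alert(1)</script>"  # constructed test input, not a real payload source
    print(greeting_filter("hello"))
    print(unsafe_filter(probe))  # markup survives: this is the S308 concern
    print(safe_filter(probe))    # markup is neutralised
```

The practical takeaway for a lint rule: the risky call is mark_safe applied to an expression (f-string, concatenation, .format(), a variable), because anything mixed into that expression bypasses escaping. A mark_safe call whose only argument is a string literal has no input to smuggle, which is the case the question describes.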

Labels: rule (Implementing or modifying a lint rule)