Description
Question
I have a question regarding this linting rule (imported from flake8-bandit).

I think I understand the problems with using django.utils.safestring.mark_safe. But now that format_html is being deprecated for being used without arguments¹, I struggle to find what would be the correct way to handle something as simple as creating a filter that performs:
```python
def myfilter(case):  # further parameters left out of the original sketch
    if case == "hello":
        return "<i>Hello world!</i>"
    elif case == "bye":
        return "<b>Bye world!</b>"
    else:
        ...
```
(This is not an accurate filter API, but illustrates the purpose).
In this case I know the HTML is safe, but I don't understand how to create a safestring from it without getting the DeprecationWarningError from Django (format_html) or noqa'ing the S308 rule (suspicious-mark-safe-usage).
I fail to see how a string constant could introduce an XSS unless there is programmer negligence, in which case all bets are off. Having said this, I might be the negligent one here! 😅

¹: And for a good reason. When coupled with f-strings, interpolation happens before Django gets to escape inputs.
Version
ruff 0.8.0
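As an added illustration (not part of the issue above and not Django's own code), the following models the two behaviours the question touches: a filter that returns constant markup as a safe string, and why `format_html` fed an f-string bypasses escaping while passing the value as an argument does not. To run offline it uses a small stand-in for `SafeString`, `conditional_escape`, `mark_safe` and `format_html` built on `html.escape`; the names mirror Django's, but the implementations here are simplified assumptions, and the no-argument `DeprecationWarning` only models the deprecation the question refers to.

```python
import html
import warnings
from typing import Any


class SafeString(str):
    """Marker subclass: content already known to be safe HTML.

    Simplified model of django.utils.safestring.SafeString (assumption).
    """


def mark_safe(s: str) -> SafeString:
    """Declare a string safe without escaping it (model of Django's mark_safe)."""
    return SafeString(s)


def conditional_escape(value: Any) -> str:
    """HTML-escape unless the value is already marked safe."""
    if isinstance(value, SafeString):
        return value
    return html.escape(str(value), quote=True)


def format_html(format_string: str, *args: Any, **kwargs: Any) -> SafeString:
    """Escape every argument, then interpolate into the trusted template.

    Model of django.utils.html.format_html (assumption). The template itself is
    never escaped, which is exactly why an f-string passed as the template is
    dangerous: interpolation has already happened before this function runs.
    """
    if not args and not kwargs:
        warnings.warn(
            "format_html() called without args or kwargs (modelled deprecation)",
            DeprecationWarning,
            stacklevel=2,
        )
    escaped_args = [conditional_escape(a) for a in args]
    escaped_kwargs = {k: conditional_escape(v) for k, v in kwargs.items()}
    return mark_safe(format_string.format(*escaped_args, **escaped_kwargs))


def myfilter(case: str) -> SafeString:
    """Filter returning constant markup: the literals are trusted, so mark them safe."""
    if case == "hello":
        return mark_safe("<i>Hello world!</i>")
    if case == "bye":
        return mark_safe("<b>Bye world!</b>")
    return SafeString("")


def greeting_fstring(name: str) -> SafeString:
    """Unsafe pattern: the f-string inserts `name` before format_html can escape it."""
    return format_html(f"<b>{name}</b>")


def greeting_args(name: str) -> SafeString:
    """Safe pattern: `name` is passed as an argument and escaped before insertion."""
    return format_html("<b>{}</b>", name)


if __name__ == "__main__":
    # Constructed sample input standing in for user-controlled data.
    payload = "<script>alert(1)</script>"
    print(myfilter("hello"))            # <i>Hello world!</i>
    print(greeting_fstring(payload))    # markup survives untouched
    print(greeting_args(payload))       # markup is escaped
```

The difference between the two greeting helpers is the whole point of the footnote: with an f-string the untrusted value is already part of the template string when `format_html` receives it, so nothing is left to escape; with the value passed as an argument, `conditional_escape` runs on it first. The constant-markup filter never interpolates anything, which is why marking its literals safe does not open the same hole.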