Escape format parameter via `html_escape_once` in `safe_format`
What does this MR do and why?
This allows the format parameter in `safe_format` to contain escaped entities and avoids double escaping.
This is convenient for the following pattern we often see. From https://docs.gitlab.com/ee/development/i18n/externalization.html#including-angle-brackets:
```ruby
# before
html_escape_once(_('In < hour')).html_safe

# after
safe_format(_('In < hour'))
```
This also drops the risky `.html_safe` call from these instances.
Note that `html_escape_once` is also faster than `html_escape`.
In terms of security, the output of `html_escape_once` and `html_escape` is equivalent, with the sole exception that the former does not escape already-escaped entities.
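The escaping difference the description relies on, as an added illustration that is not GitLab's or Rails' code: `html_escape` and `html_escape_once` are re-implemented below with the same character table and "already an entity" regexp that Rails' `ERB::Util` uses, and `safe_format_demo` is a hypothetical stand-in for `safe_format` (the format string escaped once, every interpolated argument escaped fully), not the real helper.

```ruby
# Added illustration, not GitLab's or Rails' implementation.
HTML_ESCAPE = {
  "&" => "&amp;", "<" => "&lt;", ">" => "&gt;", '"' => "&quot;", "'" => "&#39;"
}.freeze

# Escape every special character, including the '&' of an entity that is
# already there, so "&lt;" becomes "&amp;lt;" (double escaping).
def html_escape(str)
  str.to_s.gsub(/[&<>"']/, HTML_ESCAPE)
end

# An '&' is left alone only when it already begins a complete named (&lt;),
# decimal (&#39;) or hexadecimal (&#x27;) entity; every other '&', '<', '>',
# '"' and "'" is escaped exactly as html_escape does.
HTML_ESCAPE_ONCE_REGEXP = /["><']|&(?!([a-zA-Z]+|(#\d+)|(#[xX][\dA-Fa-f]+));)/

def html_escape_once(str)
  str.to_s.gsub(HTML_ESCAPE_ONCE_REGEXP, HTML_ESCAPE)
end

# Hypothetical stand-in for safe_format (assumption, not the project's code):
# the translated format string is escaped once, so an entity a translator
# wrote survives, while each interpolated argument is always fully escaped,
# so an argument cannot smuggle markup past the escaping.
def safe_format_demo(format, **args)
  escaped_args = args.transform_values { |value| html_escape(value) }
  html_escape_once(format) % escaped_args
end

# The before/after pattern from the MR, plus a formatted string with a
# pre-escaped entity in the translation and markup in an argument
# (constructed sample inputs).
def demo
  {
    plain_once:  html_escape_once("In < hour"),
    plain_full:  html_escape("In < hour"),
    entity_once: html_escape_once("In &lt; hour"),
    entity_full: html_escape("In &lt; hour"),
    formatted:   safe_format_demo("%{who} &amp; friends in &lt; %{n}h",
                                  who: "<b>x</b>", n: "1 < 2"),
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |name, value| puts "#{name}: #{value}" }
end
```

On plain input both helpers agree; the only divergence is that `html_escape` turns `&lt;` into `&amp;lt;` while `html_escape_once` leaves it, and an incomplete entity such as `&amp` without its semicolon is still escaped by both.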
Refs
- Follow-up of Add convenience helper method `safe_format` (!118632 - merged)
- Contributes to Enforce use of `safe_format` for externalized s... (#374091 - closed)
- Contributes to Prohibit calling .html_safe in views (#408826)
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Edited by Peter Leitzen