Commits

Mark Lavin committed a4fec00

Correct overly zealous escaping related to the fix for #63.

  • Parent commits dfb613d


Files changed (3)

File docs/lookups.rst

     ``get_item_id``, ``get_item_value`` and ``get_item_label``. If you want to
     add additional keys you should add them here.
 
-    The results of ``get_item_id``, ``get_item_value`` and ``get_item_label`` are
-    conditionally escaped to prevent Cross Site Scripting (XSS) similar to the templating
-    language. If you know that the content is safe and you want to use these methods
+    The results of ``get_item_label`` is conditionally escaped to prevent
+    Cross Site Scripting (XSS) similar to the templating language. 
+    If you know that the content is safe and you want to use these methods
     to include HTML should mark the content as safe with ``django.utils.safestring.mark_safe``
-    inside the ``get_item_*`` methods.
+    inside the ``get_item_label`` method.
+
+    ``get_item_id`` and ``get_item_value`` are not escapted by default. These are
+    not a XSS vector with the built-in JS. If you are doing additional formating using
+    these values you should be conscience of this fake and be sure to escape these
+    values.
 
     :param item: An item from the search results.
     :return: A dictionary of information for this item to be sent back to the client.
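Review bot: the new paragraph beginning ``get_item_id`` and ``get_item_value`` are not escapted by default has several typos that will ship in the rendered docs: "escapted" should be "escaped", "formating" should be "formatting", "a XSS vector" should be "an XSS vector", and "be conscience of this fake" should read "be conscious of this fact". The sentence above it has a number-agreement slip ("The results of ``get_item_label`` is conditionally escaped" should be "The result of ``get_item_label`` is conditionally escaped"), and the line ending in "templating language." carries trailing whitespace. Beyond the typos, the statement that the raw values are "not a XSS vector with the built-in JS" would be far more useful if it said why, i.e. how the shipped JavaScript consumes ``id`` and ``value``, so that a reader writing custom formatting code can tell whether their usage is covered by that claim; as written they have to take it on faith.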

File docs/releases.rst

 Release Notes
 ==================
 
+v0.6.0 (Released TBD)
+--------------------------------------
+
+
+Backwards Incompatible Changes
+________________________________
+
+- ``get_item_value`` and ``get_item_id`` are no longer marked as safe by default.
+- Removed AutoComboboxSelectField and AutoComboboxSelectMultipleField. These were deprecated in 0.5.
+
+
 v0.5.2 (Released 2012-06-27)
 --------------------------------------
 
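Review bot: the first bullet under Backwards Incompatible Changes says ``get_item_value`` and ``get_item_id`` "are no longer marked as safe by default", but what the ``selectable/base.py`` hunk in this commit actually removes is the ``conditional_escape`` call, so the user-visible change is that these two values are no longer HTML-escaped; suggest "are no longer escaped by default; code that inserts them into HTML must escape them itself". The second bullet (removal of AutoComboboxSelectField and AutoComboboxSelectMultipleField) does not correspond to any of the three files changed in this commit, so it either belongs with the commit that removes them or that removal should be included here. Minor: the double blank lines after the v0.6.0 heading and after the bullet list are inconsistent with the single blank line used before the v0.5.2 heading.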

File selectable/base.py

 
     def format_item(self, item):
          return {
-            'id': conditional_escape(self.get_item_id(item)),
-            'value': conditional_escape(self.get_item_value(item)),
+            'id': self.get_item_id(item),
+            'value': self.get_item_value(item),
             'label': conditional_escape(self.get_item_label(item))
         }
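Review bot: after this change ``format_item`` returns a dictionary in which ``label`` is escaped while ``id`` and ``value`` are passed through raw, and nothing at this site records that the asymmetry is intentional; suggest a short comment above the ``return`` stating that ``id`` and ``value`` are deliberately left unescaped because the built-in JS does not treat them as HTML, and that ``label`` is the one field rendered as markup, so the next reader does not re-add ``conditional_escape`` to the first two (or drop it from ``label``) as a cleanup. Since ``format_item`` is the method subclasses override to add keys, the same note belongs in its documentation in docs/lookups.rst alongside the ``:return:`` description.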