Skip to content

Fix FieldRenderer label_html function returning unsafe html #805

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
lyndonscotthumphris wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Fix FieldRenderer label_html function returning unsafe html #805

lyndonscotthumphris wants to merge 1 commit into from

Conversation

@lyndonscotthumphris
Copy link

@lyndonscotthumphris lyndonscotthumphris commented Jan 29, 2026
edited
Loading

unsafe html can still be returned from a label for checkboxes.

Issue

In renderers.py for the render method on `FieldRenderer:

django-bootstrap5/src/django_bootstrap5/renderers.py

Lines 484 to 487 in c064893

if self.field_before_label():
label = self.get_label_html()
field = field + label
label = EMPTY_SAFE_HTML

label is added to field on L486, which if label is not safe, escapes the checkbox field html.

Suggested Fix

The fix i propose is to return the EMPTY_SAFE_HTML if "skip" is chosen.
Otherwise let the render_label method handle it.

Side note: On current code self.show_label can be any value, i.e., "false", which if paired with an empty label "" would still invalidate the html (which is the case for our repo 😅 ).

@scuyangguang
Copy link

scuyangguang commented Jan 29, 2026 via email

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@lyndonscotthumphris @scuyangguang