Use Template.render(context) as initial forms.HiddenInput value

wiltso · May 24, 2022, 7:51pm

My goal is to use the rendered out template as the initial value of the HiddenInput field. But as the out rendered contains characters like " this then creates a problem when the form field is rendered out.

This is already a problem with a simple template like <body style="box-sizing: border-box; margin: 0;"></body>
Which then creates a form like this:

<form role="form" method="post" style="margin: 0;">
            <input type="hidden" name="csrfmiddlewaretoken" value="ZsORB2ibL6YfVWG2oY6TkhwXRThQSE0CSXEpiVgpZiCU9DfDRQEHmw56dWANQJLi">
            <input type="hidden" name="template" value="<body style=" box-sizing:="" border-box;="" margin:="" 0;"="">" id="id_template"&gt;
        </form>

As can be observer the id="id_template"&gt is outside of the input value section.

The form is just created like this:

class TemplateModelForm(ModelForm):
    class Meta:
        model = Template
        fields = ("template",)
        widgets = {"template": forms.HiddenInput()}

    def __init__(self, *args, **kwargs):
        self.page_view_context = kwargs.pop("page_view_context", None)
        super().__init__(*args, **kwargs)
        template = get_template(self.instance.name)
        self.initial["template"] = template.render(self.page_view_context)

I have tried to use mark_safe and force_str on the rendered content but it didn’t help.

Any suggestion on what I could do to solve this issue? I also know that this is probably not a very common issue

KenWhitesell · May 24, 2022, 8:08pm

I don’t quite follow what you’re trying to accomplish here - I certainly wouldn’t want to send anything out to the user that can’t be validated and verified when it’s sent back in - it’s too easy for the user to modify it.

Given that you don’t know what’s going to be rendered, I don’t think there is a guaranteed way to ensure it’s safe. (Mark_safe is going in the opposite direction - you definitely don’t want to do that.)

I’d probably either stash the rendered template into session (most likely), or do something like base64 encode the rendered text if the client actually needed to see that hidden field.

wiltso · May 24, 2022, 8:23pm

Thanks for the encoding idea seams like it will work

Topic		Replies	Views
Rendering a field's widget value in a template, with correct format Templates & Frontend	13	160	August 7, 2024
template using old content upon rerender Using Django	4	2007	February 27, 2020
Is the value attribute of an HTML input tag a reflected cross-site scripting risk? Using Django	1	2715	February 15, 2021
Force Django to recognize a model field value as a template tag value? Using Django	2	823	October 18, 2021
Django forms \| Passing "value" widget attribute. Forms & APIs	3	1216	February 12, 2024

Use Template.render(context) as initial forms.HiddenInput value

Related topics