koniiiik is a bit behind, finally making sense of what was written earlier. :)
dodobas
what is the preferred way to sanitize user input in Django ?
kezabelle
template_name is only used if you set one. otherwise a template name is derived by get_template_names() (which is the whole point of that method)
mar77i
apollo13: the plan was to use the automatic .template_names everyhwere.
graphene has quit
kezabelle
the automatic template name for a createview would be something like app/modelname_form.html (based on apollo13's mention of the suffix) I think, so ... you can that?
mar77i
kezabelle: yeah, but createview doesn't get a template name from get_template_names(), because self.object is None there and the model would be in self.form.model
it's just inconsequential.
kezabelle
... so set the model on the view
apollo13
mar77i: you'd set the model on the view class
graphene joined the channel
koniiiik
dodobas: Sanitizing input is not the best way to look at the problem, really – it's better to ensure that you properly render any unsafe values on the output in a way that makes sense for that particular output.
mar77i
that's what I'm doing. it just confused me because the way I was reading the code up to that point suggested that for form-like views the model was available through self.form.model.
kezabelle
dodobas: santizing in what way?
mar77i
only that it's being missed out by get_template_names()...
koniiiik
dodobas: Unless, of course, you're talking about validation of user input, which is a different thing. :)
kezabelle
is there ever a self.form?
mar77i
look, the fact is that SingleObjectTemplateResponseMixin is not written with edit.py in mind, and that's an oversight.
kezabelle
why is that an oversight?
it's already generic to a single-object, and derives its templates from that
dodobas
kezabelle: it's a 7years old project that is abusing mark_safe/safe to render chunks of templates and JS, so ... it's not perfect
mar77i
because all other edit.py views are perfectly fine not specifying a model because there's self.object, which get_template_names() takes care of.
dodobas
koniiiik: yeah, validation also works
roadie has quit
mar77i
only createview doesn't, and hence needs a model and it really took me a long time to figure out why the view wasn't configured correctly (missing a model, and therefore missing a template name).
dodobas
just want to stop saving junk in the database, which might render somewhere ... :)
kezabelle
dodobas: bleach for HTML, probably.
dodobas
no one wants to crate a company named `<script>alert('XSS attack!');</script>` until they do :)
mar77i
bleach is nice.
koniiiik
mar77i: So what you mean is that you'd like for ModelFormMixin.get_template_names to also include a fallback in case there's no model defined directly on the view class, but there is a form_class, and it happens to be a ModelForm, to use the model from that as the model class?
mar77i
koniiiik: you understood the problem, but I think you're also touching the topic of it being a bit contrived. I think for ModelFormViews there might be a second subclass of SingleObjectTemplateResponseMixin, or even a simple @property model(): return self.form_class.model, as I suggested earlier.
koniiiik
mar77i: The property thing does not sound like a particularly good idea, since model is already used as the class attribute that you as the user override to configure the form class.
I mean the view class.
Dang. Too sleepy.
mar77i
yes, but overriding it wouldn't actually do anything. it just wouldn't be needed.
emihir0
again why do you not want to specify model at the view?
kezabelle
mar77i: but then you can't automatically generate a modelform, because to do so depends on the model, which depends on the form_class, which depends on the model