Fixed django-commons#1682 -- alert user when using file field without proper encoding

Author: bkdekoning

debug_toolbar/panels/templates/panel.py

@@ -1,4 +1,5 @@
 from contextlib import contextmanager
+from html.parser import HTMLParser
 from os.path import normpath
 from pprint import pformat, saferepr
 
@@ -58,6 +59,31 @@ def _request_context_bind_template(self, template):
 RequestContext.bind_template = _request_context_bind_template
 
 
+class FormParser(HTMLParser):
+    """
+    HTML form parser, used to check for invalid configurations
+    """
+
+    def __init__(self):
+        super().__init__()
+        self.in_form = False
+        self.current_form = {}
+        self.forms = []
+
+    def handle_starttag(self, tag, attrs):
+        attrs = dict(attrs)
+        if tag == "form":
+            self.in_form = True
+            self.current_form = {"attrs": attrs, "file_inputs": []}
+        elif self.in_form and tag == "input" and attrs.get("type") == "file":
+            self.current_form["file_inputs"].append(attrs)
+
+    def handle_endtag(self, tag):
+        if tag == "form" and self.in_form:
+            self.forms.append(self.current_form)
+            self.in_form = False
+
+
 class TemplatesPanel(Panel):
     """
     A panel that lists all templates used during processing of a response.
@@ -177,6 +203,25 @@ def process_context_list(self, context_layers):
 
         return context_list
 
+    def check_invalid_file_form_configuration(self, html_content):
+        parser = FormParser()
+        parser.feed(html_content)
+
+        invalid_forms = []
+        for form in parser.forms:
+            if (
+                form["file_inputs"]
+                and form["attrs"].get("enctype") != "multipart/form-data"
+            ):
+                form_id = form["attrs"].get("id", "no form id")
+                error_message = (
+                    f'Form with id "{form_id}" contains file input but '
+                    f'missing enctype="multipart/form-data".'
+                )
+                invalid_forms.append({"form": form, "error_message": error_message})
+
+        return invalid_forms
+
     def generate_stats(self, request, response):
         template_context = []
         for template_data in self.templates:
@@ -211,10 +256,18 @@ def generate_stats(self, request, response):
             context_processors = None
             template_dirs = []
 
+        html_content = response.content.decode(response.charset)
+        invalid_file_form_configs = self.check_invalid_file_form_configuration(
+            html_content
+        )
+
         self.record_stats(
             {
                 "templates": template_context,
                 "template_dirs": [normpath(x) for x in template_dirs],
                 "context_processors": context_processors,
+                "invalid_file_form_configs": [
+                    issue["error_message"] for issue in invalid_file_form_configs
+                ],
             }
         )

debug_toolbar/templates/debug_toolbar/panels/templates.html

@@ -1,48 +1,58 @@
 {% load i18n %}
 <h4>{% blocktrans count template_dirs|length as template_count %}Template path{% plural %}Template paths{% endblocktrans %}</h4>
 {% if template_dirs %}
-  <ol>
-    {% for template in template_dirs %}
-      <li>{{ template }}</li>
-    {% endfor %}
-  </ol>
+<ol>
+  {% for template in template_dirs %}
+  <li>{{ template }}</li>
+  {% endfor %}
+</ol>
 {% else %}
-  <p>{% trans "None" %}</p>
+<p>{% trans "None" %}</p>
 {% endif %}
 
 <h4>{% blocktrans count templates|length as template_count %}Template{% plural %}Templates{% endblocktrans %}</h4>
 {% if templates %}
-  <dl>
-    {% for template in templates %}
-      <dt><strong><a class="remoteCall toggleTemplate" href="{% url 'djdt:template_source' %}?template={{ template.template.name }}&amp;template_origin={{ template.template.origin_hash }}">{{ template.template.name|addslashes }}</a></strong></dt>
-      <dd><samp>{{ template.template.origin_name|addslashes }}</samp></dd>
-      {% if template.context %}
-        <dd>
-          <details>
-            <summary>{% trans "Toggle context" %}</summary>
-            <code class="djTemplateContext">{{ template.context }}</code>
-          </details>
-        </dd>
-      {% endif %}
-    {% endfor %}
-  </dl>
+<dl>
+  {% for template in templates %}
+  <dt><strong><a class="remoteCall toggleTemplate" href="{% url 'djdt:template_source' %}?template={{ template.template.name }}&amp;template_origin={{ template.template.origin_hash }}">{{ template.template.name|addslashes }}</a></strong></dt>
+  <dd><samp>{{ template.template.origin_name|addslashes }}</samp></dd>
+  {% if template.context %}
+  <dd>
+    <details>
+      <summary>{% trans "Toggle context" %}</summary>
+      <code class="djTemplateContext">{{ template.context }}</code>
+    </details>
+  </dd>
+  {% endif %}
+  {% endfor %}
+</dl>
 {% else %}
-  <p>{% trans "None" %}</p>
+<p>{% trans "None" %}</p>
 {% endif %}
 
 <h4>{% blocktrans count context_processors|length as context_processors_count %}Context processor{% plural %}Context processors{% endblocktrans %}</h4>
 {% if context_processors %}
-  <dl>
-    {% for key, value in context_processors.items %}
-      <dt><strong>{{ key|escape }}</strong></dt>
-      <dd>
-        <details>
-          <summary>{% trans "Toggle context" %}</summary>
-          <code class="djTemplateContext">{{ value|escape }}</code>
-        </details>
-      </dd>
-    {% endfor %}
-  </dl>
+<dl>
+  {% for key, value in context_processors.items %}
+  <dt><strong>{{ key|escape }}</strong></dt>
+  <dd>
+    <details>
+      <summary>{% trans "Toggle context" %}</summary>
+      <code class="djTemplateContext">{{ value|escape }}</code>
+    </details>
+  </dd>
+  {% endfor %}
+</dl>
+{% else %}
+<p>{% trans "None" %}</p>
+{% endif %}
+
+{% if invalid_file_form_configs %}
+<h4>{% blocktrans count invalid_file_form_configs|length as invalid_file_form_configs_count %}Invalid file form configuration{% plural %}Invalid file form configurations{% endblocktrans %}</h4>
+<dl>
+  {% for invalid_file_form_config in invalid_file_form_configs %}
+  <dt>{{ invalid_file_form_config | escape }}</dt>
+  {% endfor %}
+</dl>
 {% else %}
-  <p>{% trans "None" %}</p>
 {% endif %}

tests/panels/test_template.py

@@ -68,6 +68,28 @@ def test_object_with_non_ascii_repr_in_context(self):
         self.panel.generate_stats(self.request, response)
         self.assertIn("nôt åscíì", self.panel.content)
 
+    def test_file_form_without_enctype_multipart_form_data(self):
+        """
+        Test that the panel displays a form invalid message when there is
+        a file input but encoding not set to multipart/form-data.
+        """
+        test_form = '<form id="test-form"><input type="file"></form>'
+        result = self.panel.check_invalid_file_form_configuration(test_form)
+
+        expected_error = (
+            'Form with id "test-form" contains file input '
+            'but missing enctype="multipart/form-data".'
+        )
+        self.assertEqual(result[0]["error_message"], expected_error)
+
+    def test_file_form_with_enctype_multipart_form_data(self):
+        test_form = """<form id="test-form" enctype="multipart/form-data">
+        <input type="file">
+        </form>"""
+        result = self.panel.check_invalid_file_form_configuration(test_form)
+
+        self.assertEqual(len(result), 0)
+
     def test_insert_content(self):
         """
         Test that the panel only inserts content after generate_stats and