Fixed #3078 -- newforms: Added HTML escaping to label_tag() calls. Thanks, SmileyChris

git-svn-id: http://code.djangoproject.com/svn/django/trunk@4133 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2006-11-29 03:14:03 +00:00 · 2006-11-29 03:14:03 +00:00 · 4db61fb406
parent 8aae90c0e5
commit 4db61fb406
1 changed files with 2 additions and 2 deletions
--- a/django/newforms/forms.py
+++ b/django/newforms/forms.py
@ -82,7 +82,7 @@ class Form(object):
            bf = BoundField(self, field, name)
            if bf.errors:
                output.append(u'<tr><td colspan="2">%s</td></tr>' % bf.errors)
-            output.append(u'<tr><td>%s</td><td>%s</td></tr>' % (bf.label_tag(bf.verbose_name+':'), bf))
+            output.append(u'<tr><td>%s</td><td>%s</td></tr>' % (bf.label_tag(escape(bf.verbose_name+':')), bf))
        return u'\n'.join(output)

    def as_ul(self):
@ -96,7 +96,7 @@ class Form(object):
            line = u'<li>'
            if bf.errors:
                line += str(bf.errors)
-            line += u'%s %s</li>' % (bf.label_tag(bf.verbose_name+':'), bf)
+            line += u'%s %s</li>' % (bf.label_tag(escape(bf.verbose_name+':')), bf)
            output.append(line)
        return u'\n'.join(output)