Fixed #2020 -- <option> values are now escaped in SelectMultipleField

git-svn-id: http://code.djangoproject.com/svn/django/trunk@3021 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
Adrian Holovaty 2006-05-31 14:58:20 +00:00
parent 8623bd126d
commit 7098389fae
1 changed files with 1 additions and 1 deletions

View File

@ -577,7 +577,7 @@ class SelectMultipleField(SelectField):
selected_html = ''
if str(value) in str_data_list:
selected_html = ' selected="selected"'
output.append(' <option value="%s"%s>%s</option>' % (escape(value), selected_html, choice))
output.append(' <option value="%s"%s>%s</option>' % (escape(value), selected_html, escape(choice)))
output.append(' </select>')
return '\n'.join(output)