Fixed #2020 -- <option> values are now escaped in SelectMultipleField

git-svn-id: http://code.djangoproject.com/svn/django/trunk@3021 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2006-05-31 14:58:20 +00:00 · 2006-05-31 14:58:20 +00:00 · 7098389fae
parent 8623bd126d
commit 7098389fae
1 changed files with 1 additions and 1 deletions
--- a/django/forms/init.py
+++ b/django/forms/init.py
@ -577,7 +577,7 @@ class SelectMultipleField(SelectField):
            selected_html = ''
            if str(value) in str_data_list:
                selected_html = ' selected="selected"'
-            output.append('    <option value="%s"%s>%s</option>' % (escape(value), selected_html, choice))
+            output.append('    <option value="%s"%s>%s</option>' % (escape(value), selected_html, escape(choice)))
        output.append('  </select>')
        return '\n'.join(output)