From 7c7bc6391a3e83566f9ace59955e63503bc76cee Mon Sep 17 00:00:00 2001
From: Daniil
Date: Mon, 11 Dec 2017 22:30:47 +1000
Subject: [PATCH] Fixed #28874 -- Prevented double escaping of errors on hidden form fields.
---
 django/forms/forms.py | 3 +--
 tests/forms_tests/tests/test_forms.py | 21 +++++++++++++++++++++
 2 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/django/forms/forms.py b/django/forms/forms.py
index a43f80996bc..d8a05e35839 100644
--- a/django/forms/forms.py
+++ b/django/forms/forms.py
@@ -199,8 +199,7 @@ class BaseForm:
 for name, field in self.fields.items():
 html_class_attr = ''
 bf = self[name]
- # Escape and cache in local variable.
- bf_errors = self.error_class([conditional_escape(error) for error in bf.errors])
+ bf_errors = self.error_class(bf.errors)
 if bf.is_hidden:
 if bf_errors:
 top_errors.extend(
diff --git a/tests/forms_tests/tests/test_forms.py b/tests/forms_tests/tests/test_forms.py
index 3f4fb4e10b6..a6b157f044b 100644
--- a/tests/forms_tests/tests/test_forms.py
+++ b/tests/forms_tests/tests/test_forms.py
@@ -3398,6 +3398,27 @@ Good luck picking a username that doesn't already exist.
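Review bot: With `bf_errors = self.error_class(bf.errors)` the raw error messages are no longer escaped in this loop, so output escaping now rests entirely on how `self.error_class` renders its items. That is right for an error list that escapes on rendering, which is what the double-escaping fix assumes, but a project-supplied `error_class` that builds its HTML by plain string formatting would, as far as this hunk shows, now pass message text through unescaped. I would replace the removed comment with one that states the invariant, for example `# Not escaped here: error_class must escape each message when rendered.`, and repeat the requirement wherever custom error classes are documented. The new `test_error_escaping` in tests/forms_tests/tests/test_forms.py exercises only the default error class through `as_ul()`; the loop belongs to a method that starts and ends outside the hunk, so how `bf_errors` is finally emitted is not visible here.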

This field is required.

Comment:

""")
+ def test_error_escaping(self):
+ class TestForm(Form):
+ hidden = CharField(widget=HiddenInput(), required=False)
+ visible = CharField()
+
+ def clean_hidden(self):
+ raise ValidationError('Foo & "bar"!')
+
+ clean_visible = clean_hidden
+
+ form = TestForm({'hidden': 'a', 'visible': 'b'})
+ form.is_valid()
+ self.assertHTMLEqual(
+ form.as_ul(),
+ '
  • ' + '
  • ' + ' ' + '' + '
  • ' + ) + def test_baseform_repr(self): """ BaseForm.__repr__() should contain some basic information about the