Fixed #3078 -- newforms: Added HTML escaping to label_tag() calls. Thanks, SmileyChris

git-svn-id: http://code.djangoproject.com/svn/django/trunk@4133 bcc190cf-cafb-0310-a4f2-bffc1f526a37
Adrian Holovaty 2006-11-29 03:14:03 +00:00
parent 8aae90c0e5
commit 4db61fb406
1 changed files with 2 additions and 2 deletions


@ -82,7 +82,7 @@ class Form(object):
bf = BoundField(self, field, name) bf = BoundField(self, field, name)
if bf.errors: if bf.errors:
output.append(u'<tr><td colspan="2">%s</td></tr>' % bf.errors) output.append(u'<tr><td colspan="2">%s</td></tr>' % bf.errors)
output.append(u'<tr><td>%s</td><td>%s</td></tr>' % (bf.label_tag(bf.verbose_name+':'), bf)) output.append(u'<tr><td>%s</td><td>%s</td></tr>' % (bf.label_tag(escape(bf.verbose_name+':')), bf))
return u'\n'.join(output) return u'\n'.join(output)
def as_ul(self): def as_ul(self):
@ -96,7 +96,7 @@ class Form(object):
line = u'<li>' line = u'<li>'
if bf.errors: if bf.errors:
line += str(bf.errors) line += str(bf.errors)
line += u'%s %s</li>' % (bf.label_tag(bf.verbose_name+':'), bf) line += u'%s %s</li>' % (bf.label_tag(escape(bf.verbose_name+':')), bf)
output.append(line) output.append(line)
return u'\n'.join(output) return u'\n'.join(output)
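Review bot: The escaping is added at the two call sites, `bf.label_tag(escape(bf.verbose_name+':'))` in the table renderer and again in `as_ul`, rather than where the label markup is assembled, so any other caller that passes its own contents to `label_tag()` still has to remember to escape them. `label_tag()` itself is not in these hunks, so it is worth confirming how it treats contents it is given and what it does when none are passed. The diffstat shows one changed file with two additions, so the fix ships without a regression test and relies on `escape` already being imported in this module. I would add a test that renders a form whose field label contains `<`, `>` and `&` through both table and list output and asserts the entity-encoded text appears, plus a short comment at each call such as `# escape the label text before handing it to label_tag()`. Both enclosing methods start outside the hunks.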