From b8fa80bd0020eee186e5288e3fd2552695093025 Mon Sep 17 00:00:00 2001
From: Adrian Holovaty
Date: Mon, 19 Feb 2007 23:54:55 +0000
Subject: [PATCH] Fixed #3510 -- newforms validation errors are now HTML-escaped for HTML output. Thanks, scott@staplefish.com
git-svn-id: http://code.djangoproject.com/svn/django/trunk@4544 bcc190cf-cafb-0310-a4f2-bffc1f526a37
---
 django/newforms/forms.py | 2 +-
 tests/regressiontests/forms/tests.py | 13 +++++++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/django/newforms/forms.py b/django/newforms/forms.py
index e9cf4ca11c..2b3aa97428 100644
--- a/django/newforms/forms.py
+++ b/django/newforms/forms.py
@@ -113,7 +113,7 @@ class BaseForm(StrAndUnicode):
 output, hidden_fields = [], []
 for name, field in self.fields.items():
 bf = BoundField(self, field, name)
- bf_errors = bf.errors # Cache in local variable.
+ bf_errors = ErrorList([escape(error) for error in bf.errors]) # Escape and cache in local variable.
 if bf.is_hidden:
 if bf_errors:
 top_errors.extend(['(Hidden field %s) %s' % (name, e) for e in bf_errors])
diff --git a/tests/regressiontests/forms/tests.py b/tests/regressiontests/forms/tests.py
index 2e34111b3e..34f1907c5e 100644
--- a/tests/regressiontests/forms/tests.py
+++ b/tests/regressiontests/forms/tests.py
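Review bot: The escape is applied only at this one rendering site, to the per-field `bf.errors` copied into `bf_errors`, so any error text that reaches HTML by another route is presumably still emitted raw: `top_errors` is initialised above the hunk (apparently from the form's non-field errors) and only the hidden-field messages appended here pass through `escape`, and a template that renders `{{ field.errors }}` or `form.non_field_errors()` directly gets the unescaped `ErrorList`. Since the message is built by string-interpolating user input (`"Something's wrong with '%s'" % ...` in the new test), the unescaped paths remain an XSS vector for the same class of input the commit fixes here. A more complete fix escapes inside `ErrorList`'s HTML output (e.g. `'<li>%s</li>' % escape(e)` in its `as_ul`), so every consumer is covered, and escapes `top_errors` the same way before it is rendered; if that is done, the per-line escape here can be dropped to avoid double-escaping. The enclosing method starts above and continues below this hunk.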
@@ -2217,6 +2217,19 @@ returns a list of input.
 >>> f.clean_data
 {'composers': [u'J', u'P'], 'name': u'Yesterday'}
+Validation errors are HTML-escaped when output as HTML.
+>>> class EscapingForm(Form):
+... special_name = CharField()
+... def clean_special_name(self):
+... raise ValidationError("Something's wrong with '%s'" % self.clean_data['special_name'])
+
+>>> f = EscapingForm({'special_name': "Nothing to escape"}, auto_id=False)
+>>> print f
+Special name:
+>>> f = EscapingForm({'special_name': "Should escape < & > and "}, auto_id=False)
+>>> print f
+Special name:
+
 # Validating multiple fields in relation to another ###########################
 There are a couple of ways to do multiple-field validation. If you want the
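Review bot: The new doctest exercises only the visible-field branch of the rendering loop; the hidden-field branch, which formats errors as `'(Hidden field %s) %s' % (name, e)` and appends them to the form's top-level error list, and errors raised from a form-level `clean()` are not covered, so a regression in either path would go unnoticed. Add a second case using a field with `widget=HiddenInput` and a form whose `clean()` raises a `ValidationError` containing `<`, `&` and `>`, and assert the printed output contains `&lt;`, `&amp;` and `&gt;` in both the hidden-field message and the non-field error block. A one-line lead-in such as `Errors from hidden fields and from clean() are escaped the same way.` keeps the doctest prose consistent with the paragraph added above.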