Choices are not escaped

Sorry, should have done a "Preview" first.

Index: forms/__init__.py
===================================================================
--- forms/__init__.py   (revision 2997)
+++ forms/__init__.py   (working copy)
@@ -577,7 +577,7 @@
             selected_html = ''
             if str(value) in str_data_list:
                 selected_html = ' selected="selected"'
-            output.append('    <option value="%s"%s>%s</option>' % (escape(value), selected_html, choice))
+            output.append('    <option value="%s"%s>%s</option>' % (escape(value), selected_html, escape(choice)))
         output.append('  </select>')
         return '\n'.join(output)

(Fixed formatting in description.)

(In [3021]) Fixed #2020 -- <option> values are now escaped in SelectMultipleField?