id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
6283	NewForms labels are not conditionally escaped	Paul Hummer	Paul Hummer	"Consider the following code:

{{{
from django import forms

# Developer-authored markup prepended to each required field's label.
required = '<span class=""required"">*</span>'
class FooForm(forms.Form):
    email = forms.EmailField(label='%sEmail Address' % required)
    username = forms.CharField(label='%sUsername' % required)
    password = forms.CharField(label='%sPassword' % required, widget=forms.PasswordInput)
    password2 = forms.CharField(label='%sPassword (Again)' % required,
      widget=forms.PasswordInput)
    firstname = forms.CharField(label='First Name')
    lastname = forms.CharField(label='Last Name')
}}}
The labels are currently being escaped.  Considering that the labels are usually developer/designer created instead of user created, it's probably safe to assume that most times, they are safe from XSS attacks."	New feature	closed	Forms	dev	Normal	fixed	html escape easy-pickings	Paul Hummer	Accepted	1	0	1	0	1	0
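Added example, not code from the ticket or from Django: a self-contained stand-in for the conditional escaping this ticket asked for, written so it runs without Django installed. `SafeString`, `mark_safe`, `escape`, `conditional_escape` and `label_tag` below are minimal reimplementations of the behaviour of `django.utils.safestring.mark_safe`, `django.utils.html.conditional_escape` and `BoundField.label_tag` (the real names; the bodies here are assumptions about their behaviour, not their source). It shows the three cases a practitioner cares about: a developer-authored label marked safe passes through unescaped, an unmarked label (for instance one built from user-controlled data) is still escaped, and `mark_safe` applied to untrusted text reopens the XSS hole that escaping closed. It also shows a pitfall with the ticket's own construction: `'%sEmail Address' % required` is plain `str` formatting and returns an unmarked string, so the safe marker is lost and the whole label, span included, is escaped unless the combined string is marked safe after the untrusted part has been escaped. The `<script>` payload is constructed sample input.

```python
import html


class SafeString(str):
    """Stand-in for django.utils.safestring.SafeString (assumed, not Django's code):
    a str the developer has vouched for as HTML that must not be escaped again."""


def mark_safe(s):
    """Stand-in for django.utils.safestring.mark_safe."""
    return SafeString(s)


def escape(s):
    """Unconditional HTML escaping of &, <, >, " and ' (cf. django.utils.html.escape)."""
    return html.escape(str(s), quote=True)


def conditional_escape(s):
    """The behaviour ticket #6283 asked for: escape unless the value is already
    marked safe (cf. django.utils.html.conditional_escape)."""
    if isinstance(s, SafeString):
        return s
    return mark_safe(escape(s))


def label_tag(field_id, label):
    """Render a <label> the way the fixed BoundField.label_tag does: the label
    text is conditionally escaped rather than escaped unconditionally."""
    return '<label for="%s">%s</label>' % (escape(field_id), conditional_escape(label))


# Developer-authored markup from the ticket, vouched for with mark_safe.
REQUIRED = mark_safe('<span class="required">*</span>')


def required_label(text):
    """Build the ticket's '%sEmail Address' style label safely: escape the
    text part first, then mark the combined string safe. Escaping first means
    label text taken from untrusted data still cannot inject markup."""
    return mark_safe('%s%s' % (REQUIRED, conditional_escape(text)))


def developer_label():
    """Case 1: a developer-authored label marked safe passes through unescaped."""
    return label_tag('id_email', required_label('Email Address'))


def formatted_without_mark_safe():
    """Pitfall: '%s...' % REQUIRED returns a plain str, so the safe marker is
    lost and conditional_escape escapes the whole label, span included."""
    return label_tag('id_email', '%sEmail Address' % REQUIRED)


def untrusted_label(untrusted):
    """Case 2: a label built from user-controlled data and left unmarked is
    still escaped, so conditional escaping does not weaken the default."""
    return label_tag('id_email', untrusted)


def untrusted_marked_safe(untrusted):
    """Case 3 (anti-pattern): mark_safe on untrusted text disables escaping
    and turns the label into an XSS sink. Shown only to make the failure visible."""
    return label_tag('id_email', mark_safe(untrusted))


if __name__ == '__main__':
    # Constructed sample input standing in for attacker-controlled label text.
    payload = '<script>alert(1)</script>'
    print(developer_label())
    print(formatted_without_mark_safe())
    print(untrusted_label(payload))
    print(untrusted_marked_safe(payload))
```

The practical rule this demonstrates: conditional escaping only helps if `mark_safe` is applied to strings whose every part the developer controls, and it has to be applied to the final assembled string, because ordinary `%` formatting or concatenation with an unmarked operand yields a plain `str` that the form will escape again.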
