Ticket #16684: 16684.diff

tests/regressiontests/forms/tests/regressions.py

@@ -18 +18 @@
 
         self.assertEqual(TestForm(auto_id=False).as_p(), u'<p>F1: <input type="text" class="special" name="f1" maxlength="10" /></p>\n<p>F2: <input type="text" class="special" name="f2" /></p>')
 
+    def test_regression_16684(self):
+        """
+        Test for bug #16684 - make sure to escape CSS class identifiers
+        """
+        class TestForm(Form):
+            required_css_class = r'\&required'
+
+            text = CharField()
+
+        form = TestForm({ 'text': 'test' })
+        self.assertEqual(unicode(form.as_table()), u'<tr class="\\&amp;required"><th><label for="id_text">Text:</label></th><td><input type="text" name="text" value="test" id="id_text" /></td></tr>')
+
     def test_regression_3600(self):
         # Tests for form i18n #
         # There were some problems with form translations in #3600

django/forms/forms.py

@@ -153 +153 @@
                 # CSS classes applied.
                 css_classes = bf.css_classes()
                 if css_classes:
-                    html_class_attr = ' class="%s"' % css_classes
+                    html_class_attr = ' class="%s"' % conditional_escape(css_classes)
 
                 if errors_on_separate_row and bf_errors:
                     output.append(error_row % force_unicode(bf_errors))