Index: django/forms/widgets.py
===================================================================
--- django/forms/widgets.py (revision 15442)
+++ django/forms/widgets.py (working copy)
@@ -332,7 +332,9 @@
substitutions['initial'] = (u'%s'
% (value.url, value))
if not self.is_required:
- checkbox_name = self.clear_checkbox_name(name)
+ # Since the checkbox label bypasses the usual widget
+ # attribute machinery, make sure it's escaped.
+ checkbox_name = self.clear_checkbox_name(conditional_escape(name))
checkbox_id = self.clear_checkbox_id(checkbox_name)
substitutions['clear_checkbox_name'] = checkbox_name
substitutions['clear_checkbox_id'] = checkbox_id
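Review bot: Escaping `name` before deriving `checkbox_name` on the added line means the already-escaped string is what gets carried into `checkbox_id` and, if (as elsewhere in this widget) both are later passed to `CheckboxInput().render(...)` whose attribute rendering escapes again, the rendered `name`/`id` attributes end up double-escaped (`&amp;quot;`). The safer shape is to keep the raw values for the nested widget and escape only at the substitution boundary: `substitutions['clear_checkbox_name'] = conditional_escape(checkbox_name)` and `substitutions['clear_checkbox_id'] = conditional_escape(checkbox_id)`. The `value.url` / `value` interpolation on the context lines at the top of the hunk also appears to reach the template unescaped, though this page's markup looks stripped so that may not reflect the real source. The enclosing `render` method begins and ends outside this hunk.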
Index: tests/regressiontests/forms/tests/widgets.py
===================================================================
--- tests/regressiontests/forms/tests/widgets.py (revision 15442)
+++ tests/regressiontests/forms/tests/widgets.py (working copy)
@@ -1086,6 +1086,13 @@
self.assertEqual(widget.render('myfile', FakeFieldFile()),
u'Currently: something
Change: ')
+ def test_clear_input_label_escaped(self):
+ widget = ClearableFileInput()
+ widget.is_required = False
+ xss_string = '''myfile">
a_nasty_attack.jpg"', FakeFieldFile())
+ self.assertTrue(xss_string not in output)
+
def test_clear_input_renders_only_if_not_required(self):
"""
A ClearableFileInput with is_required=False does not render a clear
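Review bot: The new test only asserts that the raw payload is absent from the output, so a rendering that dropped or truncated the field name would pass just as well; add a positive check that the escaped form is present, e.g. `self.assertTrue('&quot;' in output)` (or `assertIn` if the test base class provides it), and ideally check the clear checkbox's `name` and `id` attributes specifically. The `xss_string` literal and the `render` call appear garbled on this page (markup stripped), so the exact expected escaped form should be taken from the real file. The hunk ends inside the docstring of `test_clear_input_renders_only_if_not_required`, which continues past it.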