=== modified file 'django/contrib/auth/tests/forms.py' --- django/contrib/auth/tests/forms.py 2008-07-31 21:19:05 +0000 +++ django/contrib/auth/tests/forms.py 2008-07-31 21:25:12 +0000 @@ -42,7 +42,7 @@ >>> form.is_valid() False >>> form["password2"].errors -[u"The two password fields didn't match."] +[u'The two password fields didn't match.'] The success case. @@ -107,7 +107,7 @@ >>> form.is_valid() False >>> form["new_password2"].errors -[u"The two password fields didn't match."] +[u'The two password fields didn't match.'] The success case. @@ -145,7 +145,7 @@ >>> form.is_valid() False >>> form["new_password2"].errors -[u"The two password fields didn't match."] +[u'The two password fields didn't match.'] The success case. === modified file 'django/contrib/auth/tests/views.py' --- django/contrib/auth/tests/views.py 2008-07-31 21:19:05 +0000 +++ django/contrib/auth/tests/views.py 2008-07-31 21:26:04 +0000 @@ -13,7 +13,7 @@ response = self.client.get('/password_reset/') self.assertEquals(response.status_code, 200) response = self.client.post('/password_reset/', {'email': 'not_a_real_email@email.com'}) - self.assertContains(response, "That e-mail address doesn't have an associated user account") + self.assertContains(response, "That e-mail address doesn't have an associated user account") self.assertEquals(len(mail.outbox), 0) def test_email_found(self): @@ -84,5 +84,5 @@ response = self.client.post(path, {'new_password1': 'anewpassword', 'new_password2':' x'}) self.assertEquals(response.status_code, 200) - self.assert_("The two password fields didn't match" in response.content) + self.assert_("The two password fields didn't match" in response.content) === modified file 'django/forms/forms.py' --- django/forms/forms.py 2008-07-20 00:01:26 +0000 +++ django/forms/forms.py 2008-07-20 21:40:40 +0000 @@ -5,7 +5,7 @@ from copy import deepcopy from django.utils.datastructures import SortedDict -from django.utils.html import escape +from django.utils.html import escape, conditional_escape from django.utils.encoding import StrAndUnicode, smart_unicode, force_unicode from django.utils.safestring import mark_safe @@ -134,7 +134,7 @@ output, hidden_fields = [], [] for name, field in self.fields.items(): bf = BoundField(self, field, name) - bf_errors = self.error_class([escape(error) for error in bf.errors]) # Escape and cache in local variable. + bf_errors = self.error_class([conditional_escape(error) for error in bf.errors]) # Escape and cache in local variable. if bf.is_hidden: if bf_errors: top_errors.extend([u'(Hidden field %s) %s' % (name, force_unicode(e)) for e in bf_errors]) === modified file 'django/forms/util.py' --- django/forms/util.py 2008-07-24 12:03:58 +0000 +++ django/forms/util.py 2008-07-24 12:05:21 +0000 @@ -1,4 +1,4 @@ -from django.utils.html import escape +from django.utils.html import conditional_escape from django.utils.encoding import smart_unicode, StrAndUnicode, force_unicode from django.utils.safestring import mark_safe @@ -9,7 +9,7 @@ XML-style pairs. It is assumed that the keys do not need to be XML-escaped. If the passed dictionary is empty, then return an empty string. """ - return u''.join([u' %s="%s"' % (k, escape(v)) for k, v in attrs.items()]) + return mark_safe(u''.join([u' %s="%s"' % (k, conditional_escape(v)) for k, v in attrs.items()])) class ErrorDict(dict, StrAndUnicode): """ @@ -55,9 +55,9 @@ a string) or a list of objects. """ if isinstance(message, list): - self.messages = ErrorList([smart_unicode(msg) for msg in message]) + self.messages = ErrorList([conditional_escape(smart_unicode(msg)) for msg in message]) else: - message = smart_unicode(message) + message = conditional_escape(smart_unicode(message)) self.messages = ErrorList([message]) def __str__(self): === modified file 'tests/regressiontests/forms/localflavor/ch.py' --- tests/regressiontests/forms/localflavor/ch.py 2007-11-13 02:22:36 +0000 +++ tests/regressiontests/forms/localflavor/ch.py 2008-07-20 21:40:40 +0000 @@ -41,13 +41,13 @@ >>> f.clean('C1234567<1') Traceback (most recent call last): ... -ValidationError: [u'Enter a valid Swiss identity or passport card number in X1234567<0 or 1234567890 format.'] +ValidationError: [u'Enter a valid Swiss identity or passport card number in X1234567<0 or 1234567890 format.'] >>> f.clean('2123456700') u'2123456700' >>> f.clean('2123456701') Traceback (most recent call last): ... -ValidationError: [u'Enter a valid Swiss identity or passport card number in X1234567<0 or 1234567890 format.'] +ValidationError: [u'Enter a valid Swiss identity or passport card number in X1234567<0 or 1234567890 format.'] # CHStateSelect ############################################################# === modified file 'tests/regressiontests/forms/util.py' --- tests/regressiontests/forms/util.py 2008-07-20 00:01:26 +0000 +++ tests/regressiontests/forms/util.py 2008-07-20 21:40:40 +0000 @@ -7,6 +7,11 @@ >>> from django.forms.util import * >>> from django.utils.translation import ugettext_lazy +# Escaping. +>>> from django.utils.html import escape +>>> from django.utils.html import conditional_escape +>>> script = "$('#example').html('example');" + ########### # flatatt # ########### @@ -19,6 +24,22 @@ >>> flatatt({}) u'' +# Escaping. + +>>> flatatt({'onclick': script}) +u' onclick="$('#example').html('<a href="http://www.example.com/">example</a>');"' +>>> flatatt({'onclick': escape(script)}) +u' onclick="$('#example').html('<a href="http://www.example.com/">example</a>');"' +>>> flatatt({'onclick': conditional_escape(script)}) +u' onclick="$('#example').html('<a href="http://www.example.com/">example</a>');"' + +>>> conditional_escape(flatatt({'onclick': script})) +u' onclick="$('#example').html('<a href="http://www.example.com/">example</a>');"' +>>> conditional_escape(flatatt({'onclick': escape(script)})) +u' onclick="$('#example').html('<a href="http://www.example.com/">example</a>');"' +>>> conditional_escape(flatatt({'onclick': conditional_escape(script)})) +u' onclick="$('#example').html('<a href="http://www.example.com/">example</a>');"' + ################### # ValidationError # ################### @@ -49,4 +70,33 @@ # Can take a non-string. >>> print ValidationError(VeryBadError()).messages