BaseForm needs to escape the 'class' attribute value

[dtrebbien]

In the _html_output method of class django.forms.forms.BaseForm, this line:

    html_class_attr = ' class="%s"' % css_classes

needs to be changed to:

    html_class_attr = ' class="%s"' % conditional_escape(css_classes)

This is because ​CSS identifiers can contain escape characters:

For instance, the identifier "B&W?" may be written as "B\&W\?" or "B\26 W\3F".

Note that the attached patch is against trunk.

[dtrebbien]

Patch

[dtrebbien]

Patch with regression test

[Mark Lavin]

conditional_escape is not appropriate for this issue and this test is not correct. Using the example from the CSS spec, conditional_escape would convert B&W to B&W not the correct B\&W . The test currently converts the class name \&required to \\&required which is not a valid class name.

To handle this there would need to be another escape function for handling css escaping rules. It seems as though it developers choose to use these characters in their css they can handle the escaping themselves. I don't see why this would need to be a part of Django.

[Karen Tracey]

Given the different rules for escaping css classes than regular html escaping, and the fact that css class names are generally going to be under the control of developers and not pulled from user-supplied input, I don't see that escaping css class names is something Django should be doing.