id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
16684	BaseForm needs to escape the 'class' attribute value	dtrebbien	nobody	"In the `_html_output` method of class `django.forms.forms.BaseForm`, this line:

{{{#!python
    html_class_attr = ' class=""%s""' % css_classes
}}}

needs to be changed to:

{{{#!python
    html_class_attr = ' class=""%s""' % conditional_escape(css_classes)
}}}

This is because [http://www.w3.org/TR/CSS21/syndata.html#characters CSS identifiers can contain escape characters]:

> For instance, the identifier ""B&W?"" may be written as ""B\&W\?"" or ""B\26 W\3F"".


\\Note that the attached patch is against trunk."	Bug	closed	Forms	1.3	Normal	wontfix		dtrebbien@…	Accepted	1	0	1	0	0	0
