Code

Opened 8 years ago

Closed 8 years ago

Last modified 7 years ago

#2020 closed defect (fixed)

Choices are not escaped

Reported by: tom@… Owned by: adrian
Component: Core (Other) Version:
Severity: normal Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: UI/UX:

Description (last modified by adrian)

Choices are not escaped correctly.

Here's a patch:

Index: forms/__init__.py
===================================================================
--- forms/__init__.py   (revision 2997)
+++ forms/__init__.py   (working copy)
@@ -577,7 +577,7 @@
             selected_html = ''
             if str(value) in str_data_list:
                 selected_html = ' selected="selected"'
-            output.append('    <option value="%s"%s>%s</option>' % (escape(value), selected_html, choice))
+            output.append('    <option value="%s"%s>%s</option>' % (escape(value), selected_html, escape(choice)))
         output.append('  </select>')
         return '\n'.join(output)

Attachments (0)

Change History (3)

comment:1 Changed 8 years ago by anonymous

Sorry, should have done a "Preview" first.

Index: forms/__init__.py
===================================================================
--- forms/__init__.py   (revision 2997)
+++ forms/__init__.py   (working copy)
@@ -577,7 +577,7 @@
             selected_html = ''
             if str(value) in str_data_list:
                 selected_html = ' selected="selected"'
-            output.append('    <option value="%s"%s>%s</option>' % (escape(value), selected_html, choice))
+            output.append('    <option value="%s"%s>%s</option>' % (escape(value), selected_html, escape(choice)))
         output.append('  </select>')
         return '\n'.join(output)

comment:2 Changed 8 years ago by adrian

  • Description modified (diff)

(Fixed formatting in description.)

comment:3 Changed 8 years ago by adrian

  • Resolution set to fixed
  • Status changed from new to closed

(In [3021]) Fixed #2020 -- <option> values are now escaped in SelectMultipleField

Add Comment

Modify Ticket

Change Properties
<Author field>
Action
as closed
as The resolution will be set. Next status will be 'closed'
The resolution will be deleted. Next status will be 'new'
Author


E-mail address and user name can be saved in the Preferences.

 
Note: See TracTickets for help on using tickets.