#2020 closed defect (fixed)
Choices are not escaped
| Reported by: | Owned by: | Adrian Holovaty | |
|---|---|---|---|
| Component: | Core (Other) | Version: | |
| Severity: | normal | Keywords: | |
| Cc: | Triage Stage: | Unreviewed | |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description (last modified by )
Choices are not escaped correctly.
Here's a patch:
Index: forms/__init__.py
===================================================================
--- forms/__init__.py (revision 2997)
+++ forms/__init__.py (working copy)
@@ -577,7 +577,7 @@
selected_html = ''
if str(value) in str_data_list:
selected_html = ' selected="selected"'
- output.append(' <option value="%s"%s>%s</option>' % (escape(value), selected_html, choice))
+ output.append(' <option value="%s"%s>%s</option>' % (escape(value), selected_html, escape(choice)))
output.append(' </select>')
return '\n'.join(output)
Change History (3)
comment:1 by , 20 years ago
comment:3 by , 20 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
Note:
See TracTickets
for help on using tickets.
Sorry, should have done a "Preview" first.
Index: forms/__init__.py =================================================================== --- forms/__init__.py (revision 2997) +++ forms/__init__.py (working copy) @@ -577,7 +577,7 @@ selected_html = '' if str(value) in str_data_list: selected_html = ' selected="selected"' - output.append(' <option value="%s"%s>%s</option>' % (escape(value), selected_html, choice)) + output.append(' <option value="%s"%s>%s</option>' % (escape(value), selected_html, escape(choice))) output.append(' </select>') return '\n'.join(output)