Opened 18 years ago
Last modified 17 years ago
#2020 closed defect
Choices are not escaped — at Initial Version
| Reported by: | Owned by: | Adrian Holovaty | |
|---|---|---|---|
| Component: | Core (Other) | Version: | |
| Severity: | normal | Keywords: | |
| Cc: | Triage Stage: | Unreviewed | |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
Choices are not escaped correctly.
Here's a patch:
Index: forms/init.py
===================================================================
--- forms/init.py (revision 2997)
+++ forms/init.py (working copy)
@@ -577,7 +577,7 @@
selected_html =
if str(value) in str_data_list:
selected_html = ' selected="selected"'
- output.append(' <option value="%s"%s>%s</option>' % (escape(value), selected_html, choice))
+ output.append(' <option value="%s"%s>%s</option>' % (escape(value), selected_html, escape(choice)))
output.append(' </select>')
return '\n'.join(output)
Note:
See TracTickets
for help on using tickets.