id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
24469	Revisit strategy of escaping Django's form elements in non-Django forms	Moritz Sichert	Aymeric Augustin	"Django uses `django.utils.safestring` for marking strings as escaped. This prevents already escaped text from being escaped again.
It also uses the `__html__` magic method used by many other web frameworks.

However, the information about a string being safe won't be carried over if an object gets converted to a string.
This mostly happens with forms, form fields and the `Media` class.
The django template backend ""knows"" about them so it doesn't escape them, however that's not the case with any other backend.

For example
{{{
  {{ my_form.my_field }}
}}}
will be rendered as
{{{
  &lt;input name=&#34;my_field&#34; type=&#34;text&#34; /&gt;
}}}
when using jinja2 backend.

In my opinion the best way to fix this is to add `__html__` methods to the classes that should not be escaped."	Cleanup/optimization	closed	Template system	1.8beta2	Normal	fixed	forms fields media escape template jinja2	Moritz Sichert	Ready for checkin	1	0	0	0	0	0
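
Added example, not code from the ticket, from Django or from Jinja2: a minimal autoescaping `escape()` that follows the `__html__` convention the ticket refers to, the same convention markupsafe/Jinja2 use (markupsafe writes a double quote as `&#34;`, the stdlib `html.escape` used here writes `&quot;`). The `UnsafeWidget` and `SafeWidget` classes are hypothetical stand-ins for a Django form field: the first only produces its markup through `__str__`, so a backend that does not know about Django sees plain text and escapes the tags exactly as in the output quoted above; the second adds the `__html__` method the ticket proposes and renders unescaped. The `SafeString` class illustrates the first paragraph's point that marking a string as already escaped keeps it from being escaped twice.

```python
import html


class SafeString(str):
    """A str that is already escaped (hypothetical stand-in for Django's SafeString).

    escape() returns these, and honours __html__ on them, so escaping is idempotent.
    """

    def __html__(self):
        return self


def escape(value):
    """Autoescape ``value`` unless it declares itself safe via __html__.

    Mirrors the convention markupsafe/Jinja2 follow: anything exposing
    __html__ is trusted markup, everything else goes through str() and is
    escaped (double-escaping what was already HTML in __str__).
    """
    if hasattr(value, "__html__"):
        return SafeString(value.__html__())
    return SafeString(html.escape(str(value), quote=True))


class UnsafeWidget:
    """Hypothetical widget that renders HTML only through __str__.

    A non-Django backend cannot tell the result is markup, so it escapes it.
    """

    def __init__(self, name):
        self.name = name

    def __str__(self):
        # The attribute value is escaped here, as a real widget would do.
        return '<input name="%s" type="text" />' % html.escape(self.name, quote=True)


class SafeWidget(UnsafeWidget):
    """Same widget plus the __html__ method proposed in the ticket."""

    def __html__(self):
        return str(self)


def render(widget):
    """Stand-in for ``{{ my_form.my_field }}`` under an autoescaping backend."""
    return escape(widget)


if __name__ == "__main__":
    print(render(UnsafeWidget("my_field")))   # tags escaped: the bug from the ticket
    print(render(SafeWidget("my_field")))     # rendered as markup: the proposed fix
    print(escape(escape(UnsafeWidget("x"))))  # escaping twice does not double-escape
```

Note that `SafeWidget` still escapes untrusted data (the `name` attribute) inside `__str__`; `__html__` only asserts that the finished string is safe to emit, it does not make the widget's inputs safe.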
