id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
28902	password_validators_help_text_html isn't marked as safe correctly	Ole Laursen	Alvin Lindstam	"Last lines say

{{{
    help_items = [format_html('<li>{}</li>', help_text) for help_text in help_texts]
    return '<ul>%s</ul>' % ''.join(help_items) if help_items else ''
}}}

So in the last line it's throwing away the safe text information put in by format_html in the previous line.

The result is that if you output the help_text of django.contrib.auth.forms.PasswordChangeForm in a template, the HTML bullets are escaped (user sees HTML code instead of bullets). For some reason, I don't see this problem within the admin site, which is actually a bit worrying.

This seems to work instead:

{{{
    formatted_help_items = format_html_join("""", '<li>{}</li>', ((help_text,) for help_text in help_texts))
    return format_html(""<ul>{}</ul>"", formatted_help_items) if formatted_help_items else """"
}}}"	Bug	closed	contrib.auth	2.0	Normal	fixed			Accepted	1	0	0	0	1	0