Validation errors should be escaped for html
|Reported by:||Owned by:||Adrian Holovaty|
|Severity:||Keywords:||form validation escape|
|Cc:||Triage Stage:||Ready for checkin|
|Has patch:||yes||Needs documentation:||no|
|Needs tests:||no||Patch needs improvement:||no|
I think validation error messages should be escaped when the form outputs html.
For example, in a custom clean method you might raise a ValidationError which includes the value the user input:
def clean_username(self): raise ValidationError(u"Sorry, username '%s' is not allowed" % self.clean_data['username'])
Whatever the user enters would currently be output unescaped in the validation error message. You could argue the input values should be escaped when building the custom ValidationError, but I think it's just a string at that point and escaping should be done when the html is generated - in this case in Form._html_output.
Patch is attached, though I'm not sure if I did the right thing with ErrorList - I'm new to Python.