﻿id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
3510	Validation errors should be escaped for html	scott@…	Adrian Holovaty	"I think validation error messages should be escaped when the form outputs html.

For example, in a custom clean method you might raise a ValidationError which includes the value the user input:

{{{
#!python
def clean_username(self):
    raise ValidationError(u""Sorry, username '%s' is not allowed"" % self.clean_data['username'])
}}}

Whatever the user enters would currently be output unescaped in the validation error message. You could argue the input values should be escaped when building the custom ValidationError, but I think it's just a string at that point and escaping should be done when the html is generated - in this case in Form._html_output.

Patch is attached, though I'm not sure if I did the right thing with ErrorList - I'm new to Python."		closed	Forms	dev		fixed	form validation escape		Ready for checkin	1	0	0	0	0	0
