id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
4991	Emphasize XSS ramifications of help_text not being escaped	anonymous	Adrian Holovaty	"Help text in models is not escaped in admin.
<code>
from django.db import models

class Post(models.Model):
    # help_text containing markup is rendered unescaped by the admin
    title = models.CharField(maxlength=1000, null=True, blank=True,
                             help_text='<obvious>This is the title</obvious>')
</code>
The admin interface will not show it (and using non-closed <blink> could be fun)
I guess this is a bug, or it should be documented in models that help_text must be HTML.
I would propose no HTML in models.py (so escaping help_text and no formatting in help text).
Maybe ReST would be the best of both worlds.

"	Cleanup/optimization	closed	Documentation	dev	Normal	fixed	help_text escape		Ready for checkin	1	0	0	0	0	0
