id,summary,reporter,owner,description,type,status,component,version,severity,resolution,keywords,cc,stage,has_patch,needs_docs,needs_tests,needs_better_patch,easy,ui_ux
6283,NewForms labels are not conditionally escaped,Paul Hummer,Paul Hummer,"Consider the following code:
{{{
required = '*'

class FooForm(forms.Form):
    email = forms.EmailField(label='%sEmail Address' % required)
    username = forms.CharField(label='%sUsername' % required)
    password = forms.CharField(label='%sPassword' % required, widget=forms.PasswordInput)
    password2 = forms.CharField(label='%sPassword (Again)' % required, widget=forms.PasswordInput)
    firstname = forms.CharField(label='First Name')
    lastname = forms.CharField(label='Last Name')
}}}
The labels are currently being escaped. Considering that the labels are usually developer/designer created instead of user created, it's probably safe to assume that most times, they are safe from XSS attacks.",New feature,closed,Forms,dev,Normal,fixed,html escape easy-pickings,Paul Hummer,Accepted,1,0,1,0,1,0