id,summary,reporter,owner,description,type,status,component,version,severity,resolution,keywords,cc,stage,has_patch,needs_docs,needs_tests,needs_better_patch,easy,ui_ux
6283,NewForms labels are not conditionally escaped,Paul Hummer,Paul Hummer,"Consider the following code:
{{{
from django import forms

required = '*'

class FooForm(forms.Form):
    email = forms.EmailField(label='%sEmail Address' % required)
    username = forms.CharField(label='%sUsername' % required)
    password = forms.CharField(label='%sPassword' % required, widget=forms.PasswordInput)
    password2 = forms.CharField(label='%sPassword (Again)' % required,
                                widget=forms.PasswordInput)
    firstname = forms.CharField(label='First Name')
    lastname = forms.CharField(label='Last Name')
}}}
The labels are currently being escaped. Considering that the labels are usually developer/designer created instead of user created, it's probably safe to assume that most times, they are safe from XSS attacks.",New feature,closed,Forms,dev,Normal,fixed,html escape easy-pickings,Paul Hummer,Accepted,1,0,1,0,1,0