#2020: Choices are not escaped
----------------------------+-----------------------------------------------
Reporter: [EMAIL PROTECTED] | Owner: adrian
Type: defect | Status: new
Priority: normal | Milestone:
Component: Core framework | Version:
Severity: normal | Resolution:
Keywords: |
----------------------------+-----------------------------------------------
Comment (by anonymous):
Sorry, should have done a "Preview" first.
{{{
Index: forms/__init__.py
===================================================================
--- forms/__init__.py (revision 2997)
+++ forms/__init__.py (working copy)
@@ -577,7 +577,7 @@
selected_html = ''
if str(value) in str_data_list:
selected_html = ' selected="selected"'
- output.append(' <option value="%s"%s>%s</option>' %
(escape(value), selected_html, choice))
+ output.append(' <option value="%s"%s>%s</option>' %
(escape(value), selected_html, escape(choice)))
output.append(' </select>')
return '\n'.join(output)
}}}
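Review bot: On the added `output.append` line, `escape(choice)` will double-escape any label that a caller already escaped before passing it in (an existing `&amp;` would render as `&amp;amp;`), so this needs a short note for callers that choice labels are now treated as plain text. The hunk also comes without a test; a regression test that renders a choice label containing `<`, `&` and `"` and asserts the escaped output would pin the behaviour. The surrounding lines compare with `str(value)`, which suggests choices are not always strings, so it is worth confirming that `escape()` accepts whatever types `choice` can carry here.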
--
Ticket URL: <http://code.djangoproject.com/ticket/2020>
Django <http://code.djangoproject.org/>
The web framework for perfectionists with deadlines.