Ticket #3510: escape-validation-errors.diff

django/newforms/forms.py

@@ -113 +113 @@
         output, hidden_fields = [], []
         for name, field in self.fields.items():
             bf = BoundField(self, field, name)
-            bf_errors = bf.errors # Cache in local variable.
+            bf_errors = ErrorList([escape(error) for error in bf.errors]) # Escape and cache in local variable.
             if bf.is_hidden:
                 if bf_errors:
                     top_errors.extend(['(Hidden field %s) %s' % (name, e) for e in bf_errors])

tests/regressiontests/forms/tests.py

@@ -2217 +2217 @@
 >>> f.clean_data
 {'composers': [u'J', u'P'], 'name': u'Yesterday'}
 
+Validation errors are escaped when output to html
+>>> class EscapingForm(Form):
+...     special_name = CharField()
+...     def clean_special_name(self):
+...         special_name = self.clean_data['special_name']
+...         raise ValidationError("Something wrong with '%s'" % special_name)
+ 
+>>> f = EscapingForm({'special_name': "Nothing to escape"})
+>>> print f
+<tr><th><label for="id_special_name">Special name:</label></th><td><ul class="errorlist"><li>Something wrong with &#39;Nothing to escape&#39;</li></ul><input type="text" name="special_name" value="Nothing to escape" id="id_special_name" /></td></tr>
+>>> f = EscapingForm({'special_name': "Should escape < & > and <script>alert('xss')</script>"})
+>>> print f
+<tr><th><label for="id_special_name">Special name:</label></th><td><ul class="errorlist"><li>Something wrong with &#39;Should escape &lt; &amp; &gt; and &lt;script&gt;alert(&#39;xss&#39;)&lt;/script&gt;&#39;</li></ul><input type="text" name="special_name" value="Should escape &lt; &amp; &gt; and &lt;script&gt;alert(&#39;xss&#39;)&lt;/script&gt;" id="id_special_name" /></td></tr>
+
 # Validating multiple fields in relation to another ###########################
 
 There are a couple of ways to do multiple-field validation. If you want the