Errors on hidden input fields print out double escaped HTML

[Kyle Agronick]

Hidden input fields will print errors like "It\'s the thing &" as "(Hidden field test) It's the thing &". with HTML that is double escaped as

<ul class="errorlist nonfield">
    <li>(Hidden field test) It&amp;#39;s the thing &amp;amp;</li>
</ul>

Using this code:

views.py

class TestForm(forms.Form):
    test = forms.CharField(widget=forms.HiddenInput(), required=False)
    foo = forms.CharField()

class StoreGroupDelete(FormView):
    form_class = TestForm
    template_name = 'test/test_delete.html'

    def form_valid(self, form):
        form.add_error('test', 'It\'s the thing &')
        return self.form_invalid(form)

test.html

        <form method="post">
            {% csrf_token %}
            <ul>
            {{ form.as_ul }}
            </ul><input type="submit" />
        </form>

This only happens on hidden inputs. Regular fields work fine. This is on 1.11.7.

[Daniil Ryzhkov]

I was able to reproduce this behaviour and can confirm that this only happens for HiddenField. It works normally for CharField.

[Daniil Ryzhkov]

I've checked Django code and it seems to be a django bug.
This ​line in django.forms.forms breaks affect of mark_safe:

According to ​git blame, this issue should should be reproducible in every django release for last 5 years:
I was able to fix this. I will write tests to cover this issue and submit my changes as PR on github.

[Daniil Ryzhkov]

​PR

[Simon Charette]

Please don't mark your own patch as RFC.

[Tim Graham <timograham@…>]

In 7c7bc639:

Fixed #28874 -- Prevented double escaping of errors on hidden form fields.