#2020: Choices are not escaped
----------------------------+-----------------------------------------------
 Reporter:  [EMAIL PROTECTED]  |        Owner:  adrian
     Type:  defect          |       Status:  new   
 Priority:  normal          |    Milestone:        
Component:  Core framework  |      Version:        
 Severity:  normal          |   Resolution:        
 Keywords:                  |  
----------------------------+-----------------------------------------------
Old description:

> Choices are not escaped correctly.
> 
> Here's a patch:
> 
> Index: forms/__init__.py
> ===================================================================
> --- forms/__init__.py   (revision 2997)
> +++ forms/__init__.py   (working copy)
> @@ -577,7 +577,7 @@
>              selected_html = ''
>              if str(value) in str_data_list:
>                  selected_html = ' selected="selected"'
> -            output.append('    <option value="%s"%s>%s</option>' %
> (escape(value), selected_html, choice))
> +            output.append('    <option value="%s"%s>%s</option>' %
> (escape(value), selected_html, escape(choice)))
>          output.append('  </select>')
>          return '\n'.join(output)

New description:

 Choices are not escaped correctly.
 
 Here's a patch:
 
 {{{
 Index: forms/__init__.py
 ===================================================================
 --- forms/__init__.py   (revision 2997)
 +++ forms/__init__.py   (working copy)
 @@ -577,7 +577,7 @@
              selected_html = ''
              if str(value) in str_data_list:
                  selected_html = ' selected="selected"'
 -            output.append('    <option value="%s"%s>%s</option>' %
 (escape(value), selected_html, choice))
 +            output.append('    <option value="%s"%s>%s</option>' %
 (escape(value), selected_html, escape(choice)))
          output.append('  </select>')
          return '\n'.join(output)
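Review bot: the continuation lines of both `output.append(...)` statements (`(escape(value), selected_html, choice))` and `(escape(value), selected_html, escape(choice)))`) have lost their leading `-`/`+` markers and indentation, almost certainly from mail line-wrapping, so `patch` will reject this hunk as pasted; attaching the diff to the ticket as a file avoids that. The change itself is the right fix: `value` was already passed through `escape()` on the same line while the visible `choice` label was interpolated raw into the `<option>` body, so a label containing `<`, `>` or `&` was emitted as markup rather than text. A small regression test rendering a choice whose label is something like `a<b` and asserting that the output contains `a&lt;b` would keep this from regressing, and it is worth checking whether other widgets in forms/__init__.py that render choice labels interpolate them the same way.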
 }}}

Comment (by adrian):

 (Fixed formatting in description.)

-- 
Ticket URL: <http://code.djangoproject.com/ticket/2020>
Django <http://code.djangoproject.org/>
The web framework for perfectionists with deadlines.