Fixed #6160, #9111 -- Consistently apply conditional_escape to form errors and labels when outputing them as HTML.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@9365 bcc190cf-cafb-0310-a4f2-bffc1f526a37

django/contrib/auth/tests/views.py

@@ -16,7 +16,7 @@ class PasswordResetTest(TestCase):
         response = self.client.get('/password_reset/')
         self.assertEquals(response.status_code, 200)
         response = self.client.post('/password_reset/', {'email': 'not_a_real_email@email.com'})
-        self.assertContains(response, "That e-mail address doesn't have an associated user account")
+        self.assertContains(response, "That e-mail address doesn't have an associated user account")
         self.assertEquals(len(mail.outbox), 0)
 
     def test_email_found(self):
@@ -87,7 +87,7 @@ class PasswordResetTest(TestCase):
         response = self.client.post(path, {'new_password1': 'anewpassword',
                                            'new_password2':' x'})
         self.assertEquals(response.status_code, 200)
-        self.assert_("The two password fields didn't match" in response.content)
+        self.assert_("The two password fields didn't match" in response.content)
 
 
 class ChangePasswordTest(TestCase):
@@ -147,7 +147,7 @@ class ChangePasswordTest(TestCase):
             }
         )
         self.assertEquals(response.status_code, 200)
-        self.assert_("The two password fields didn't match." in response.content)
+        self.assert_("The two password fields didn't match." in response.content)
 
     def test_password_change_succeeds(self):
         self.login()

django/forms/forms.py

@@ -5,7 +5,7 @@ Form classes
 from copy import deepcopy
 
 from django.utils.datastructures import SortedDict
-from django.utils.html import escape
+from django.utils.html import conditional_escape
 from django.utils.encoding import StrAndUnicode, smart_unicode, force_unicode
 from django.utils.safestring import mark_safe
 
@@ -140,7 +140,7 @@ class BaseForm(StrAndUnicode):
         output, hidden_fields = [], []
         for name, field in self.fields.items():
             bf = BoundField(self, field, name)
-            bf_errors = self.error_class([escape(error) for error in bf.errors]) # Escape and cache in local variable.
+            bf_errors = self.error_class([conditional_escape(error) for error in bf.errors]) # Escape and cache in local variable.
             if bf.is_hidden:
                 if bf_errors:
                     top_errors.extend([u'(Hidden field %s) %s' % (name, force_unicode(e)) for e in bf_errors])
@@ -149,7 +149,7 @@ class BaseForm(StrAndUnicode):
                 if errors_on_separate_row and bf_errors:
                     output.append(error_row % force_unicode(bf_errors))
                 if bf.label:
-                    label = escape(force_unicode(bf.label))
+                    label = conditional_escape(force_unicode(bf.label))
                     # Only add the suffix if the label does not end in
                     # punctuation.
                     if self.label_suffix:
@@ -395,7 +395,7 @@ class BoundField(StrAndUnicode):
 
         If attrs are given, they're used as HTML attributes on the <label> tag.
         """
-        contents = contents or escape(self.label)
+        contents = contents or conditional_escape(self.label)
         widget = self.field.widget
         id_ = widget.attrs.get('id') or self.auto_id
         if id_:

django/forms/util.py

@@ -39,7 +39,7 @@ class ErrorList(list, StrAndUnicode):
     def as_ul(self):
         if not self: return u''
         return mark_safe(u'<ul class="errorlist">%s</ul>'
-                % ''.join([u'<li>%s</li>' % force_unicode(e) for e in self]))
+                % ''.join([u'<li>%s</li>' % conditional_escape(force_unicode(e)) for e in self]))
 
     def as_text(self):
         if not self: return u''