
Fixed #16230 -- Correctly escape errors message passed to ErrorDict. Thanks, Gregor Müllegger.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@16461 bcc190cf-cafb-0310-a4f2-bffc1f526a37
Jannis Leidel 13 years ago
parent
commit
b9eb94e789
2 changed files with 5 additions and 1 deletions
  1. 1 1
      django/forms/util.py
  2. 4 0
      tests/regressiontests/forms/tests/util.py

+ 1 - 1
django/forms/util.py

@@ -27,7 +27,7 @@ class ErrorDict(dict, StrAndUnicode):
     def as_ul(self):
         if not self: return u''
         return mark_safe(u'<ul class="errorlist">%s</ul>'
-                % ''.join([u'<li>%s%s</li>' % (k, force_unicode(v))
+                % ''.join([u'<li>%s%s</li>' % (k, conditional_escape(force_unicode(v)))
                     for k, v in self.items()]))
 
     def as_text(self):
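Review bot: The key `k` on the added line is still formatted into the `<li>` unescaped, and the whole string is wrapped in `mark_safe`, so only the message half of each item is protected. Keys are normally field names fixed by the form author, but ErrorDict accepts any dict, and a key built from request data (dynamically named fields, for example) would be emitted as markup. Escaping both halves keeps the output safe wherever the key came from: `% (conditional_escape(k), conditional_escape(force_unicode(v)))`. The class body continues outside the hunk.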

+ 4 - 0
tests/regressiontests/forms/tests/util.py

@@ -55,3 +55,7 @@ class FormsUtilTestCase(TestCase):
                          '<ul class="errorlist"><li>Example of link: &lt;a href=&quot;http://www.example.com/&quot;&gt;example&lt;/a&gt;</li></ul>')
         self.assertEqual(str(ErrorList([mark_safe(example)])),
                          '<ul class="errorlist"><li>Example of link: <a href="http://www.example.com/">example</a></li></ul>')
+        self.assertEqual(str(ErrorDict({'name': example})),
+                         '<ul class="errorlist"><li>nameExample of link: &lt;a href=&quot;http://www.example.com/&quot;&gt;example&lt;/a&gt;</li></ul>')
+        self.assertEqual(str(ErrorDict({'name': mark_safe(example)})),
+                         '<ul class="errorlist"><li>nameExample of link: <a href="http://www.example.com/">example</a></li></ul>')
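Review bot: Both added assertions pass a plain string as the dict value, while the context line just above them builds an `ErrorList`. If ErrorDict values are normally ErrorList instances, a case such as `ErrorDict({'name': ErrorList([example])})` would pin that the inner list's own `<ul class="errorlist">` is emitted once and not escaped a second time by the new `conditional_escape` call. A key containing markup also deserves one assertion, since the expected strings here only exercise the value. The test method starts outside the hunk.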