diff --git a/tests/regressiontests/forms/regressions.py b/tests/regressiontests/forms/regressions.py
index 51aa41d2fb..9471932057 100644
--- a/tests/regressiontests/forms/regressions.py
+++ b/tests/regressiontests/forms/regressions.py
@@ -102,4 +102,34 @@ u'>> f.as_table()
 u''
+###################################################
+# Tests for XSS vulnerabilities in error messages #
+###################################################
+
+# The forms layer doesn't escape input values directly because error messages
+# might be presented in non-HTML contexts. Instead, the message is just marked
+# for escaping by the template engine. So we'll need to construct a little
+# silly template to trigger the escaping.
+
+>>> from django.template import Template, Context
+>>> t = Template('{{ form.errors }}')
+
+>>> class SomeForm(Form):
+... field = ChoiceField(choices=[('one', 'One')])
+>>> f = SomeForm({'field': '