# HG changeset patch
# User Rémi Cardona <remi.cardona@logilab.fr>
# Date 1444984594 -7200
# Node ID ddeac3ecdd88237360c9cdbdcb4a6d40a47f0e24
# Parent  d666c9386b5852297d951576bc27da29f105a54f
[web] xml_escape CheckBox and Radio labels (closes #7672764)

diff -r d666c9386b58 -r ddeac3ecdd88 web/formwidgets.py
--- a/web/formwidgets.py	Fri Nov 20 14:17:46 2015 +0100
+++ b/web/formwidgets.py	Fri Oct 16 10:36:34 2015 +0200
@@ -618,7 +618,7 @@
                 iattrs['checked'] = u'checked'
             tag = tags.input(name=field.input_name(form, self.suffix),
                              type=self.type, value=value, **iattrs)
-            options.append(u'%s&#160;%s' % (tag, label))
+            options.append(u'%s&#160;%s' % (tag, xml_escape(label)))
         return sep.join(options)
 
 
diff -r d666c9386b58 -r ddeac3ecdd88 web/test/unittest_formwidgets.py
--- a/web/test/unittest_formwidgets.py	Fri Nov 20 14:17:46 2015 +0100
+++ b/web/test/unittest_formwidgets.py	Fri Oct 16 10:36:34 2015 +0200
@@ -17,27 +17,15 @@
 # with CubicWeb.  If not, see <http://www.gnu.org/licenses/>.
 """unittests for cw.web.formwidgets"""
 
-from logilab.common.testlib import TestCase, unittest_main, mock_object as mock
+from logilab.common.testlib import unittest_main, mock_object as mock
 
-from cubicweb.devtools import TestServerConfiguration, fake
+from cubicweb.devtools import fake
+from cubicweb.devtools.testlib import CubicWebTC
 from cubicweb.web import formwidgets, formfields
-
-from cubes.file.entities import File
+from cubicweb.web.views.forms import FieldsForm
 
 
-class WidgetsTC(TestCase):
-
-    @classmethod
-    def setUpClass(cls):
-        super(WidgetsTC, cls).setUpClass()
-        config = TestServerConfiguration('data', apphome=cls.datadir)
-        config.bootstrap_cubes()
-        cls.schema = config.load_schema()
-
-    @classmethod
-    def tearDownClass(cls):
-        del cls.schema
-        super(WidgetsTC, cls).tearDownClass()
+class WidgetsTC(CubicWebTC):
 
     def test_editableurl_widget(self):
         field = formfields.guess_field(self.schema['Bookmark'], self.schema['path'])
@@ -63,5 +51,21 @@
         self.assertEqual(widget.process_field_data(form, field),
                          3)
 
+    def test_xml_escape_checkbox(self):
+        class TestForm(FieldsForm):
+            bool = formfields.BooleanField(ignore_req_params=True,
+                choices=[('python >> others', '1')],
+                widget=formwidgets.CheckBox())
+        with self.admin_access.web_request() as req:
+            form = TestForm(req, None)
+            form.build_context()
+            field = form.field_by_name('bool')
+            widget = field.widget
+            self.assertMultiLineEqual(widget._render(form, field, None),
+                '<input id="bool" name="bool" tabindex="1" '
+                'type="checkbox" value="1" />&#160;'
+                'python &gt;&gt; others')
+
+
 if __name__ == '__main__':
     unittest_main()