authorMoritz Sichert <moritz.sichert@googlemail.com>2015-03-10 21:21:28 +0100
committerTim Graham <timograham@gmail.com>2015-03-18 09:11:44 -0400
commit571e093a258b00b25c24481af7acf0d0a034ec8c (patch)
treecc7a23f375ac4429086a7f0b5dec6456dd1a84c3
parent1cd2584c980ca547ba34d7b0f9d2dc89569803fb (diff)
[1.8.x] Refs #24469 -- Fixed escaping of forms, fields, and media in non-Django templates.
Backport of 6bff3439894ac22d80f270f36513fc86586273f3 from master
-rw-r--r--django/forms/forms.py6
-rw-r--r--django/forms/widgets.py3
-rw-r--r--tests/template_backends/jinja2/template_backends/django_escaping.html5
-rw-r--r--tests/template_backends/templates/template_backends/django_escaping.html5
-rw-r--r--tests/template_backends/test_dummy.py19
5 files changed, 37 insertions, 1 deletions
diff --git a/django/forms/forms.py b/django/forms/forms.py
index 16fc5b00f2..869cc83283 100644
--- a/django/forms/forms.py
+++ b/django/forms/forms.py
@@ -138,6 +138,9 @@ class BaseForm(object):
self.fields = copy.deepcopy(self.base_fields)
self._bound_fields_cache = {}
+ def __html__(self):
+ return force_text(self)
+
def __str__(self):
return self.as_table()
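Review bot: The new `__html__` on `BaseForm` has no docstring, yet it carries a security contract: engines that honour the `__html__` protocol (Jinja2 via markupsafe) insert the returned string without autoescaping it. The output of `__str__` / `as_table()` therefore becomes the only escaping layer, so every label, error message, help text and widget attribute rendered there must already be escaped or deliberately marked safe. I would add a docstring such as `"""Return the rendered form as already-escaped HTML; template engines will not escape it again."""`. The same applies to `BoundField.__html__` in the second hunk and `Media.__html__` in django/forms/widgets.py. The class bodies start and end outside these hunks, so the escaping inside `as_table()` and `render()` cannot be confirmed from here.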
@@ -534,6 +537,9 @@ class BoundField(object):
self.help_text = field.help_text or ''
self._initial_value = UNSET
+ def __html__(self):
+ return force_text(self)
+
def __str__(self):
"""Renders this field as an HTML widget."""
if self.field.show_hidden_initial:
diff --git a/django/forms/widgets.py b/django/forms/widgets.py
index 0ed7613d0f..811852bb0b 100644
--- a/django/forms/widgets.py
+++ b/django/forms/widgets.py
@@ -44,6 +44,9 @@ class Media(object):
for name in MEDIA_TYPES:
getattr(self, 'add_' + name)(media_attrs.get(name, None))
+ def __html__(self):
+ return force_text(self)
+
def __str__(self):
return self.render()
diff --git a/tests/template_backends/jinja2/template_backends/django_escaping.html b/tests/template_backends/jinja2/template_backends/django_escaping.html
new file mode 100644
index 0000000000..a5ce51b109
--- /dev/null
+++ b/tests/template_backends/jinja2/template_backends/django_escaping.html
@@ -0,0 +1,5 @@
+{{ media }}
+
+{{ test_formĀ }}
+
+{{ test_form.test_field }}
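Review bot: The line `{{ test_formĀ }}` shows a non-ASCII character between `test_form` and the closing braces, here and in the identical Django-backend template in the next file. If that character is really in the file (possibly a non-breaking space) rather than an artefact of this page, the two engines may tokenise the variable name differently or fail to parse it. Replacing it with a plain space, `{{ test_form }}`, removes the doubt.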
diff --git a/tests/template_backends/templates/template_backends/django_escaping.html b/tests/template_backends/templates/template_backends/django_escaping.html
new file mode 100644
index 0000000000..a5ce51b109
--- /dev/null
+++ b/tests/template_backends/templates/template_backends/django_escaping.html
@@ -0,0 +1,5 @@
+{{ media }}
+
+{{ test_formĀ }}
+
+{{ test_form.test_field }}
diff --git a/tests/template_backends/test_dummy.py b/tests/template_backends/test_dummy.py
index 5f9a8dccb3..b529b70756 100644
--- a/tests/template_backends/test_dummy.py
+++ b/tests/template_backends/test_dummy.py
@@ -2,6 +2,7 @@
from __future__ import unicode_literals
+from django.forms import CharField, Form, Media
from django.http import HttpRequest
from django.middleware.csrf import CsrfViewMiddleware, get_token
from django.template import TemplateDoesNotExist, TemplateSyntaxError
@@ -43,7 +44,7 @@ class TemplateStringsTests(SimpleTestCase):
# There's no way to trigger a syntax error with the dummy backend.
# The test still lives here to factor it between other backends.
if self.backend_name == 'dummy':
- return
+ self.skipTest("test doesn't apply to dummy backend")
with self.assertRaises(TemplateSyntaxError):
self.engine.get_template('template_backends/syntax_error.html')
@@ -55,6 +56,22 @@ class TemplateStringsTests(SimpleTestCase):
self.assertIn('&lt;script&gt;', content)
self.assertNotIn('<script>', content)
+ def test_django_html_escaping(self):
+ if self.backend_name == 'dummy':
+ self.skipTest("test doesn't apply to dummy backend")
+
+ class TestForm(Form):
+ test_field = CharField()
+
+ media = Media(js=['my-script.js'])
+ form = TestForm()
+ template = self.engine.get_template('template_backends/django_escaping.html')
+ content = template.render({'media': media, 'test_form': form})
+
+ expected = '{}\n\n{}\n\n{}'.format(media, form, form['test_field'])
+
+ self.assertHTMLEqual(content, expected)
+
def test_csrf_token(self):
request = HttpRequest()
CsrfViewMiddleware().process_view(request, lambda r: None, (), {})
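Review bot: `test_django_html_escaping` builds `expected` from the same `__str__` output it is checking, and the form holds no HTML-special characters. It therefore only shows that the markup is not double-escaped, and it would still pass if a user-supplied value reached the page unescaped. Since `__html__` opts these objects out of the engine's autoescaping, I would also render a form with data that needs escaping, e.g. `form = TestForm(initial={'test_field': '<script>'})`, and check `self.assertIn('&lt;script&gt;', content)` for each backend. `test_csrf_token` at the end of the hunk continues outside it.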