Fixed #11502 - wrong escaping in admin.

Thanks Tomasz Elendt. git-svn-id: http://code.djangoproject.com/svn/django/trunk@11497 bcc190cf-cafb-0310-a4f2-bffc1f526a37
author: Luke Plant <L.Plant.98@cantab.net> 2009-09-11 09:42:17 +0000
committer: Luke Plant <L.Plant.98@cantab.net> 2009-09-11 09:42:17 +0000
commit: 4decf03f9ceb0162a7de757cdb3985100faf028b (patch)
tree: 9a63eaac4eba04184dc31a05bfe61948693fa4b5 /django/contrib/admin/widgets.py
parent: 49cf7f4a5108431f4bcc4ea69c40a69e9379b3b5 (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/django/contrib/admin/widgets.py b/django/contrib/admin/widgets.py
index eacea44a31..fb5acb5295 100644
--- a/django/contrib/admin/widgets.py
+++ b/django/contrib/admin/widgets.py
@@ -7,6 +7,7 @@ import copy
 from django import forms
 from django.forms.widgets import RadioFieldRenderer
 from django.forms.util import flatatt
+from django.utils.html import escape
 from django.utils.text import truncate_words
 from django.utils.translation import ugettext as _
 from django.utils.safestring import mark_safe
@@ -148,7 +149,7 @@ class ForeignKeyRawIdWidget(forms.TextInput):
     def label_for_value(self, value):
         key = self.rel.get_related_field().name
         obj = self.rel.to._default_manager.get(**{key: value})
-        return '&nbsp;<strong>%s</strong>' % truncate_words(obj, 14)
+        return '&nbsp;<strong>%s</strong>' % escape(truncate_words(obj, 14))
 
 class ManyToManyRawIdWidget(ForeignKeyRawIdWidget):
     """
author	Luke Plant <L.Plant.98@cantab.net>	2009-09-11 09:42:17 +0000
committer	Luke Plant <L.Plant.98@cantab.net>	2009-09-11 09:42:17 +0000
commit	4decf03f9ceb0162a7de757cdb3985100faf028b (patch)
tree	9a63eaac4eba04184dc31a05bfe61948693fa4b5 /django/contrib/admin/widgets.py
parent	49cf7f4a5108431f4bcc4ea69c40a69e9379b3b5 (diff)