Fixed #28902 -- Fixed password_validators_help_text_html() double escaping.

author: Alvin Lindstam <alvin.lindstam@gmail.com> 2018-01-03 01:51:06 +0100
committer: Tim Graham <timograham@gmail.com> 2018-01-02 19:51:06 -0500
commit: 2cb6b7732dc7b172797cebb1e8f19be2de89e264 (patch)
tree: 6528306d87bf35bfde9bf1f5d970c2baca1aeb52 /django/contrib/auth/password_validation.py
parent: c86e9b5847bc2853fc6a3fcfbf8daa56786d3210 (diff)
1 files changed, 3 insertions, 3 deletions
diff --git a/django/contrib/auth/password_validation.py b/django/contrib/auth/password_validation.py
index 1350dec9c8..4c26e88ac8 100644
--- a/django/contrib/auth/password_validation.py
+++ b/django/contrib/auth/password_validation.py
@@ -9,7 +9,7 @@ from django.core.exceptions import (
     FieldDoesNotExist, ImproperlyConfigured, ValidationError,
 )
 from django.utils.functional import lazy
-from django.utils.html import format_html
+from django.utils.html import format_html, format_html_join
 from django.utils.module_loading import import_string
 from django.utils.translation import gettext as _, ngettext
 
@@ -81,8 +81,8 @@ def _password_validators_help_text_html(password_validators=None):
     in an <ul>.
     """
     help_texts = password_validators_help_texts(password_validators)
-    help_items = [format_html('<li>{}</li>', help_text) for help_text in help_texts]
-    return '<ul>%s</ul>' % ''.join(help_items) if help_items else ''
+    help_items = format_html_join('', '<li>{}</li>', ((help_text,) for help_text in help_texts))
+    return format_html('<ul>{}</ul>', help_items) if help_items else ''
 
 
 password_validators_help_text_html = lazy(_password_validators_help_text_html, str)
author	Alvin Lindstam <alvin.lindstam@gmail.com>	2018-01-03 01:51:06 +0100
committer	Tim Graham <timograham@gmail.com>	2018-01-02 19:51:06 -0500
commit	2cb6b7732dc7b172797cebb1e8f19be2de89e264 (patch)
tree	6528306d87bf35bfde9bf1f5d970c2baca1aeb52 /django/contrib/auth/password_validation.py
parent	c86e9b5847bc2853fc6a3fcfbf8daa56786d3210 (diff)