Merge pull request #279 from nopri/master

using safestr in web.form.Dropdown._render_option

web/form.py

@@ -253,7 +253,13 @@ def _render_option(self, arg, indent='  '):
         else:
             value, desc = arg, arg 
 
-        if self.value == value or (isinstance(self.value, list) and value in self.value):
+        value = utils.safestr(value)
+        if isinstance(self.value, (tuple, list)):
+            s_value = [utils.safestr(x) for x in self.value]
+        else:
+            s_value = utils.safestr(self.value)
+
+        if s_value == value or (isinstance(s_value, list) and value in s_value):
             select_p = ' selected="selected"'
         else:
             select_p = ''