Escape unsafe characters in label text, fixed #315

tests/test_fields.py

@@ -74,6 +74,17 @@ def test_override_for(self):
         self.assertEqual(label(for_='foo'), """<label for="foo">Caption</label>""")
         self.assertEqual(label(**{'for': 'bar'}), """<label for="bar">Caption</label>""")
 
+    def test_escaped_label_text(self):
+        label = Label('test', '<script>alert("test");</script>')
+        self.assertEqual(
+            label(for_='foo'),
+            """<label for="foo">&lt;script&gt;alert(&quot;test&quot;);&lt;/script&gt;</label>"""
+        )
+        self.assertEqual(
+            label(**{'for': 'bar'}),
+            """<label for="bar">&lt;script&gt;alert(&quot;test&quot;);&lt;/script&gt;</label>"""
+        )
+
 
 class FlagsTest(TestCase):
     def setUp(self):

wtforms/fields/core.py

@@ -383,7 +383,7 @@ class Label(object):
     """
     def __init__(self, field_id, text):
         self.field_id = field_id
-        self.text = text
+        self.text = widgets.escape_html(text)
 
     def __str__(self):
         return self()
@@ -401,7 +401,12 @@ def __call__(self, text=None, **kwargs):
             kwargs.setdefault('for', self.field_id)
 
         attributes = widgets.html_params(**kwargs)
-        return Markup('<label %s>%s</label>' % (attributes, text or self.text))
+        if text:
+            text = widgets.escape_html(text)
+
+        return widgets.HTMLString(
+            '<label %s>%s</label>' % (attributes, text or self.text)
+        )
 
     def __repr__(self):
         return 'Label(%r, %r)' % (self.field_id, self.text)