button label needs escaping

zopefoundation · Nov 16, 2009 · 832edf0 · 832edf0
1 parent 49b5678
commit 832edf0
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/src/zope/formlib/form.py b/src/zope/formlib/form.py
@@ -18,6 +18,7 @@
 import re
 import sys
 import pytz
+from cgi import escape
 
 import zope.event
 import zope.i18n
@@ -618,7 +619,7 @@ def render_submit_button(self):
         label = zope.i18n.translate(self.label, context=self.form.request)
     return ('<input type="submit" id="%s" name="%s" value="%s"'
             ' class="button" />' %
-            (self.__name__, self.__name__, label)
+            (self.__name__, self.__name__, escape(label))
             )
 
 class action: