Fixed #28902 -- Fixed password_validators_help_text_html() double escaping.

1 files changed, 10 insertions, 0 deletions

diff --git a/tests/auth_tests/test_validators.py b/tests/auth_tests/test_validators.py
index 068dec9981..d43efc6a3c 100644
--- a/tests/auth_tests/test_validators.py
+++ b/tests/auth_tests/test_validators.py
@@ -13,6 +13,7 @@ from django.core.exceptions import ValidationError
 from django.db import models
 from django.test import TestCase, override_settings
 from django.test.utils import isolate_apps
+from django.utils.html import conditional_escape
 
 
 @override_settings(AUTH_PASSWORD_VALIDATORS=[
@@ -68,6 +69,15 @@ class PasswordValidationTest(TestCase):
         self.assertEqual(help_text.count('<li>'), 2)
         self.assertIn('12 characters', help_text)
 
+    def test_password_validators_help_text_html_escaping(self):
+        class AmpersandValidator:
+            def get_help_text(self):
+                return 'Must contain &'
+        help_text = password_validators_help_text_html([AmpersandValidator()])
+        self.assertEqual(help_text, '<ul><li>Must contain &amp;</li></ul>')
+        # help_text is marked safe and therefore unchanged by conditional_escape().
+        self.assertEqual(help_text, conditional_escape(help_text))
+
     @override_settings(AUTH_PASSWORD_VALIDATORS=[])
     def test_empty_password_validator_help_text_html(self):
         self.assertEqual(password_validators_help_text_html(), '')