Merged r69795:69796 from 2.9 branch.

ZTUtils.make_hidden_input did not escape double-quotes.
Fixes http://www.zope.org/Collectors/Zope/2175

lib/python/ZTUtils/Zope.py

@@ -200,7 +200,7 @@ def make_hidden_input(*args, **kwargs):
         d.update(arg)
     d.update(kwargs)
 
-    hq = cgi.escape
+    hq = lambda x:cgi.escape(x, quote=True)
     qlist = complex_marshal(d.items())
     for i in range(len(qlist)):
         k, m, v = qlist[i]

lib/python/ZTUtils/tests/testZope.py

@@ -5,6 +5,7 @@ from unittest import TestCase, makeSuite, main
 import string
 import urllib
 from ZTUtils.Zope import make_query, complex_marshal
+from ZTUtils.Zope import make_hidden_input
 from DateTime import DateTime
 
 class QueryTests(TestCase):
@@ -50,6 +51,18 @@ class QueryTests(TestCase):
                            record=record, string=str_)
         assert query == 'date:date=%s&integer:int=1&listing:int:list=1&listing:date:list=%s&listing:list=str&string=str&record.arg1:int:list:record=1&record.arg1:date:list:record=%s&record.arg1:list:record=str&record.arg2:int:record=1'%(quote_date,quote_date,quote_date)
 
+    def testMakeHiddenInput(self):
+        tag = make_hidden_input(foo='bar')
+        self.assertEqual(tag, '<input type="hidden" name="foo" value="bar">')
+        tag = make_hidden_input(foo=1)
+        self.assertEqual(tag, '<input type="hidden" name="foo:int" value="1">')
+        # Escaping
+        tag = make_hidden_input(foo='bar & baz')
+        self.assertEqual(tag, '<input type="hidden" name="foo" value="bar &amp; baz">')
+        tag = make_hidden_input(foo='<bar>')
+        self.assertEqual(tag, '<input type="hidden" name="foo" value="&lt;bar&gt;">')
+        tag = make_hidden_input(foo='"bar"')
+        self.assertEqual(tag, '<input type="hidden" name="foo" value="&quot;bar&quot;">')
 
 def test_suite():
     return makeSuite(QueryTests)