Escape help text in form builder forms by default

This can be disabled with the setting WAGTAILFORMS_HELP_TEXT_ALLOW_HTML

docs/reference/settings.rst

@@ -547,3 +547,16 @@ By default the redirect importer keeps track of the uploaded file as a temp file
 .. code-block:: python
 
    WAGTAIL_REDIRECTS_FILE_STORAGE = 'cache'
+
+Form builder
+============
+
+.. versionadded:: 2.7.4/2.9.3
+
+    The ``WAGTAILFORMS_HELP_TEXT_ALLOW_HTML`` option was added.
+
+.. code-block:: python
+
+    WAGTAILFORMS_HELP_TEXT_ALLOW_HTML = True
+
+When true, HTML tags in form field help text will be rendered unescaped (default: False).

wagtail/contrib/forms/forms.py

@@ -1,6 +1,8 @@
 from collections import OrderedDict
 
 import django.forms
+from django.conf import settings
+from django.utils.html import conditional_escape
 from django.utils.translation import gettext_lazy as _
 
 from wagtail.admin.forms import WagtailAdminPageForm
@@ -114,7 +116,10 @@ class FormBuilder:
     def get_field_options(self, field):
         options = {}
         options['label'] = field.label
-        options['help_text'] = field.help_text
+        if getattr(settings, 'WAGTAILFORMS_HELP_TEXT_ALLOW_HTML', False):
+            options['help_text'] = field.help_text
+        else:
+            options['help_text'] = conditional_escape(field.help_text)
         options['required'] = field.required
         options['initial'] = field.default_value
         return options

wagtail/contrib/forms/tests/test_models.py

@@ -29,9 +29,18 @@ class TestFormSubmission(TestCase):
         self.assertTemplateUsed(response, 'tests/form_page.html')
         self.assertTemplateNotUsed(response, 'tests/form_page_landing.html')
 
+        # HTML in help text should be escaped
+        self.assertContains(response, "<em>please</em> be polite")
+
         # check that variables defined in get_context are passed through to the template (#1429)
         self.assertContains(response, "<p>hello world</p>")
 
+    @override_settings(WAGTAILFORMS_HELP_TEXT_ALLOW_HTML=True)
+    def test_get_form_without_help_text_escaping(self):
+        response = self.client.get('/contact-us/')
+        # HTML in help text should not be escaped
+        self.assertContains(response, "<em>please</em> be polite")
+
     def test_post_invalid_form(self):
         response = self.client.post('/contact-us/', {
             'your_email': 'bob',

wagtail/contrib/forms/tests/utils.py

@@ -28,6 +28,7 @@ def make_form_page(**kwargs):
         label="Your message",
         field_type='multiline',
         required=True,
+        help_text="<em>please</em> be polite"
     )
     FormField.objects.create(
         page=form_page,