--- a/web/views/editforms.py Wed May 13 11:01:40 2009 +0200
+++ b/web/views/editforms.py Wed May 13 11:02:40 2009 +0200
@@ -102,10 +102,11 @@
if getattr(entity, rtype) is None:
value = default or self.req._('not specified')
else:
- value = entity.printable_value(rtype)
+ value = html_escape(entity.printable_value(rtype))
else:
rset = entity.related(rtype, role)
- value = self.view(vid, rset, 'null') or default
+ # XXX html_escape but that depends of the actual vid
+ value = html_escape(self.view(vid, rset, 'null') or default)
if not entity.has_perm('update'):
self.w(value)
return
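Review bot: The `default` fallback is now escaped on the relation path (`html_escape(self.view(vid, rset, 'null') or default)`) but still written raw on the attribute path (`value = default or self.req._('not specified')`), so the two branches disagree on whether `default` is plain text or markup. If `default` is meant to be plain text, escape it in the None branch as well, e.g. `value = html_escape(default or self.req._('not specified'))`. Separately, escaping the rendered view output will double-encode any markup that the view itself emits, which the XXX comment already hints at. It would be more robust to make each vid responsible for escaping its own data and to escape only the `default` fallback here. The enclosing method starts and ends outside this hunk, so whether `default` or the view output can carry user-controlled content cannot be confirmed from these lines.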