web/views/editforms.py
branchstable
changeset 4238 b8ea99f5e8ea
parent 4212 ab6573088b4a
child 4242 b4b39745d26e
--- a/web/views/editforms.py	Tue Jan 12 17:24:46 2010 +0100
+++ b/web/views/editforms.py	Wed Jan 13 18:04:29 2010 +0100
@@ -91,8 +91,8 @@
         w(u'<ul>\n')
         for entity in self.rset.entities():
             # don't use outofcontext view or any other that may contain inline edition form
-            w(u'<li>%s</li>' % tags.a(entity.view('textoutofcontext'),
-                                      href=entity.absolute_url()))
+            w(u'<li>%s</li>' % tags.a(xml_escape(entity.view('textoutofcontext')),
+                                      href=xml_escape(entity.absolute_url())))
         w(u'</ul>\n')
         w(form.render())
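Review bot: The two `xml_escape()` calls added on the `tags.a(...)` line are only correct if `tags.a` inserts its content and its `href` attribute verbatim. If the helper already escapes either of them, an entity title or URL containing `&` would now be rendered double-encoded (`&amp;amp;`), so confirm the helper's contract and record it in the comment above the call, for example `# textoutofcontext is plain text and tags.a is assumed not to escape: escape content and href here`. The hunk does not show an import of `xml_escape`, so the change assumes that name is already in scope in editforms.py. A regression test that renders this list for an entity whose title contains `<` and `&` would pin both the escaping and the absence of double-encoding. The enclosing method starts and ends outside the hunk.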