# HG changeset patch
# User sylvain.thenault@logilab.fr
# Date 1242205360 -7200
# Node ID 311026c9073a0676538f0433eea67fdf39c0ba9d
# Parent  f450f1594992cc62b570158458c5b1692b0da943
xhmlt fix

diff -r f450f1594992 -r 311026c9073a web/views/editforms.py
--- a/web/views/editforms.py	Wed May 13 11:01:40 2009 +0200
+++ b/web/views/editforms.py	Wed May 13 11:02:40 2009 +0200
@@ -102,10 +102,11 @@
             if getattr(entity, rtype) is None:
                 value = default or self.req._('not specified')
             else:
-                value = entity.printable_value(rtype)
+                value = html_escape(entity.printable_value(rtype))
         else:
             rset = entity.related(rtype, role)
-            value = self.view(vid, rset, 'null') or default
+            # XXX html_escape but that depends of the actual vid
+            value = html_escape(self.view(vid, rset, 'null') or default)
         if not entity.has_perm('update'):
             self.w(value)
             return