# HG changeset patch
# User Sylvain Thénault <sylvain.thenault@logilab.fr>
# Date 1261569953 -3600
# Node ID 4458c7cc193bbfe4c19a0586a27fc323a596341d
# Parent  e972fc3067193c93895ed48f52d17bde051b8dbb
must escape user_rql_callback

diff -r e972fc306719 -r 4458c7cc193b web/box.py
--- a/web/box.py	Wed Dec 23 11:57:03 2009 +0100
+++ b/web/box.py	Wed Dec 23 13:05:53 2009 +0100
@@ -190,7 +190,7 @@
         args = {role[0] : entity.eid, target[0] : etarget.eid}
         url = self.user_rql_callback((rql, args))
         # for each target, provide a link to edit the relation
-        label = u'[<a href="%s">%s</a>] %s' % (url, label,
+        label = u'[<a href="%s">%s</a>] %s' % (xml_escape(url), label,
                                                etarget.view('incontext'))
         return RawBoxItem(label, liclass=u'invisible')