use xml_escape stable
authorSylvain Thénault <sylvain.thenault@logilab.fr>
Tue, 07 Jul 2009 13:26:44 +0200
branchstable
changeset 2312 af4d8f75c5db
parent 2311 f178182b1305
child 2313 2940c2341ae4
use xml_escape
common/uilib.py
entity.py
ext/html4zope.py
ext/rest.py
goa/appobjects/components.py
goa/appobjects/dbmgmt.py
view.py
web/box.py
web/component.py
web/facet.py
web/formfields.py
web/htmlwidgets.py
web/request.py
web/views/basecomponents.py
web/views/basecontrollers.py
web/views/baseforms.py
web/views/basetemplates.py
web/views/baseviews.py
web/views/bookmark.py
web/views/boxes.py
web/views/calendar.py
web/views/cwproperties.py
web/views/cwuser.py
web/views/debug.py
web/views/editforms.py
web/views/editviews.py
web/views/emailaddress.py
web/views/facets.py
web/views/formrenderers.py
web/views/ibreadcrumbs.py
web/views/idownloadable.py
web/views/iprogress.py
web/views/isioc.py
web/views/management.py
web/views/navigation.py
web/views/old_calendar.py
web/views/plots.py
web/views/primary.py
web/views/schema.py
web/views/startup.py
web/views/tableview.py
web/views/tabs.py
web/views/timeline.py
web/views/timetable.py
web/views/treeview.py
web/views/workflow.py
web/views/xbel.py
web/widgets.py
--- a/common/uilib.py	Tue Jul 07 13:25:24 2009 +0200
+++ b/common/uilib.py	Tue Jul 07 13:26:44 2009 +0200
@@ -15,7 +15,7 @@
 from urllib import quote as urlquote
 from StringIO import StringIO
 
-from logilab.mtconverter import html_escape, html_unescape
+from logilab.mtconverter import xml_escape, html_unescape
 
 from cubicweb.utils import ustrftime
 
@@ -66,7 +66,7 @@
 except ImportError:
     def rest_publish(entity, data):
         """default behaviour if docutils was not found"""
-        return html_escape(data)
+        return xml_escape(data)
 
 TAG_PROG = re.compile(r'</?.*?>', re.U)
 def remove_html_tags(text):
@@ -108,7 +108,7 @@
     if len(text_nohtml) <= length:
         return text
     # else if un-tagged text is too long, cut it
-    return html_escape(text_nohtml[:length] + u'...')
+    return xml_escape(text_nohtml[:length] + u'...')
 
 fallback_safe_cut = safe_cut
 
@@ -220,12 +220,12 @@
             attrs['class'] = attrs.pop('klass')
         except KeyError:
             pass
-        value += u' ' + u' '.join(u'%s="%s"' % (attr, html_escape(unicode(value)))
+        value += u' ' + u' '.join(u'%s="%s"' % (attr, xml_escape(unicode(value)))
                                   for attr, value in sorted(attrs.items())
                                   if value is not None)
     if content:
         if escapecontent:
-            content = html_escape(unicode(content))
+            content = xml_escape(unicode(content))
         value += u'>%s</%s>' % (content, tag)
     else:
         value += u'/>'
@@ -406,9 +406,9 @@
         strings.append(body)
         strings.append(u'</div>')
     if title:
-        strings.append(u'<h1 class="error">%s</h1>'% html_escape(title))
+        strings.append(u'<h1 class="error">%s</h1>'% xml_escape(title))
     try:
-        strings.append(u'<p class="error">%s</p>' % html_escape(str(exception)).replace("\n","<br />"))
+        strings.append(u'<p class="error">%s</p>' % xml_escape(str(exception)).replace("\n","<br />"))
     except UnicodeError:
         pass
     strings.append(u'<div class="error_traceback">')
@@ -416,9 +416,9 @@
         strings.append(u'<b>File</b> <b class="file">%s</b>, <b>line</b> '
                        u'<b class="line">%s</b>, <b>function</b> '
                        u'<b class="function">%s</b>:<br/>'%(
-            html_escape(stackentry[0]), stackentry[1], html_escape(stackentry[2])))
+            xml_escape(stackentry[0]), stackentry[1], xml_escape(stackentry[2])))
         if stackentry[3]:
-            string = html_escape(stackentry[3]).decode('utf-8', 'replace')
+            string = xml_escape(stackentry[3]).decode('utf-8', 'replace')
             strings.append(u'&nbsp;&nbsp;%s<br/>\n' % (string))
         # add locals info for each entry
         try:
@@ -426,7 +426,7 @@
             html_info = []
             chars = 0
             for name, value in local_context.iteritems():
-                value = html_escape(repr(value))
+                value = xml_escape(repr(value))
                 info = u'<span class="name">%s</span>=%s, ' % (name, value)
                 line_length = len(name) + len(value)
                 chars += line_length
@@ -491,5 +491,5 @@
     def newfunc(*args, **kwargs):
         ret = function(*args, **kwargs)
         assert isinstance(ret, basestring)
-        return html_escape(ret)
+        return xml_escape(ret)
     return newfunc
--- a/entity.py	Tue Jul 07 13:25:24 2009 +0200
+++ b/entity.py	Tue Jul 07 13:26:44 2009 +0200
@@ -13,7 +13,7 @@
 from logilab.common.compat import all
 from logilab.common.decorators import cached
 from logilab.common.deprecation import obsolete
-from logilab.mtconverter import TransformData, TransformError, html_escape
+from logilab.mtconverter import TransformData, TransformError, xml_escape
 
 from rql.utils import rqlvar_maker
 
@@ -456,7 +456,7 @@
             return u''
         value = printable_value(self.req, attrtype, value, props, displaytime)
         if format == 'text/html':
-            value = html_escape(value)
+            value = xml_escape(value)
         return value
 
     def mtc_transform(self, data, format, target_format, encoding,
--- a/ext/html4zope.py	Tue Jul 07 13:25:24 2009 +0200
+++ b/ext/html4zope.py	Tue Jul 07 13:26:44 2009 +0200
@@ -24,7 +24,7 @@
 
 __docformat__ = 'reStructuredText'
 
-from logilab.mtconverter import html_escape
+from logilab.mtconverter import xml_escape
 
 from docutils import nodes
 from docutils.writers.html4css1 import Writer as CSS1Writer
@@ -154,7 +154,7 @@
         error = u'System Message: %s%s/%s%s (%s %s)%s</p>\n' % (
             a_start, node['type'], node['level'], a_end,
             self.encode(node['source']), line, backref_text)
-        self.body.append(u'<div class="system-message"><b>ReST / HTML errors:</b>%s</div>' % html_escape(error))
+        self.body.append(u'<div class="system-message"><b>ReST / HTML errors:</b>%s</div>' % xml_escape(error))
 
     def depart_system_message(self, node):
         pass
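Review bot: The string passed to `xml_escape` in this system-message visitor already ends with a literal `</p>` and embeds `a_start`/`a_end`, so that markup is escaped together with the text and shows up as visible characters instead of structure. If `a_start`/`a_end` hold anchor tags (their definition is outside the hunk), the back-link is lost as well. Escaping the individual fields (`node['type']`, `node['level']`, `line`) before formatting and leaving the template markup alone would keep the output well-formed. `self.encode(...)` may already escape its argument, in which case the source name is escaped twice; please confirm.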
--- a/ext/rest.py	Tue Jul 07 13:25:24 2009 +0200
+++ b/ext/rest.py	Tue Jul 07 13:26:44 2009 +0200
@@ -29,7 +29,7 @@
 from docutils.parsers.rst import Parser, states, directives
 from docutils.parsers.rst.roles import register_canonical_role, set_classes
 
-from logilab.mtconverter import ESC_UCAR_TABLE, ESC_CAR_TABLE, html_escape
+from logilab.mtconverter import ESC_UCAR_TABLE, ESC_CAR_TABLE, xml_escape
 
 from cubicweb.ext.html4zope import Writer
 
@@ -236,5 +236,5 @@
         LOGGER.exception('error while publishing ReST text')
         if not isinstance(data, unicode):
             data = unicode(data, encoding, 'replace')
-        return html_escape(req._('error while publishing ReST text')
+        return xml_escape(req._('error while publishing ReST text')
                            + '\n\n' + data)
--- a/goa/appobjects/components.py	Tue Jul 07 13:25:24 2009 +0200
+++ b/goa/appobjects/components.py	Tue Jul 07 13:26:44 2009 +0200
@@ -7,7 +7,7 @@
 """
 __docformat__ = "restructuredtext en"
 
-from logilab.mtconverter import html_escape
+from logilab.mtconverter import xml_escape
 
 from cubicweb import typed_eid
 from cubicweb.selectors import one_line_rset, match_search_state, accept
@@ -74,7 +74,7 @@
         label = display_name(req, etype, 'plural')
         view = self.vreg.select_view('list', req, req.etype_rset(etype))
         url = view.url()
-        etypelink = u'&nbsp;<a href="%s">%s</a>' % (html_escape(url), label)
+        etypelink = u'&nbsp;<a href="%s">%s</a>' % (xml_escape(url), label)
         yield (label, etypelink, self.add_entity_link(eschema, req))
 
 ManageView.entity_types = entity_types_no_count
--- a/goa/appobjects/dbmgmt.py	Tue Jul 07 13:25:24 2009 +0200
+++ b/goa/appobjects/dbmgmt.py	Tue Jul 07 13:26:44 2009 +0200
@@ -12,7 +12,7 @@
 from pickle import loads, dumps
 
 from logilab.common.decorators import cached
-from logilab.mtconverter import html_escape
+from logilab.mtconverter import xml_escape
 
 from cubicweb.selectors import none_rset, match_user_groups
 from cubicweb.common.view import StartupView
@@ -54,7 +54,7 @@
                     break
         values.append('__session=%s' % cookie['__session'].value)
         self.w(u"<p>pass this flag to the client: --cookie='%s'</p>"
-               % html_escape('; '.join(values)))
+               % xml_escape('; '.join(values)))
 
 
 
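Review bot: The `self.w(...)` call in this hunk renders the live `__session` cookie value into the page body, so the response itself becomes a credential. Escaping keeps the markup well-formed but does nothing for confidentiality: the view needs to be limited to administrators and served with headers that prevent caching, and neither is visible in the hunk, so please confirm. I would add a comment above the call such as `# NOTE: emits a session credential - manager-only view, response must not be cached`. The enclosing method starts outside the hunk.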
@@ -148,7 +148,7 @@
                          % cpath)
                 self.w(u'<div>click <a href="%s?vid=contentclear">here</a> to '
                        '<b>delete all datastore content</b> so process can be '
-                       'reinitialized</div>' % html_escape(self.req.base_url()))
+                       'reinitialized</div>' % xml_escape(self.req.base_url()))
         Put(status)
 
     @property
@@ -159,11 +159,11 @@
                                              repo=self.config.repository())
 
     def msg(self, msg):
-        self.w(u'<div class="message">%s</div>' % html_escape(msg))
+        self.w(u'<div class="message">%s</div>' % xml_escape(msg))
     def redirect(self, msg):
         raise Redirect(self.req.build_url('', msg))
     def continue_link(self):
-        self.w(u'<a href="%s">continue</a><br/>' % html_escape(self.req.url()))
+        self.w(u'<a href="%s">continue</a><br/>' % xml_escape(self.req.url()))
 
 
 class ContentClear(StartupView):
--- a/view.py	Tue Jul 07 13:25:24 2009 +0200
+++ b/view.py	Tue Jul 07 13:26:44 2009 +0200
@@ -12,7 +12,7 @@
 from cStringIO import StringIO
 
 from logilab.common.deprecation import obsolete
-from logilab.mtconverter import html_escape
+from logilab.mtconverter import xml_escape
 
 from cubicweb import NotAnEntity
 from cubicweb.selectors import yes, non_final_entity, nonempty_rset, none_rset
@@ -219,7 +219,7 @@
 
     def wdata(self, data):
         """simple helper that escapes `data` and writes into `self.w`"""
-        self.w(html_escape(data))
+        self.w(xml_escape(data))
 
     def html_headers(self):
         """return a list of html headers (eg something to be inserted between
@@ -440,10 +440,10 @@
             def cb(*args):
                 _cb(*args)
         cbname = self.req.register_onetime_callback(cb, *args)
-        return self.build_js(cbname, html_escape(msg or ''))
+        return self.build_js(cbname, xml_escape(msg or ''))
 
     def build_update_js_call(self, cbname, msg):
-        rql = html_escape(self.rset.printable_rql())
+        rql = xml_escape(self.rset.printable_rql())
         return "javascript:userCallbackThenUpdateUI('%s', '%s', '%s', '%s', '%s', '%s')" % (
             cbname, self.id, rql, msg, self.__registry__, self.div_id())
 
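Review bot: In `build_update_js_call` the RQL text is entity-escaped and then placed inside a single-quoted JavaScript string literal, which is the wrong escaping for that context. If the returned `javascript:` string ends up in an HTML attribute (presumably an `href`), the browser decodes character references before the script runs, so an escaped quote in the RQL is a real quote again and can terminate the literal. The value should be encoded as a JavaScript string first and entity-escaped second, the way web/views/baseforms.py in this same commit does with `xml_escape(dumps(eid))`: `rql = xml_escape(dumps(self.rset.printable_rql()))`, with the hand-written quotes around that argument removed (this needs simplejson's `dumps` imported in view.py). The same applies to `msg` in the method above and to the `loadxhtml('%s', '%s', '%s')` call in web/request.py.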
--- a/web/box.py	Tue Jul 07 13:25:24 2009 +0200
+++ b/web/box.py	Tue Jul 07 13:26:44 2009 +0200
@@ -8,7 +8,7 @@
 __docformat__ = "restructuredtext en"
 _ = unicode
 
-from logilab.mtconverter import html_escape
+from logilab.mtconverter import xml_escape
 
 from cubicweb import Unauthorized, role as get_role, target as get_target
 from cubicweb.selectors import (one_line_rset,  primary_view,
@@ -74,7 +74,7 @@
         .format_actions method
         """
         if escape:
-            title = html_escape(title)
+            title = xml_escape(title)
         return self.box_action(self._action(title, path, **kwargs))
 
     def _action(self, title, path, **kwargs):
--- a/web/component.py	Tue Jul 07 13:25:24 2009 +0200
+++ b/web/component.py	Tue Jul 07 13:26:44 2009 +0200
@@ -9,7 +9,7 @@
 _ = unicode
 
 from logilab.common.deprecation import class_renamed
-from logilab.mtconverter import html_escape
+from logilab.mtconverter import xml_escape
 
 from cubicweb import role
 from cubicweb.utils import merge_dicts
@@ -117,7 +117,7 @@
     def page_link(self, path, params, start, stop, content):
         url = self.build_url(path, **merge_dicts(params, {self.start_param : start,
                                                           self.stop_param : stop,}))
-        url = html_escape(url)
+        url = xml_escape(url)
         if start == self.starting_from:
             return self.selected_page_link_templ % (url, content, content)
         return self.page_link_templ % (url, content, content)
@@ -130,7 +130,7 @@
         stop = start + self.page_size - 1
         url = self.build_url(**merge_dicts(params, {self.start_param : start,
                                                     self.stop_param : stop,}))
-        url = html_escape(url)
+        url = xml_escape(url)
         return self.previous_page_link_templ % (url, title, content)
 
     def next_link(self, params, content='&gt;&gt;', title=_('next_results')):
@@ -140,7 +140,7 @@
         stop = start + self.page_size - 1
         url = self.build_url(**merge_dicts(params, {self.start_param : start,
                                                     self.stop_param : stop,}))
-        url = html_escape(url)
+        url = xml_escape(url)
         return self.next_page_link_templ % (url, title, content)
 
 
--- a/web/facet.py	Tue Jul 07 13:25:24 2009 +0200
+++ b/web/facet.py	Tue Jul 07 13:26:44 2009 +0200
@@ -12,7 +12,7 @@
 from copy import deepcopy
 from datetime import date, datetime, timedelta
 
-from logilab.mtconverter import html_escape
+from logilab.mtconverter import xml_escape
 
 from logilab.common.graph import has_path
 from logilab.common.decorators import cached
@@ -71,7 +71,7 @@
 def filter_hiddens(w, **kwargs):
     for key, val in kwargs.items():
         w(u'<input type="hidden" name="%s" value="%s" />' % (
-            key, html_escape(val)))
+            key, xml_escape(val)))
 
 
 def _may_be_removed(rel, schema, mainvar):
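Review bot: `filter_hiddens` escapes `val` but writes `key` into the `name` attribute unescaped, so a key containing `"` or `<` breaks out of the attribute. Keys arrive through `**kwargs`, which accepts arbitrary strings when a caller unpacks a dict, so they are not guaranteed to be plain identifiers. Escape both values: `xml_escape(key), xml_escape(val)))`.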
@@ -587,11 +587,11 @@
         self.items.append(item)
 
     def _render(self):
-        title = html_escape(self.facet.title)
-        facetid = html_escape(self.facet.id)
+        title = xml_escape(self.facet.title)
+        facetid = xml_escape(self.facet.id)
         self.w(u'<div id="%s" class="facet">\n' % facetid)
         self.w(u'<div class="facetTitle" cubicweb:facetName="%s">%s</div>\n' %
-               (html_escape(facetid), title))
+               (xml_escape(facetid), title))
         if self.facet.support_and():
             _ = self.facet.req._
             self.w(u'''<select name="%s" class="radio facetOperator" title="%s">
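Review bot: `facetid` is escaped twice in this `_render`: once when it is assigned and again in `(xml_escape(facetid), title)`, so an id containing `&` or a quote is written to `cubicweb:facetName` with its entities escaped a second time. The other `_render` methods visible in this file pass the already-escaped `facetid` straight through, and this one should do the same: `(facetid, title))`. The method body continues past the end of the hunk.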
@@ -617,8 +617,8 @@
         self.value = None
 
     def _render(self):
-        title = html_escape(self.facet.title)
-        facetid = html_escape(self.facet.id)
+        title = xml_escape(self.facet.title)
+        facetid = xml_escape(self.facet.id)
         self.w(u'<div id="%s" class="facet">\n' % facetid)
         self.w(u'<div class="facetTitle" cubicweb:facetName="%s">%s</div>\n' %
                (facetid, title))
@@ -661,7 +661,7 @@
         facet.req.add_js('ui.slider.js')
         facet.req.add_css('ui.all.css')
         sliderid = make_uid('the slider')
-        facetid = html_escape(self.facet.id)
+        facetid = xml_escape(self.facet.id)
         facet.req.html_headers.add_onload(self.onload % {
             'sliderid': sliderid,
             'facetid': facetid,
@@ -669,7 +669,7 @@
             'maxvalue': self.maxvalue,
             'formatter': self.formatter,
             })
-        title = html_escape(self.facet.title)
+        title = xml_escape(self.facet.title)
         self.w(u'<div id="%s" class="facet">\n' % facetid)
         self.w(u'<div class="facetTitle" cubicweb:facetName="%s">%s</div>\n' %
                (facetid, title))
@@ -721,9 +721,9 @@
             imgsrc = self.req.datadir_url + self.unselected_img
             imgalt = self.req._('not selected')
         self.w(u'<div class="facetValue facetCheckBox%s" cubicweb:value="%s">\n'
-               % (cssclass, html_escape(unicode(self.value))))
+               % (cssclass, xml_escape(unicode(self.value))))
         self.w(u'<img src="%s" alt="%s"/>&nbsp;' % (imgsrc, imgalt))
-        self.w(u'<a href="javascript: {}">%s</a>' % html_escape(self.label))
+        self.w(u'<a href="javascript: {}">%s</a>' % xml_escape(self.label))
         self.w(u'</div>')
 
 class CheckBoxFacetWidget(HTMLWidget):
@@ -737,8 +737,8 @@
         self.selected = selected
 
     def _render(self):
-        title = html_escape(self.facet.title)
-        facetid = html_escape(self.facet.id)
+        title = xml_escape(self.facet.title)
+        facetid = xml_escape(self.facet.id)
         self.w(u'<div id="%s" class="facet">\n' % facetid)
         if self.selected:
             cssclass = ' facetValueSelected'
@@ -749,7 +749,7 @@
             imgsrc = self.req.datadir_url + self.unselected_img
             imgalt = self.req._('not selected')
         self.w(u'<div class="facetValue facetCheckBox%s" cubicweb:value="%s">\n'
-               % (cssclass, html_escape(unicode(self.value))))
+               % (cssclass, xml_escape(unicode(self.value))))
         self.w(u'<div class="facetCheckBoxWidget">')
         self.w(u'<img src="%s" alt="%s" cubicweb:unselimg="true" />&nbsp;' % (imgsrc, imgalt))
         self.w(u'<label class="facetTitle" cubicweb:facetName="%s"><a href="javascript: {}">%s</a></label>' % (facetid, title))
--- a/web/formfields.py	Tue Jul 07 13:25:24 2009 +0200
+++ b/web/formfields.py	Tue Jul 07 13:26:44 2009 +0200
@@ -10,7 +10,7 @@
 from warnings import warn
 from datetime import datetime
 
-from logilab.mtconverter import html_escape
+from logilab.mtconverter import xml_escape
 from yams.constraints import SizeConstraint, StaticVocabularyConstraint
 
 from cubicweb.schema import FormatConstraint
@@ -300,9 +300,9 @@
         if self.format_field or self.encoding_field:
             divid = '%s-advanced' % form.context[self]['name']
             wdgs.append(u'<a href="%s" title="%s"><img src="%s" alt="%s"/></a>' %
-                        (html_escape(uilib.toggle_action(divid)),
+                        (xml_escape(uilib.toggle_action(divid)),
                          form.req._('show advanced fields'),
-                         html_escape(form.req.build_url('data/puce_down.png')),
+                         xml_escape(form.req.build_url('data/puce_down.png')),
                          form.req._('show advanced fields')))
             wdgs.append(u'<div id="%s" class="hidden">' % divid)
             if self.format_field:
--- a/web/htmlwidgets.py	Tue Jul 07 13:25:24 2009 +0200
+++ b/web/htmlwidgets.py	Tue Jul 07 13:26:44 2009 +0200
@@ -9,7 +9,7 @@
 :license: GNU Lesser General Public License, v2.1 - http://www.gnu.org/licenses
 """
 
-from logilab.mtconverter import html_escape
+from logilab.mtconverter import xml_escape
 
 from cubicweb.utils import UStringIO
 from cubicweb.common.uilib import toggle_action
@@ -81,7 +81,7 @@
             self.w(u'<div class="%s">' % self._class)
         if self.title:
             if self.escape:
-                title = '<span>%s</span>' % html_escape(self.title)
+                title = '<span>%s</span>' % xml_escape(self.title)
             else:
                 title = '<span>%s</span>' % self.title
             self.w(u'<div class="%s">%s</div>' % (self.title_class, title))
@@ -204,7 +204,7 @@
     def __init__(self, href, label, _class='', title='', ident='', escape=False):
         self.href = href
         if escape:
-            self.label = html_escape(label)
+            self.label = xml_escape(label)
         else:
             self.label = label
         self._class = _class or ''
@@ -213,7 +213,7 @@
 
     def _render(self):
         link = u'<a href="%s" title="%s">%s</a>' % (
-            html_escape(self.href), html_escape(self.title), self.label)
+            xml_escape(self.href), xml_escape(self.title), self.label)
         if self.ident:
             self.w(u'<li id="%s" class="%s">%s</li>\n' % (self.ident, self._class, link))
         else:
--- a/web/request.py	Tue Jul 07 13:25:24 2009 +0200
+++ b/web/request.py	Tue Jul 07 13:26:44 2009 +0200
@@ -20,7 +20,7 @@
 from logilab.common.decorators import cached
 from logilab.common.deprecation import obsolete
 
-from logilab.mtconverter import html_escape
+from logilab.mtconverter import xml_escape
 
 from cubicweb.dbapi import DBAPIRequest
 from cubicweb.common.mail import header
@@ -505,7 +505,7 @@
         url = self.build_url('view', rql=rql, vid=vid, __notemplate=1,
                              **extraparams)
         return "javascript: loadxhtml('%s', '%s', '%s')" % (
-            nodeid, html_escape(url), replacemode)
+            nodeid, xml_escape(url), replacemode)
 
     # urls/path management ####################################################
 
--- a/web/views/basecomponents.py	Tue Jul 07 13:25:24 2009 +0200
+++ b/web/views/basecomponents.py	Tue Jul 07 13:26:44 2009 +0200
@@ -15,7 +15,7 @@
 
 from cubicweb.selectors import yes, two_etypes_rset, match_form_params
 from cubicweb.schema import display_name
-from cubicweb.common.uilib import html_escape, toggle_action
+from cubicweb.common.uilib import xml_escape, toggle_action
 from cubicweb.web import component
 from cubicweb.web.htmlwidgets import (MenuWidget, PopupBoxMenu, BoxSeparator,
                                       BoxLink)
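Review bot: `xml_escape` is imported here from `cubicweb.common.uilib`, which only has the name because it imports it from `logilab.mtconverter` itself. The other modules visible in this commit import it from `logilab.mtconverter` directly. Doing the same here, `from logilab.mtconverter import xml_escape` plus `from cubicweb.common.uilib import toggle_action`, avoids depending on an incidental re-export that a later cleanup of uilib's imports would break.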
@@ -47,7 +47,7 @@
 <input type="submit" value="" class="rqlsubmit" tabindex="%s" />
 </fieldset>
 ''' % (not self.propval('visible') and 'hidden' or '',
-       self.build_url('view'), html_escape(rql), req._('full text or RQL query'), req.next_tabindex(),
+       self.build_url('view'), xml_escape(rql), req._('full text or RQL query'), req.next_tabindex(),
         req.next_tabindex()))
         if self.req.search_state[0] != 'normal':
             self.w(u'<input type="hidden" name="__mode" value="%s"/>'
@@ -202,7 +202,7 @@
                 url = self.build_url(rql=newrql, __restrrql=restrrql,
                                      __restrtype=etype, __restrtypes=','.join(restrtypes))
                 html.append(u'<span><a href="%s">%s</a></span>' % (
-                        html_escape(url), elabel))
+                        xml_escape(url), elabel))
                 rqlst.recover()
         if on_etype:
             url = self.build_url(rql=restrrql)
--- a/web/views/basecontrollers.py	Tue Jul 07 13:25:24 2009 +0200
+++ b/web/views/basecontrollers.py	Tue Jul 07 13:26:44 2009 +0200
@@ -15,7 +15,7 @@
 import simplejson
 
 from logilab.common.decorators import cached
-from logilab.mtconverter import html_escape
+from logilab.mtconverter import xml_escape
 
 from cubicweb import NoSelectableObject, ValidationError, ObjectNotFound, typed_eid
 from cubicweb.utils import strptime
@@ -411,7 +411,7 @@
             if rset:
                 output = self.view(vid, rset)
                 if vid == 'textoutofcontext':
-                    output = html_escape(output)
+                    output = xml_escape(output)
             else:
                 output = default
             return (success, args, output)
--- a/web/views/baseforms.py	Tue Jul 07 13:25:24 2009 +0200
+++ b/web/views/baseforms.py	Tue Jul 07 13:26:44 2009 +0200
@@ -12,7 +12,7 @@
 
 from simplejson import dumps
 
-from logilab.mtconverter import html_escape
+from logilab.mtconverter import xml_escape
 from logilab.common.decorators import cached
 
 from cubicweb.selectors import (specified_etype_implements, accepts_etype_compat,
@@ -148,7 +148,7 @@
         output = []
         for name, value, iid in self._hiddens:
             if isinstance(value, basestring):
-                value = html_escape(value)
+                value = xml_escape(value)
             if iid:
                 output.append(u'<input id="%s" type="hidden" name="%s" value="%s" />'
                               % (iid, name, value))
@@ -249,14 +249,14 @@
                 w(u'<a class="handle" title="%s" href="%s">[x]</a>' %
                   (_('cancel this insert'), row[2]))
                 w(u'<a id="a%s" class="editionPending" href="%s">%s</a>'
-                  % (row[1], row[4], html_escape(row[5])))
+                  % (row[1], row[4], xml_escape(row[5])))
                 w(u'</td>')
                 w(u'</tr>')
         w(u'<tr id="relationSelectorRow_%s" class="separator">' % eid)
         w(u'<th class="labelCol">')
         w(u'<span>%s</span>' % _('add relation'))
         w(u'<select id="relationSelector_%s" tabindex="%s" onchange="javascript:showMatchingSelect(this.options[this.selectedIndex].value,%s);">'
-          % (eid, req.next_tabindex(), html_escape(dumps(eid))))
+          % (eid, req.next_tabindex(), xml_escape(dumps(eid))))
         w(u'<option value="">%s</option>' % _('select a relation'))
         for i18nrtype, rschema, target in srels_by_cat:
             # more entities to link to
@@ -551,10 +551,10 @@
         ctx = {'action' : self.build_url('edit'),
                'error': self.error_message(),
                'progress': _('validating...'),
-               'url': html_escape(req.url()),
+               'url': xml_escape(req.url()),
                'formid': self.id,
-               'redirectvid': html_escape(form.get('__redirectvid', 'list')),
-               'redirectrql': html_escape(form.get('__redirectrql', self.rset.printable_rql())),
+               'redirectvid': xml_escape(form.get('__redirectvid', 'list')),
+               'redirectrql': xml_escape(form.get('__redirectrql', self.rset.printable_rql())),
                'attrheaders': u'\n'.join(attrheaders),
                'lines': u'\n'.join(self.edit_form(ent) for ent in self.rset.entities()),
                'okvalue': _('button_ok').capitalize(),
@@ -583,7 +583,7 @@
         wdg = entity.get_widget
         wdgfactories = [wdg(rschema, x) for rschema, _, x in entity.relations_by_category('primary', 'add')
                         if rschema.type != 'eid'] # XXX both (add, delete)
-        seid = html_escape(dumps(eid))
+        seid = xml_escape(dumps(eid))
         for wobj in wdgfactories:
             if isinstance(wobj, ComboBoxWidget):
                 wobj.attrs['onchange'] = "setCheckboxesState2('eid', %s, 'checked')" % seid
--- a/web/views/basetemplates.py	Tue Jul 07 13:25:24 2009 +0200
+++ b/web/views/basetemplates.py	Tue Jul 07 13:26:44 2009 +0200
@@ -8,7 +8,7 @@
 """
 __docformat__ = "restructuredtext en"
 
-from logilab.mtconverter import html_escape
+from logilab.mtconverter import xml_escape
 
 from cubicweb.vregistry import objectify_selector
 from cubicweb.selectors import match_kwargs
@@ -31,14 +31,14 @@
     def template_header(self, content_type, view=None, page_title='', additional_headers=()):
         w = self.whead
         # explictly close the <base> tag to avoid IE 6 bugs while browsing DOM
-        w(u'<base href="%s"></base>' % html_escape(self.req.base_url()))
+        w(u'<base href="%s"></base>' % xml_escape(self.req.base_url()))
         w(u'<meta http-equiv="content-type" content="%s; charset=%s"/>\n'
           % (content_type, self.req.encoding))
         w(NOINDEX)
         w(NOFOLLOW)
         w(u'\n'.join(additional_headers) + u'\n')
         self.wview('htmlheader', rset=self.rset)
-        w(u'<title>%s</title>\n' % html_escape(page_title))
+        w(u'<title>%s</title>\n' % xml_escape(page_title))
 
 
 class LogInTemplate(LogInOutTemplate):
@@ -60,7 +60,7 @@
         if self.config['anonymous-user']:
             indexurl = self.build_url('view', vid='index', __message=msg)
             w(u'<p><a href="%s">%s</a><p>' % (
-                html_escape(indexurl),
+                xml_escape(indexurl),
                 self.req._('go back to the index page')))
 
 @objectify_selector
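Review bot: The paragraph written in this hunk is opened twice and never closed: the format string ends with `</a><p>` where `</a></p>` is meant. Since the output is otherwise treated as XML-clean markup, the stray open tag is worth fixing while the line is being touched. The translated label from `self.req._(...)` is also inserted unescaped next to the escaped URL; wrapping it in `xml_escape(...)` would keep a translation containing `&` or `<` from breaking the page. The enclosing method starts outside the hunk.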
@@ -110,7 +110,7 @@
         w(u'<div id="pageContent">\n')
         vtitle = self.req.form.get('vtitle')
         if vtitle:
-            w(u'<h1 class="vtitle">%s</h1>\n' % html_escape(vtitle))
+            w(u'<h1 class="vtitle">%s</h1>\n' % xml_escape(vtitle))
         # display entity type restriction component
         etypefilter = self.vreg.select_component('etypenavigation',
                                                  self.req, self.rset)
@@ -137,13 +137,13 @@
         w = self.whead
         lang = self.req.lang
         self.write_doctype()
-        w(u'<base href="%s" />' % html_escape(self.req.base_url()))
+        w(u'<base href="%s" />' % xml_escape(self.req.base_url()))
         w(u'<meta http-equiv="content-type" content="%s; charset=%s"/>\n'
           % (content_type, self.req.encoding))
         w(u'\n'.join(additional_headers) + u'\n')
         self.wview('htmlheader', rset=self.rset)
         if page_title:
-            w(u'<title>%s</title>\n' % html_escape(page_title))
+            w(u'<title>%s</title>\n' % xml_escape(page_title))
 
     def template_body_header(self, view):
         w = self.w
@@ -210,7 +210,7 @@
           % (content_type, self.req.encoding))
         w(u'\n'.join(additional_headers))
         self.wview('htmlheader', rset=self.rset)
-        w(u'<title>%s</title>\n' % html_escape(page_title))
+        w(u'<title>%s</title>\n' % xml_escape(page_title))
         self.w(u'<body>\n')
 
     def template_footer(self, view=None):
@@ -232,7 +232,7 @@
         whead(u'\n'.join(additional_headers) + u'\n')
         self.wview('htmlheader', rset=self.rset)
         w = self.w
-        w(u'<title>%s</title>\n' % html_escape(page_title))
+        w(u'<title>%s</title>\n' % xml_escape(page_title))
         w(u'<body>\n')
         w(u'<div id="page">')
         w(u'<table width="100%" height="100%" border="0"><tr>\n')
@@ -250,7 +250,7 @@
         w(u'<div id="pageContent">\n')
         vtitle = self.req.form.get('vtitle')
         if vtitle:
-            w(u'<h1 class="vtitle">%s</h1>' % html_escape(vtitle))
+            w(u'<h1 class="vtitle">%s</h1>' % xml_escape(vtitle))
 
     def topleft_header(self):
         self.w(u'<table id="header"><tr>\n')
@@ -296,7 +296,7 @@
         if urlgetter is not None:
             url = urlgetter.feed_url()
             self.whead(u'<link rel="alternate" type="application/rss+xml" title="RSS feed" href="%s"/>\n'
-                       %  html_escape(url))
+                       %  xml_escape(url))
 
     def pageid(self):
         req = self.req
@@ -452,7 +452,7 @@
     def login_form(self, id):
         _ = self.req._
         self.w(u'<form method="post" action="%s" id="login_form">\n'
-               % html_escape(login_form_url(self.config, self.req)))
+               % xml_escape(login_form_url(self.config, self.req)))
         self.w(u'<table>\n')
         self.w(u'<tr>\n')
         msg = (self.config['allow-email-login'] and _('login or email')) or _('login')
--- a/web/views/baseviews.py	Tue Jul 07 13:25:24 2009 +0200
+++ b/web/views/baseviews.py	Tue Jul 07 13:26:44 2009 +0200
@@ -17,7 +17,7 @@
 
 from rql import nodes
 
-from logilab.mtconverter import TransformError, html_escape, xml_escape
+from logilab.mtconverter import TransformError, xml_escape, xml_escape
 
 from cubicweb import NoSelectableObject
 from cubicweb.selectors import yes, empty_rset
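Review bot: The mechanical rename left `xml_escape` listed twice on the `logilab.mtconverter` import line, because the old line already imported both `html_escape` and `xml_escape`. It is harmless at runtime but should read `from logilab.mtconverter import TransformError, xml_escape`.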
@@ -121,8 +121,8 @@
         """the one line view for an entity: linked text view
         """
         entity = self.entity(row, col)
-        self.w(u'<a href="%s">' % html_escape(entity.absolute_url()))
-        self.w(html_escape(self.view('text', self.rset, row=row, col=col)))
+        self.w(u'<a href="%s">' % xml_escape(entity.absolute_url()))
+        self.w(xml_escape(self.view('text', self.rset, row=row, col=col)))
         self.w(u'</a>')
 
 
@@ -205,8 +205,8 @@
         entity = self.entity(row, col)
         desc = cut(entity.dc_description(), 50)
         self.w(u'<a href="%s" title="%s">' % (
-            html_escape(entity.absolute_url()), html_escape(desc)))
-        self.w(html_escape(self.view('textincontext', self.rset,
+            xml_escape(entity.absolute_url()), xml_escape(desc)))
+        self.w(xml_escape(self.view('textincontext', self.rset,
                                      row=row, col=col)))
         self.w(u'</a>')
 
@@ -218,8 +218,8 @@
         entity = self.entity(row, col)
         desc = cut(entity.dc_description(), 50)
         self.w(u'<a href="%s" title="%s">' % (
-            html_escape(entity.absolute_url()), html_escape(desc)))
-        self.w(html_escape(self.view('textoutofcontext', self.rset,
+            xml_escape(entity.absolute_url()), xml_escape(desc)))
+        self.w(xml_escape(self.view('textoutofcontext', self.rset,
                                      row=row, col=col)))
         self.w(u'</a>')
 
--- a/web/views/bookmark.py	Tue Jul 07 13:25:24 2009 +0200
+++ b/web/views/bookmark.py	Tue Jul 07 13:26:44 2009 +0200
@@ -7,7 +7,7 @@
 """
 __docformat__ = "restructuredtext en"
 
-from logilab.mtconverter import html_escape
+from logilab.mtconverter import xml_escape
 
 from cubicweb import Unauthorized
 from cubicweb.selectors import implements
@@ -35,12 +35,12 @@
         entity = self.complete_entity(row, col)
         self.w(u'&nbsp;')
         self.w(u"<span class='title'><b>")
-        self.w(u"%s : %s" % (self.req._('Bookmark'), html_escape(entity.title)))
+        self.w(u"%s : %s" % (self.req._('Bookmark'), xml_escape(entity.title)))
         self.w(u"</b></span>")
         self.w(u'<br/><br/><div class="content"><a href="%s">' % (
-            html_escape(entity.actual_url())))
+            xml_escape(entity.actual_url())))
         self.w(u'</a>')
-        self.w(u'<p>%s%s</p>' % (self.req._('Used by:'), ', '.join(html_escape(u.name())
+        self.w(u'<p>%s%s</p>' % (self.req._('Used by:'), ', '.join(xml_escape(u.name())
                                                                    for u in entity.bookmarked_by)))
         self.w(u'</div>')
 
@@ -75,8 +75,8 @@
         else:
             dlink = None
         for bookmark in rset.entities():
-            label = '<a href="%s">%s</a>' % (html_escape(bookmark.action_url()),
-                                             html_escape(bookmark.title))
+            label = '<a href="%s">%s</a>' % (xml_escape(bookmark.action_url()),
+                                             xml_escape(bookmark.title))
             if candelete:
                 dlink = u'[<a href="javascript:removeBookmark(%s)" title="%s">-</a>]' % (
                     bookmark.eid, _('delete this bookmark'))
--- a/web/views/boxes.py	Tue Jul 07 13:25:24 2009 +0200
+++ b/web/views/boxes.py	Tue Jul 07 13:26:44 2009 +0200
@@ -16,7 +16,7 @@
 __docformat__ = "restructuredtext en"
 _ = unicode
 
-from logilab.mtconverter import html_escape
+from logilab.mtconverter import xml_escape
 
 from cubicweb.selectors import match_user_groups, non_final_entity
 from cubicweb.view import EntityView
@@ -191,7 +191,7 @@
         else:
             rql = ''
         form = self.formdef % (req.build_url('view'), req.next_tabindex(),
-                               html_escape(rql), req.next_tabindex())
+                               xml_escape(rql), req.next_tabindex())
         title = u"""<span onclick="javascript: toggleVisibility('rqlinput')">%s</span>""" % req._(self.title)
         box = BoxWidget(title, self.id, _class="searchBoxFrame", islist=False, escape=False)
         box.append(BoxHtml(form))
--- a/web/views/calendar.py	Tue Jul 07 13:25:24 2009 +0200
+++ b/web/views/calendar.py	Tue Jul 07 13:26:44 2009 +0200
@@ -10,7 +10,7 @@
 
 from datetime import datetime, date, timedelta
 
-from logilab.mtconverter import html_escape
+from logilab.mtconverter import xml_escape
 
 from cubicweb.interfaces import ICalendarable
 from cubicweb.selectors import implements
@@ -82,7 +82,7 @@
         for i in range(len(self.rset.rows)):
             task = self.complete_entity(i)
             self.w(u'<div class="vevent">')
-            self.w(u'<h3 class="summary">%s</h3>' % html_escape(task.dc_title()))
+            self.w(u'<h3 class="summary">%s</h3>' % xml_escape(task.dc_title()))
             self.w(u'<div class="description">%s</div>'
                    % task.dc_description(format='text/html'))
             if task.start:
@@ -244,8 +244,8 @@
         prevlink, nextlink = self._prevnext_links(curdate)  # XXX
         self.w(u'<tr><th><a href="%s">&lt;&lt;</a></th><th colspan="5">%s %s</th>'
                u'<th><a href="%s">&gt;&gt;</a></th></tr>' %
-               (html_escape(prevlink), self.req._(curdate.strftime('%B').lower()),
-                curdate.year, html_escape(nextlink)))
+               (xml_escape(prevlink), self.req._(curdate.strftime('%B').lower()),
+                curdate.year, xml_escape(nextlink)))
 
         # output header
         self.w(u'<tr><th>%s</th><th>%s</th><th>%s</th><th>%s</th><th>%s</th><th>%s</th><th>%s</th></tr>' %
@@ -292,7 +292,7 @@
                                  __redirectparams=self.req.build_url_params(year=curdate.year, month=curmonth),
                                  __redirectvid=self.id
                                  )
-            self.w(u'<div class="cmd"><a href="%s">%s</a></div>' % (html_escape(url), self.req._(u'add')))
+            self.w(u'<div class="cmd"><a href="%s">%s</a></div>' % (xml_escape(url), self.req._(u'add')))
             self.w(u'&nbsp;')
         self.w(u'</div>')
         self.w(u'<div class="cellContent">')
@@ -307,7 +307,7 @@
                                         __redirectvid=self.id
                                         )
 
-                self.w(u'<div class="tooltip" ondblclick="stopPropagation(event); window.location.assign(\'%s\'); return false;">' % html_escape(url))
+                self.w(u'<div class="tooltip" ondblclick="stopPropagation(event); window.location.assign(\'%s\'); return false;">' % xml_escape(url))
                 task.view('tooltip', w=self.w )
                 self.w(u'</div>')
             else:
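Review bot: On the `ondblclick` line the URL is placed inside a single-quoted JavaScript string within an HTML attribute, and `xml_escape` only encodes for the attribute layer. The browser decodes character references before the handler source is evaluated, so a quote or backslash in `url` is not neutralised for the script context if any part of the URL is user-influenced. The same pattern appears in the `baseurl='%s'` argument of `addCalendarItem` (hunk at -429) and in the second `window.location.assign` (hunk at -501). Encode for JavaScript first and for the attribute second, as editforms.py and facets.py in this changeset do with `xml_escape(dumps(...))`: write `window.location.assign(%s)` and pass `xml_escape(dumps(url))`. calendar.py would then need `dumps` imported, which its import hunk does not show, and the enclosing method starts outside this hunk.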
@@ -388,9 +388,9 @@
         self.w(u'<tr><th class="transparent"></th>')
         self.w(u'<th><a href="%s">&lt;&lt;</a></th><th colspan="5">%s %s %s</th>'
                u'<th><a href="%s">&gt;&gt;</a></th></tr>' %
-               (html_escape(prevlink), first_day_of_week.year,
+               (xml_escape(prevlink), first_day_of_week.year,
                 self.req._(u'week'), first_day_of_week.isocalendar()[1],
-                html_escape(nextlink)))
+                xml_escape(nextlink)))
 
         # output header
         self.w(u'<tr>')
@@ -429,7 +429,7 @@
                                      __redirectvid=self.id
                                      )
                 extra = ' ondblclick="addCalendarItem(event, hmin=8, hmax=20, year=%s, month=%s, day=%s, duration=2, baseurl=\'%s\')"' % (
-                    wdate.year, wdate.month, wdate.day, html_escape(url))
+                    wdate.year, wdate.month, wdate.day, xml_escape(url))
             else:
                 extra = ""
             self.w(u'<div class="columndiv"%s>'% extra)
@@ -501,7 +501,7 @@
                                     __redirectvid=self.id
                                  )
 
-            self.w(u'<div class="tooltip" ondblclick="stopPropagation(event); window.location.assign(\'%s\'); return false;">' % html_escape(url))
+            self.w(u'<div class="tooltip" ondblclick="stopPropagation(event); window.location.assign(\'%s\'); return false;">' % xml_escape(url))
             task.view('tooltip', w=self.w)
             self.w(u'</div>')
             if task.start is None:
--- a/web/views/cwproperties.py	Tue Jul 07 13:25:24 2009 +0200
+++ b/web/views/cwproperties.py	Tue Jul 07 13:26:44 2009 +0200
@@ -8,7 +8,7 @@
 __docformat__ = "restructuredtext en"
 _ = unicode
 
-from logilab.mtconverter import html_escape
+from logilab.mtconverter import xml_escape
 
 from logilab.common.decorators import cached
 
@@ -154,7 +154,7 @@
                 docmsgid = '%s_%s_description' % (group, oid)
                 doc = _(docmsgid)
                 if doc != docmsgid:
-                    w(u'<div class="helper">%s</div>' % html_escape(doc).capitalize())
+                    w(u'<div class="helper">%s</div>' % xml_escape(doc).capitalize())
                 w(u'</div>')
                 w(u'<fieldset id="field_%(oid)s_%(group)s" class="%(group)s preferences hidden">'
                   % {'oid':oid, 'group':group})
--- a/web/views/cwuser.py	Tue Jul 07 13:25:24 2009 +0200
+++ b/web/views/cwuser.py	Tue Jul 07 13:26:44 2009 +0200
@@ -7,7 +7,7 @@
 """
 __docformat__ = "restructuredtext en"
 
-from logilab.mtconverter import html_escape
+from logilab.mtconverter import xml_escape
 
 from cubicweb.selectors import one_line_rset, implements, match_user_groups
 from cubicweb.view import EntityView
@@ -52,14 +52,14 @@
                       <foaf:primaryTopic rdf:resource="%s"/>
                    </foaf:PersonalProfileDocument>''' % (entity.absolute_url(), entity.absolute_url()))
         self.w(u'<foaf:Person rdf:ID="%s">\n' % entity.eid)
-        self.w(u'<foaf:name>%s</foaf:name>\n' % html_escape(entity.dc_long_title()))
+        self.w(u'<foaf:name>%s</foaf:name>\n' % xml_escape(entity.dc_long_title()))
         if entity.surname:
             self.w(u'<foaf:family_name>%s</foaf:family_name>\n'
-                   % html_escape(entity.surname))
+                   % xml_escape(entity.surname))
         if entity.firstname:
             self.w(u'<foaf:givenname>%s</foaf:givenname>\n'
-                   % html_escape(entity.firstname))
+                   % xml_escape(entity.firstname))
         emailaddr = entity.get_email()
         if emailaddr:
-            self.w(u'<foaf:mbox>%s</foaf:mbox>\n' % html_escape(emailaddr))
+            self.w(u'<foaf:mbox>%s</foaf:mbox>\n' % xml_escape(emailaddr))
         self.w(u'</foaf:Person>\n')
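Review bot: `entity.absolute_url()` is interpolated unescaped on the line ending `% (entity.absolute_url(), entity.absolute_url()))`, where one of the two targets is the visible `rdf:resource` attribute, while every text node below it now goes through `xml_escape`. A URL containing `&` or a quote would make the FOAF document ill-formed, and the isioc views in this same changeset do escape `absolute_url()` in `rdf:about`. Suggested change: `% (xml_escape(entity.absolute_url()), xml_escape(entity.absolute_url()))`. The format string begins outside the hunk, so the first placeholder's context is inferred.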
--- a/web/views/debug.py	Tue Jul 07 13:25:24 2009 +0200
+++ b/web/views/debug.py	Tue Jul 07 13:26:44 2009 +0200
@@ -10,7 +10,7 @@
 
 from time import strftime, localtime
 
-from logilab.mtconverter import html_escape
+from logilab.mtconverter import xml_escape
 
 from cubicweb.selectors import none_rset, match_user_groups
 from cubicweb.view import StartupView
@@ -21,7 +21,7 @@
         w(u'<ul>')
         for key in sorted(dict):
             w(u'<li><span class="label">%s</span>: <span>%s</span></li>' % (
-                html_escape(str(key)), html_escape(repr(dict[key]))))
+                xml_escape(str(key)), xml_escape(repr(dict[key]))))
         w(u'</ul>')
 
 
@@ -38,7 +38,7 @@
         if sessions:
             w(u'<ul>')
             for sid, session in sessions:
-                w(u'<li>%s  (last usage: %s)<br/>' % (html_escape(str(session)),
+                w(u'<li>%s  (last usage: %s)<br/>' % (xml_escape(str(session)),
                                                       strftime('%Y-%m-%d %H:%M:%S',
                                                                localtime(session.timestamp))))
                 dict_to_html(w, session.data)
--- a/web/views/editforms.py	Tue Jul 07 13:25:24 2009 +0200
+++ b/web/views/editforms.py	Tue Jul 07 13:26:44 2009 +0200
@@ -13,7 +13,7 @@
 
 from simplejson import dumps
 
-from logilab.mtconverter import html_escape
+from logilab.mtconverter import xml_escape
 
 from cubicweb.selectors import (match_kwargs, one_line_rset, non_final_entity,
                                 specified_etype_implements, yes)
@@ -38,7 +38,7 @@
     entities
     """
     js = u"javascript: togglePendingDelete('%s', %s);" % (
-        nodeid, html_escape(dumps(eid)))
+        nodeid, xml_escape(dumps(eid)))
     return u'[<a class="handle" href="%s" id="handle%s">%s</a>]' % (
         js, nodeid, label)
 
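Review bot: Only `eid` is encoded in this helper; `nodeid` is interpolated raw into a single-quoted JavaScript string, and `js`, `nodeid` and `label` then go unescaped into the `href`, the `id` and the element body on the return line. Whether callers always pass trusted values is not visible from this hunk, so the safer form encodes each value for the context it lands in: `js = u"javascript: togglePendingDelete(%s, %s);" % (dumps(nodeid), dumps(eid))`, then `xml_escape(js)` and `xml_escape(nodeid)` in the return arguments. If `label` is meant to carry markup, a comment saying so would document why it is left raw. The function's signature and the start of its docstring are outside the hunk.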
@@ -108,8 +108,8 @@
                 return
         else:
             rset = entity.related(rtype, role)
-            # XXX html_escape but that depends of the actual vid
-            value = html_escape(self.view(vid, rset, 'null') or default)
+            # XXX xml_escape but that depends of the actual vid
+            value = xml_escape(self.view(vid, rset, 'null') or default)
         # XXX consider local roles ?
         if role == 'subject'and not rschema.has_perm(self.req, 'add',
                                                     fromeid=entity.eid):
--- a/web/views/editviews.py	Tue Jul 07 13:25:24 2009 +0200
+++ b/web/views/editviews.py	Tue Jul 07 13:26:44 2009 +0200
@@ -11,7 +11,7 @@
 from simplejson import dumps
 
 from logilab.common.decorators import cached
-from logilab.mtconverter import html_escape
+from logilab.mtconverter import xml_escape
 
 from cubicweb import typed_eid
 from cubicweb.view import EntityView
@@ -64,10 +64,10 @@
         erset = entity.as_rset()
         if self.req.match_search_state(erset):
             self.w(u'<a href="%s" title="%s">%s</a>&nbsp;<a href="%s" title="%s">[...]</a>' % (
-                html_escape(linksearch_select_url(self.req, erset)),
+                xml_escape(linksearch_select_url(self.req, erset)),
                 self.req._('select this entity'),
-                html_escape(entity.view('textoutofcontext')),
-                html_escape(entity.absolute_url(vid='primary')),
+                xml_escape(entity.view('textoutofcontext')),
+                xml_escape(entity.absolute_url(vid='primary')),
                 self.req._('view detail for this entity')))
         else:
             entity.view('outofcontext', w=self.w)
@@ -111,7 +111,7 @@
   </select>
 </div>
 """ % (hidden and 'hidden' or '', divid, selectid,
-       html_escape(dumps(entity.eid)), is_cell and 'true' or 'null', relname,
+       xml_escape(dumps(entity.eid)), is_cell and 'true' or 'null', relname,
        '\n'.join(options))
 
     def _get_select_options(self, entity, rschema, target):
@@ -127,13 +127,13 @@
         for eview, reid in form.form_field_vocabulary(field, limit):
             if reid is None:
                 options.append('<option class="separator">-- %s --</option>'
-                               % html_escape(eview))
+                               % xml_escape(eview))
             else:
                 optionid = relation_id(eid, rtype, target, reid)
                 if optionid not in pending_inserts:
                     # prefix option's id with letters to make valid XHTML wise
                     options.append('<option id="id%s" value="%s">%s</option>' %
-                                   (optionid, reid, html_escape(eview)))
+                                   (optionid, reid, xml_escape(eview)))
         return options
 
     def _get_search_options(self, entity, rschema, target, targettypes):
@@ -146,7 +146,7 @@
                                  __mode=mode)
             options.append((eschema.display_name(self.req),
                             '<option value="%s">%s %s</option>' % (
-                html_escape(url), _('Search for'), eschema.display_name(self.req))))
+                xml_escape(url), _('Search for'), eschema.display_name(self.req))))
         return [o for l, o in sorted(options)]
 
     def _get_basket_options(self, entity, rschema, target, targettypes):
@@ -157,7 +157,7 @@
                                                             target, targettypes):
             optionid = relation_id(entity.eid, rtype, target, basketeid)
             options.append('<option id="%s" value="%s">%s %s</option>' % (
-                optionid, basketeid, _('link to each item in'), html_escape(basketname)))
+                optionid, basketeid, _('link to each item in'), xml_escape(basketname)))
         return options
 
     def _get_basket_links(self, ueid, target, targettypes):
--- a/web/views/emailaddress.py	Tue Jul 07 13:25:24 2009 +0200
+++ b/web/views/emailaddress.py	Tue Jul 07 13:26:44 2009 +0200
@@ -7,7 +7,7 @@
 """
 __docformat__ = "restructuredtext en"
 
-from logilab.mtconverter import html_escape
+from logilab.mtconverter import xml_escape
 
 from cubicweb.schema import display_name
 from cubicweb.selectors import implements
@@ -80,9 +80,9 @@
         if entity.reverse_primary_email:
             self.w(u'<b>')
         if entity.alias:
-            self.w(u'%s &lt;' % html_escape(entity.alias))
-        self.w('<a href="%s">%s</a>' % (html_escape(entity.absolute_url()),
-                                        html_escape(entity.display_address())))
+            self.w(u'%s &lt;' % xml_escape(entity.alias))
+        self.w('<a href="%s">%s</a>' % (xml_escape(entity.absolute_url()),
+                                        xml_escape(entity.display_address())))
         if entity.alias:
             self.w(u'&gt;\n')
         if entity.reverse_primary_email:
@@ -109,8 +109,8 @@
             mailto = "mailto:%s <%s>" % (alias, entity.display_address())
         else:
             mailto = "mailto:%s" % entity.display_address()
-        self.w(u'<a href="%s">%s</a>' % (html_escape(mailto),
-                                         html_escape(entity.display_address())))
+        self.w(u'<a href="%s">%s</a>' % (xml_escape(mailto),
+                                         xml_escape(entity.display_address())))
         if entity.reverse_primary_email:
             self.w(u'</b>')
 
--- a/web/views/facets.py	Tue Jul 07 13:25:24 2009 +0200
+++ b/web/views/facets.py	Tue Jul 07 13:26:44 2009 +0200
@@ -9,7 +9,7 @@
 
 from simplejson import dumps
 
-from logilab.mtconverter import html_escape
+from logilab.mtconverter import xml_escape
 
 from cubicweb.vregistry import objectify_selector
 from cubicweb.selectors import (non_final_entity, two_lines_rset,
@@ -85,7 +85,7 @@
             self.displayBookmarkLink(rset)
             w = self.w
             w(u'<form method="post" id="%sForm" cubicweb:facetargs="%s" action="">'  % (
-                divid, html_escape(dumps([divid, vid, paginate, self.facetargs()]))))
+                divid, xml_escape(dumps([divid, vid, paginate, self.facetargs()]))))
             w(u'<fieldset>')
             hiddens = {'facets': ','.join(wdg.facet.id for wdg in widgets),
                        'baserql': baserql}
@@ -110,8 +110,8 @@
             bk_add_url = self.build_url('add/Bookmark', path=bk_path, title=bk_title, __linkto=linkto)
             bk_base_url = self.build_url('add/Bookmark', title=bk_title, __linkto=linkto)
             bk_link = u'<a cubicweb:target="%s" id="facetBkLink" href="%s">%s</a>' % (
-                    html_escape(bk_base_url),
-                    html_escape(bk_add_url),
+                    xml_escape(bk_base_url),
+                    xml_escape(bk_add_url),
                     self.req._('bookmark this search'))
             self.w(self.bkLinkBox_template % bk_link)
 
--- a/web/views/formrenderers.py	Tue Jul 07 13:25:24 2009 +0200
+++ b/web/views/formrenderers.py	Tue Jul 07 13:26:44 2009 +0200
@@ -8,7 +8,7 @@
 __docformat__ = "restructuredtext en"
 
 from logilab.common import dictattr
-from logilab.mtconverter import html_escape
+from logilab.mtconverter import xml_escape
 
 from simplejson import dumps
 
@@ -144,17 +144,17 @@
         else:
             action = form.action
         tag = ('<form action="%s" method="post" enctype="%s"' % (
-            html_escape(action or '#'), enctype))
+            xml_escape(action or '#'), enctype))
         if form.domid:
             tag += ' id="%s"' % form.domid
         if form.onsubmit:
-            tag += ' onsubmit="%s"' % html_escape(form.onsubmit % dictattr(form))
+            tag += ' onsubmit="%s"' % xml_escape(form.onsubmit % dictattr(form))
         if form.cssstyle:
-            tag += ' style="%s"' % html_escape(form.cssstyle)
+            tag += ' style="%s"' % xml_escape(form.cssstyle)
         if form.cssclass:
-            tag += ' class="%s"' % html_escape(form.cssclass)
+            tag += ' class="%s"' % xml_escape(form.cssclass)
         if form.cwtarget:
-            tag += ' cubicweb:target="%s"' % html_escape(form.cwtarget)
+            tag += ' cubicweb:target="%s"' % xml_escape(form.cwtarget)
         return tag + '>'
 
     def display_field(self, form, field):
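Review bot: `enctype` and `form.domid` are still interpolated raw into the `<form>` tag, while every other attribute built here is passed through `xml_escape`. For consistency, and so a stray quote cannot break out of the attribute, use `tag += ' id="%s"' % xml_escape(form.domid)` and pass `xml_escape(enctype)` in the first format tuple. The `onsubmit` value is JavaScript produced by `form.onsubmit % dictattr(form)`, so XML escaping covers only the attribute layer; any form attribute substituted into that script would need JavaScript-level encoding first, and the hunk does not show whether that happens. The method's beginning is outside the hunk.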
@@ -298,7 +298,7 @@
             entity = form.edited_entity
             values = form.form_previous_values
             qeid = eid_param('eid', entity.eid)
-            cbsetstate = "setCheckboxesState2('eid', %s, 'checked')" % html_escape(dumps(entity.eid))
+            cbsetstate = "setCheckboxesState2('eid', %s, 'checked')" % xml_escape(dumps(entity.eid))
             w(u'<tr class="%s">' % (entity.row % 2 and u'even' or u'odd'))
             # XXX turn this into a widget used on the eid field
             w(u'<td>%s</td>' % checkbox('eid', entity.eid, checked=qeid in values))
@@ -411,7 +411,7 @@
                 w(u'<a class="handle" title="%s" href="%s">[x]</a>' %
                   (_('cancel this insert'), row[2]))
                 w(u'<a id="a%s" class="editionPending" href="%s">%s</a>'
-                  % (row[1], row[4], html_escape(row[5])))
+                  % (row[1], row[4], xml_escape(row[5])))
                 w(u'</td>')
                 w(u'</tr>')
         w(u'<tr id="relationSelectorRow_%s" class="separator">' % eid)
@@ -419,7 +419,7 @@
         w(u'<span>%s</span>' % _('add relation'))
         w(u'<select id="relationSelector_%s" tabindex="%s" '
           'onchange="javascript:showMatchingSelect(this.options[this.selectedIndex].value,%s);">'
-          % (eid, req.next_tabindex(), html_escape(dumps(eid))))
+          % (eid, req.next_tabindex(), xml_escape(dumps(eid))))
         w(u'<option value="">%s</option>' % _('select a relation'))
         for i18nrtype, rschema, target in srels_by_cat:
             # more entities to link to
--- a/web/views/ibreadcrumbs.py	Tue Jul 07 13:25:24 2009 +0200
+++ b/web/views/ibreadcrumbs.py	Tue Jul 07 13:26:44 2009 +0200
@@ -8,7 +8,7 @@
 __docformat__ = "restructuredtext en"
 _ = unicode
 
-from logilab.mtconverter import html_escape
+from logilab.mtconverter import xml_escape
 
 # don't use AnyEntity since this may cause bug with isinstance() due to reloading
 from cubicweb.interfaces import IBreadCrumbs
@@ -21,7 +21,7 @@
 
 def bc_title(entity):
     textsize = entity.req.property_value('navigation.short-line-size')
-    return html_escape(cut(entity.dc_title(), textsize))
+    return xml_escape(cut(entity.dc_title(), textsize))
 
 
 class BreadCrumbEntityVComponent(EntityVComponent):
@@ -64,7 +64,7 @@
             url, title = part
             textsize = self.req.property_value('navigation.short-line-size')
             self.w(u'<a href="%s">%s</a>' % (
-                html_escape(url), html_escape(cut(title, textsize))))
+                xml_escape(url), xml_escape(cut(title, textsize))))
         else:
             textsize = self.req.property_value('navigation.short-line-size')
             self.w(cut(unicode(part), textsize))
@@ -81,6 +81,6 @@
 
     def cell_call(self, row, col):
         entity = self.entity(row, col)
-        desc = html_escape(cut(entity.dc_description(), 50))
+        desc = xml_escape(cut(entity.dc_description(), 50))
         self.w(u'<a href="%s" title="%s">%s</a>' % (
-            html_escape(entity.absolute_url()), desc, bc_title(entity)))
+            xml_escape(entity.absolute_url()), desc, bc_title(entity)))
--- a/web/views/idownloadable.py	Tue Jul 07 13:25:24 2009 +0200
+++ b/web/views/idownloadable.py	Tue Jul 07 13:26:44 2009 +0200
@@ -8,7 +8,7 @@
 __docformat__ = "restructuredtext en"
 _ = unicode
 
-from logilab.mtconverter import BINARY_ENCODINGS, TransformError, html_escape
+from logilab.mtconverter import BINARY_ENCODINGS, TransformError, xml_escape
 
 from cubicweb.view import EntityView
 from cubicweb.selectors import (one_line_rset, score_entity,
@@ -31,12 +31,12 @@
     if title is None:
         title = req._('download')
     w(u'<div class="sideBoxTitle downloadBoxTitle"><span>%s</span></div>'
-      % html_escape(title))
+      % xml_escape(title))
     w(u'<div class="sideBox downloadBox"><div class="sideBoxBody">')
     w(u'<a href="%s"><img src="%s" alt="%s"/> %s</a>'
-      % (html_escape(entity.download_url()),
+      % (xml_escape(entity.download_url()),
          req.external_resource('DOWNLOAD_ICON'),
-         _('download icon'), html_escape(label or entity.dc_title())))
+         _('download icon'), xml_escape(label or entity.dc_title())))
     w(u'</div>')
     w(u'</div>\n</div>\n')
 
@@ -92,8 +92,8 @@
 
     def cell_call(self, row, col, title=None, **kwargs):
         entity = self.entity(row, col)
-        url = html_escape(entity.download_url())
-        self.w(u'<a href="%s">%s</a>' % (url, html_escape(title or entity.dc_title())))
+        url = xml_escape(entity.download_url())
+        self.w(u'<a href="%s">%s</a>' % (url, xml_escape(title or entity.dc_title())))
 
 
 class IDownloadablePrimaryView(primary.PrimaryView):
@@ -124,9 +124,9 @@
     def cell_call(self, row, col, title=None, **kwargs):
         """the secondary view is a link to download the file"""
         entity = self.entity(row, col)
-        url = html_escape(entity.absolute_url())
-        name = html_escape(title or entity.download_file_name())
-        durl = html_escape(entity.download_url())
+        url = xml_escape(entity.absolute_url())
+        name = xml_escape(title or entity.download_file_name())
+        durl = xml_escape(entity.download_url())
         self.w(u'<a href="%s">%s</a> [<a href="%s">%s</a>]' %
                (url, name, durl, self.req._('download')))
 
@@ -147,6 +147,6 @@
     def cell_call(self, row, col):
         entity = self.entity(row, col)
         #if entity.data_format.startswith('image/'):
-        self.w(u'<img src="%s" alt="%s"/>' % (html_escape(entity.download_url()),
-                                              html_escape(entity.download_file_name())))
+        self.w(u'<img src="%s" alt="%s"/>' % (xml_escape(entity.download_url()),
+                                              xml_escape(entity.download_file_name())))
 
--- a/web/views/iprogress.py	Tue Jul 07 13:25:24 2009 +0200
+++ b/web/views/iprogress.py	Tue Jul 07 13:26:44 2009 +0200
@@ -8,7 +8,7 @@
 
 __docformat__ = "restructuredtext en"
 
-from logilab.mtconverter import html_escape
+from logilab.mtconverter import xml_escape
 
 from cubicweb.selectors import implements
 from cubicweb.interfaces import IProgress, IMileStone
@@ -99,7 +99,7 @@
                 colname = meth(ecls)
             else:
                 colname = _(column)
-            self.w(u'<th>%s</th>' % html_escape(colname))
+            self.w(u'<th>%s</th>' % xml_escape(colname))
         self.w(u'</tr></thead>\n')
 
 
@@ -117,7 +117,7 @@
 
     def build_state_cell(self, entity):
         """``state`` column cell renderer"""
-        return html_escape(self.req._(entity.state))
+        return xml_escape(self.req._(entity.state))
 
     def build_eta_date_cell(self, entity):
         """``eta_date`` column cell renderer"""
--- a/web/views/isioc.py	Tue Jul 07 13:25:24 2009 +0200
+++ b/web/views/isioc.py	Tue Jul 07 13:26:44 2009 +0200
@@ -7,7 +7,7 @@
 """
 __docformat__ = "restructuredtext en"
 
-from logilab.mtconverter import html_escape
+from logilab.mtconverter import xml_escape
 
 from cubicweb.view import EntityView
 from cubicweb.selectors import implements
@@ -45,11 +45,11 @@
 
     def cell_call(self, row, col):
         entity = self.complete_entity(row, col)
-        sioct = html_escape(entity.isioc_type())
+        sioct = xml_escape(entity.isioc_type())
         self.w(u'<sioc:%s rdf:about="%s">\n'
-               % (sioct, html_escape(entity.absolute_url())))
+               % (sioct, xml_escape(entity.absolute_url())))
         self.w(u'<dcterms:title>%s</dcterms:title>'
-               % html_escape(entity.dc_title()))
+               % xml_escape(entity.dc_title()))
         self.w(u'<dcterms:created>%s</dcterms:created>'
                % entity.creation_date)
         self.w(u'<dcterms:modified>%s</dcterms:modified>'
@@ -66,25 +66,25 @@
 
     def cell_call(self, row, col):
         entity = self.complete_entity(row, col)
-        sioct = html_escape(entity.isioc_type())
+        sioct = xml_escape(entity.isioc_type())
         self.w(u'<sioc:%s rdf:about="%s">\n'
-               %  (sioct, html_escape(entity.absolute_url())))
+               %  (sioct, xml_escape(entity.absolute_url())))
         self.w(u'<dcterms:title>%s</dcterms:title>'
-               % html_escape(entity.dc_title()))
+               % xml_escape(entity.dc_title()))
         self.w(u'<dcterms:created>%s</dcterms:created>'
                % entity.creation_date)
         self.w(u'<dcterms:modified>%s</dcterms:modified>'
                % entity.modification_date)
         if entity.content:
             self.w(u'<sioc:content>%s</sioc:content>'''
-                   % html_escape(entity.isioc_content()))
+                   % xml_escape(entity.isioc_content()))
         if entity.related('entry_of'):
             self.w(u'<sioc:has_container rdf:resource="%s"/>\n'
-                   % html_escape(entity.isioc_container().absolute_url()))
+                   % xml_escape(entity.isioc_container().absolute_url()))
         if entity.creator:
             self.w(u'<sioc:has_creator>\n')
             self.w(u'<sioc:User rdf:about="%s">\n'
-                   % html_escape(entity.creator.absolute_url()))
+                   % xml_escape(entity.creator.absolute_url()))
             self.w(entity.creator.view('foaf'))
             self.w(u'</sioc:User>\n')
             self.w(u'</sioc:has_creator>\n')
--- a/web/views/management.py	Tue Jul 07 13:25:24 2009 +0200
+++ b/web/views/management.py	Tue Jul 07 13:26:44 2009 +0200
@@ -9,7 +9,7 @@
 __docformat__ = "restructuredtext en"
 _ = unicode
 
-from logilab.mtconverter import html_escape
+from logilab.mtconverter import xml_escape
 
 from cubicweb.selectors import yes, none_rset, match_user_groups, authenticated_user
 from cubicweb.view import AnyRsetView, StartupView, EntityView
@@ -84,8 +84,8 @@
         _ = self.req._
         w(u'<h1><span class="etype">%s</span> <a href="%s">%s</a></h1>'
           % (entity.dc_type().capitalize(),
-             html_escape(entity.absolute_url()),
-             html_escape(entity.dc_title())))
+             xml_escape(entity.absolute_url()),
+             xml_escape(entity.dc_title())))
         # first show permissions defined by the schema
         self.w('<h2>%s</h2>' % _('schema\'s permissions definitions'))
         self.schema_definition(entity.e_schema)
@@ -141,7 +141,7 @@
                 # and this will replace %s by %25s
                 delurl += '&__delete=%s:require_permission:%%s' % entity.eid
                 dellinktempl = u'[<a href="%s" title="%s">-</a>]&nbsp;' % (
-                    html_escape(delurl), _('delete this permission'))
+                    xml_escape(delurl), _('delete this permission'))
             else:
                 dellinktempl = None
             w(u'<table class="schemaInfo">')
@@ -218,14 +218,14 @@
         if excinfo is not None and self.config['print-traceback']:
             if exclass is None:
                 w(u'<div class="tb">%s</div>'
-                       % html_escape(ex).replace("\n","<br />"))
+                       % xml_escape(ex).replace("\n","<br />"))
             else:
                 w(u'<div class="tb">%s: %s</div>'
-                       % (exclass, html_escape(ex).replace("\n","<br />")))
+                       % (exclass, xml_escape(ex).replace("\n","<br />")))
             w(u'<hr />')
             w(u'<div class="tb">%s</div>' % html_traceback(excinfo, ex, ''))
         else:
-            w(u'<div class="tb">%s</div>' % (html_escape(ex).replace("\n","<br />")))
+            w(u'<div class="tb">%s</div>' % (xml_escape(ex).replace("\n","<br />")))
         # if excinfo is not None, it's probably not a bug
         if excinfo is None:
             return
@@ -272,7 +272,7 @@
             return unicode(repr(ex), encoding, 'replace')
 
 def text_error_description(ex, excinfo, req, eversion, cubes):
-    binfo = rest_traceback(excinfo, html_escape(ex))
+    binfo = rest_traceback(excinfo, xml_escape(ex))
     binfo += u'\n\n:URL: %s\n' % req.url()
     if not '__bugreporting' in req.form:
         binfo += u'\n:form params:\n'
@@ -322,7 +322,7 @@
         self.w(u'<table border="1">')
         for attr in env.keys():
             self.w(u'<tr><th align="left">%s</th><td>%s</td></tr>'
-                   % (attr, html_escape(env[attr])))
+                   % (attr, xml_escape(env[attr])))
         self.w(u'</table>')
         self.w(u'<h3>%s</h3>' % _('Request'))
         self.w(u'<table border="1">')
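Review bot: In the `<tr><th align="left">%s</th>...` row the key `attr` is written unescaped while the value beside it goes through `xml_escape`. The hunk does not show where `env` comes from; if its keys can be derived from the request (header names, for instance), the key needs the same treatment: `% (xml_escape(attr), xml_escape(env[attr]))`. Iterating `env.items()` would also avoid the second lookup. The enclosing method starts outside the hunk.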
@@ -331,7 +331,7 @@
                      'search_state', 'the_request', 'unparsed_uri', 'uri'):
             val = getattr(req, attr)
             self.w(u'<tr><th align="left">%s</th><td>%s</td></tr>'
-                   % (attr, html_escape(val)))
+                   % (attr, xml_escape(val)))
         self.w(u'</table>')
         server = req.server
         self.w(u'<h3>%s</h3>' % _('Server'))
@@ -341,6 +341,6 @@
             if attr.startswith('_') or callable(val):
                 continue
             self.w(u'<tr><th align="left">%s</th><td>%s</td></tr>'
-                   % (attr, html_escape(val)))
+                   % (attr, xml_escape(val)))
         self.w(u'</table>')
 
--- a/web/views/navigation.py	Tue Jul 07 13:25:24 2009 +0200
+++ b/web/views/navigation.py	Tue Jul 07 13:26:44 2009 +0200
@@ -10,7 +10,7 @@
 
 from rql.nodes import VariableRef, Constant
 
-from logilab.mtconverter import html_escape
+from logilab.mtconverter import xml_escape
 from logilab.common.deprecation import obsolete
 
 from cubicweb.interfaces import IPrevNext
@@ -135,7 +135,7 @@
     def format_link_content(self, startstr, stopstr):
         text = u'%s - %s' % (startstr.lower()[:self.nb_chars],
                              stopstr.lower()[:self.nb_chars])
-        return html_escape(text)
+        return xml_escape(text)
 
     def write_links(self, params, blocklist):
         self.w(u'<div class="pagination">')
@@ -158,7 +158,7 @@
         nav.clean_params(params)
         # make a link to see them all
         if show_all_option:
-            url = html_escape(self.build_url(__force_display=1, **params))
+            url = xml_escape(self.build_url(__force_display=1, **params))
             w(u'<p><a href="%s">%s</a></p>\n'
               % (url, req._('show %s results') % len(rset)))
         rset.limit(offset=start, limit=stop-start, inplace=True)
@@ -197,24 +197,24 @@
                 self.w(self.previous_link(previous, textsize))
                 self.w(u'</div>')
                 self.req.html_headers.add_raw('<link rel="prev" href="%s" />'
-                                              % html_escape(previous.absolute_url()))
+                                              % xml_escape(previous.absolute_url()))
             if next:
                 self.w(u'<div class="nextEntity right">')
                 self.w(self.next_link(next, textsize))
                 self.w(u'</div>')
                 self.req.html_headers.add_raw('<link rel="next" href="%s" />'
-                                              % html_escape(next.absolute_url()))
+                                              % xml_escape(next.absolute_url()))
             self.w(u'</div>')
             self.w(u'<div class="clear"></div>')
 
     def previous_link(self, previous, textsize):
         return u'<a href="%s" title="%s">&lt;&lt; %s</a>' % (
-            html_escape(previous.absolute_url()),
+            xml_escape(previous.absolute_url()),
             self.req._('i18nprevnext_previous'),
-            html_escape(cut(previous.dc_title(), textsize)))
+            xml_escape(cut(previous.dc_title(), textsize)))
 
     def next_link(self, next, textsize):
         return u'<a href="%s" title="%s">%s &gt;&gt;</a>' % (
-            html_escape(next.absolute_url()),
+            xml_escape(next.absolute_url()),
             self.req._('i18nprevnext_next'),
-            html_escape(cut(next.dc_title(), textsize)))
+            xml_escape(cut(next.dc_title(), textsize)))
--- a/web/views/old_calendar.py	Tue Jul 07 13:25:24 2009 +0200
+++ b/web/views/old_calendar.py	Tue Jul 07 13:26:44 2009 +0200
@@ -8,7 +8,7 @@
 
 from datetime import date, time, timedelta
 
-from logilab.mtconverter import html_escape
+from logilab.mtconverter import xml_escape
 
 from cubicweb.interfaces import ICalendarViews
 from cubicweb.utils import ONEDAY, ONEWEEK, date_range, first_day, last_day, previous_month, next_month, days_in_month
@@ -46,13 +46,13 @@
         next2 = next_month(date, bigshift)
         rql = self.rset.printable_rql()
         return self.NAV_HEADER % (
-            html_escape(self.build_url(rql=rql, vid=self.id, year=prev2.year,
+            xml_escape(self.build_url(rql=rql, vid=self.id, year=prev2.year,
                                        month=prev2.month)),
-            html_escape(self.build_url(rql=rql, vid=self.id, year=prev1.year,
+            xml_escape(self.build_url(rql=rql, vid=self.id, year=prev1.year,
                                        month=prev1.month)),
-            html_escape(self.build_url(rql=rql, vid=self.id, year=next1.year,
+            xml_escape(self.build_url(rql=rql, vid=self.id, year=next1.year,
                                        month=next1.month)),
-            html_escape(self.build_url(rql=rql, vid=self.id, year=next2.year,
+            xml_escape(self.build_url(rql=rql, vid=self.id, year=next2.year,
                                        month=next2.month)))
 
 
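Review bot: The rename leaves the continuation lines misaligned: `month=prev2.month)),` and its three siblings appear to have been indented to sit under the first argument of `html_escape(self.build_url(`, and the opening call is now one column shorter. Re-indent each continuation by one column so that `month=` lines up under `rql=` again. The same drift shows in later hunks of this file (`-203`, `-326`, `-367`, `-417`, `-425`, `-442`) and in the web/views/treeview.py and web/views/workflow.py hunks.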
@@ -91,7 +91,7 @@
             rows.append(u'<tr>%s%s</tr>' % (WEEKNUM_CELL % day.isocalendar()[1], ''.join(current_row)))
         url = self.build_url(rql=rql, vid='calendarmonth',
                              year=first_day.year, month=first_day.month)
-        monthlink = u'<a href="%s">%s</a>' % (html_escape(url), umonth)
+        monthlink = u'<a href="%s">%s</a>' % (xml_escape(url), umonth)
         return CALENDAR(self.req) % (monthlink, '\n'.join(rows))
 
     def _mk_schedule(self, begin, end, itemvid='calendaritem'):
@@ -203,7 +203,7 @@
             umonth = u'%s&nbsp;%s' % (self.format_date(cur_month, '%B'), cur_month.year)
             url = self.build_url(rql=rql, vid=self.id,
                                  year=cur_month.year, month=cur_month.month)
-            self.w(u'<th colspan="2"><a href="%s">%s</a></th>' % (html_escape(url),
+            self.w(u'<th colspan="2"><a href="%s">%s</a></th>' % (xml_escape(url),
                                                                   umonth))
         self.w(u'</tr>')
         _ = self.req._
@@ -272,7 +272,7 @@
             umonth = self.format_date(monday, '%B %Y')
             url = self.build_url(rql=rql, vid='calendarmonth',
                                  year=monday.year, month=monday.month)
-            monthlink = '<a href="%s">%s</a>' % (html_escape(url), umonth)
+            monthlink = '<a href="%s">%s</a>' % (xml_escape(url), umonth)
             self.w(u'<tr><th colspan="3">%s %s (%s)</th></tr>' \
                   % (_('week'), monday.isocalendar()[1], monthlink))
             for day in date_range(monday, sunday):
@@ -295,10 +295,10 @@
         next2 = date + ONEWEEK * bigshift
         rql = self.rset.printable_rql()
         return self.NAV_HEADER % (
-            html_escape(self.build_url(rql=rql, vid=self.id, year=prev2.year, week=prev2.isocalendar()[1])),
-            html_escape(self.build_url(rql=rql, vid=self.id, year=prev1.year, week=prev1.isocalendar()[1])),
-            html_escape(self.build_url(rql=rql, vid=self.id, year=next1.year, week=next1.isocalendar()[1])),
-            html_escape(self.build_url(rql=rql, vid=self.id, year=next2.year, week=next2.isocalendar()[1])))
+            xml_escape(self.build_url(rql=rql, vid=self.id, year=prev2.year, week=prev2.isocalendar()[1])),
+            xml_escape(self.build_url(rql=rql, vid=self.id, year=prev1.year, week=prev1.isocalendar()[1])),
+            xml_escape(self.build_url(rql=rql, vid=self.id, year=next1.year, week=next1.isocalendar()[1])),
+            xml_escape(self.build_url(rql=rql, vid=self.id, year=next2.year, week=next2.isocalendar()[1])))
 
 
 
@@ -326,7 +326,7 @@
             if day.weekday() == 6:
                 url = self.build_url(rql=rql, vid='ampmcalendarweek',
                                      year=day.year, week=day.isocalendar()[1])
-                weeklink = '<a href="%s">%s</a>' % (html_escape(url),
+                weeklink = '<a href="%s">%s</a>' % (xml_escape(url),
                                                     day.isocalendar()[1])
                 current_row.append(WEEKNUM_CELL % weeklink)
                 rows.append(current_row)
@@ -334,7 +334,7 @@
         current_row.extend([(NO_CELL, NO_CELL, NO_CELL)] * (6-day.weekday()))
         url = self.build_url(rql=rql, vid='ampmcalendarweek',
                              year=day.year, week=day.isocalendar()[1])
-        weeklink = '<a href="%s">%s</a>' % (html_escape(url), day.isocalendar()[1])
+        weeklink = '<a href="%s">%s</a>' % (xml_escape(url), day.isocalendar()[1])
         current_row.append(WEEKNUM_CELL % weeklink)
         rows.append(current_row)
         # build two rows for each week: am & pm
@@ -350,7 +350,7 @@
         # tigh everything together
         url = self.build_url(rql=rql, vid='ampmcalendarmonth',
                              year=first_day.year, month=first_day.month)
-        monthlink = '<a href="%s">%s</a>' % (html_escape(url), umonth)
+        monthlink = '<a href="%s">%s</a>' % (xml_escape(url), umonth)
         return CALENDAR(self.req) % (monthlink, '\n'.join(formatted_rows))
 
 
@@ -367,7 +367,7 @@
             umonth = u'%s&nbsp;%s' % (self.format_date(cur_month, '%B'), cur_month.year)
             url = self.build_url(rql=rql, vid=self.id,
                                  year=cur_month.year, month=cur_month.month)
-            self.w(u'<th colspan="3"><a href="%s">%s</a></th>' % (html_escape(url),
+            self.w(u'<th colspan="3"><a href="%s">%s</a></th>' % (xml_escape(url),
                                                                   umonth))
         self.w(u'</tr>')
         _ = self.req._
@@ -417,7 +417,7 @@
             if day.weekday() == 6:
                 url = self.build_url(rql=rql, vid='ampmcalendarweek',
                                      year=day.year, week=day.isocalendar()[1])
-                weeklink = '<a href="%s">%s</a>' % (html_escape(url),
+                weeklink = '<a href="%s">%s</a>' % (xml_escape(url),
                                                     day.isocalendar()[1])
                 current_row.append(WEEKNUM_CELL % weeklink)
                 rows.append(current_row)
@@ -425,7 +425,7 @@
         current_row.extend([(NO_CELL, NO_CELL, NO_CELL)] * (6-day.weekday()))
         url = self.build_url(rql=rql, vid='ampmcalendarweek',
                              year=day.year, week=day.isocalendar()[1])
-        weeklink = '<a href="%s">%s</a>' % (html_escape(url),
+        weeklink = '<a href="%s">%s</a>' % (xml_escape(url),
                                             day.isocalendar()[1])
         current_row.append(WEEKNUM_CELL % weeklink)
         rows.append(current_row)
@@ -442,7 +442,7 @@
         # tigh everything together
         url = self.build_url(rql=rql, vid='ampmcalendarmonth',
                              year=first_day.year, month=first_day.month)
-        monthlink = '<a href="%s">%s</a>' % (html_escape(url),
+        monthlink = '<a href="%s">%s</a>' % (xml_escape(url),
                                              umonth)
         return CALENDAR(self.req) % (monthlink, '\n'.join(formatted_rows))
 
@@ -461,7 +461,7 @@
             umonth = self.format_date(monday, '%B %Y')
             url = self.build_url(rql=rql, vid='ampmcalendarmonth',
                                  year=monday.year, month=monday.month)
-            monthlink = '<a href="%s">%s</a>' % (html_escape(url), umonth)
+            monthlink = '<a href="%s">%s</a>' % (xml_escape(url), umonth)
             w(u'<tr>%s</tr>' % (
                 WEEK_TITLE % (_('week'), monday.isocalendar()[1], monthlink)))
             w(u'<tr><th>%s</th><th>&nbsp;</th></tr>'% _(u'Date'))
--- a/web/views/plots.py	Tue Jul 07 13:25:24 2009 +0200
+++ b/web/views/plots.py	Tue Jul 07 13:26:44 2009 +0200
@@ -13,7 +13,7 @@
 from simplejson import dumps
 
 from logilab.common import flatten
-from logilab.mtconverter import html_escape
+from logilab.mtconverter import xml_escape
 
 from cubicweb.utils import make_uid, UStringIO, datetime2ticks
 from cubicweb.vregistry import objectify_selector
@@ -167,7 +167,7 @@
                 piechart.size(width, height)
             if self.title:
                 piechart.title(self.title)
-            self.w(u'<img src="%s" />' % html_escape(piechart.url))
+            self.w(u'<img src="%s" />' % xml_escape(piechart.url))
 
     class PieChartView(baseviews.AnyRsetView):
         id = 'piechart'
--- a/web/views/primary.py	Tue Jul 07 13:25:24 2009 +0200
+++ b/web/views/primary.py	Tue Jul 07 13:26:44 2009 +0200
@@ -10,7 +10,7 @@
 
 from warnings import warn
 
-from logilab.mtconverter import html_escape
+from logilab.mtconverter import xml_escape
 
 from cubicweb import Unauthorized
 from cubicweb.view import EntityView
@@ -100,7 +100,7 @@
 
     def render_entity_title(self, entity):
         """default implementation return dc_title"""
-        title = html_escape(entity.dc_title())
+        title = xml_escape(entity.dc_title())
         if title:
             self.w(u'<h1><span class="etype">%s</span> %s</h1>'
                    % (entity.dc_type().capitalize(), title))
--- a/web/views/schema.py	Tue Jul 07 13:25:24 2009 +0200
+++ b/web/views/schema.py	Tue Jul 07 13:26:44 2009 +0200
@@ -9,7 +9,7 @@
 
 from itertools import cycle
 
-from logilab.mtconverter import html_escape
+from logilab.mtconverter import xml_escape
 from yams import schema2dot as s2d
 
 from cubicweb.selectors import implements, yes
@@ -40,7 +40,7 @@
     def render_entity_title(self, entity):
         self.w(u'<h1><span class="etype">%s</span> %s</h1>'
                % (entity.dc_type().capitalize(),
-                  html_escape(entity.dc_long_title())))
+                  xml_escape(entity.dc_long_title())))
 
 
 # CWEType ######################################################################
@@ -119,8 +119,8 @@
         entity = self.entity(row, col)
         url = entity.absolute_url(vid='schemagraph')
         self.w(u'<img src="%s" alt="%s"/>' % (
-            html_escape(url),
-            html_escape(self.req._('graphical schema for %s') % entity.name)))
+            xml_escape(url),
+            xml_escape(self.req._('graphical schema for %s') % entity.name)))
 
 class CWETypeSPermView(EntityView):
     id = 'cwetype-schema-permissions'
@@ -157,8 +157,8 @@
         entity = self.entity(row, col)
         if entity.reverse_state_of:
             self.w(u'<img src="%s" alt="%s"/>' % (
-                    html_escape(entity.absolute_url(vid='ewfgraph')),
-                    html_escape(self.req._('graphical workflow for %s') % entity.name)))
+                    xml_escape(entity.absolute_url(vid='ewfgraph')),
+                    xml_escape(self.req._('graphical workflow for %s') % entity.name)))
         else:
             self.w(u'<p>%s</p>' % _('There is no workflow defined for this entity.'))
 
--- a/web/views/startup.py	Tue Jul 07 13:25:24 2009 +0200
+++ b/web/views/startup.py	Tue Jul 07 13:26:44 2009 +0200
@@ -10,7 +10,7 @@
 _ = unicode
 
 from logilab.common.textutils import unormalize
-from logilab.mtconverter import html_escape
+from logilab.mtconverter import xml_escape
 
 from cubicweb.view import StartupView
 from cubicweb.selectors import match_user_groups, implements
@@ -77,7 +77,7 @@
             else:
                 href = req.build_url('view', vid='creation', etype='Card', wikiid='index')
                 label = self.req._('create an index page')
-            self.w(u'<br/><a href="%s">%s</a>\n' % (html_escape(href), label))
+            self.w(u'<br/><a href="%s">%s</a>\n' % (xml_escape(href), label))
 
     def folders(self):
         self.w(u'<h4>%s</h4>\n' % self.req._('Browse by category'))
@@ -92,7 +92,7 @@
             if v.category != 'startupview' or v.id in ('index', 'tree', 'manage'):
                 continue
             self.w('<p><a href="%s">%s</a></p>' % (
-                html_escape(v.url()), html_escape(self.req._(v.title).capitalize())))
+                xml_escape(v.url()), xml_escape(self.req._(v.title).capitalize())))
 
     def entities(self):
         schema = self.schema
@@ -146,7 +146,7 @@
             else:
                 url = self.build_url('view', rql='%s X' % etype)
             etypelink = u'&nbsp;<a href="%s">%s</a> (%d)' % (
-                html_escape(url), label, nb)
+                xml_escape(url), label, nb)
             yield (label, etypelink, self.add_entity_link(eschema, req))
 
     def add_entity_link(self, eschema, req):
@@ -154,7 +154,7 @@
         if not eschema.has_perm(req, 'add'):
             return u''
         return u'[<a href="%s" title="%s">+</a>]' % (
-            html_escape(self.create_url(eschema.type)),
+            xml_escape(self.create_url(eschema.type)),
             self.req.__('add a %s' % eschema))
 
 
@@ -186,9 +186,9 @@
         self.w(_(u'<div>This schema of the data model <em>excludes</em> the '
                  u'meta-data, but you can also display a <a href="%s">complete '
                  u'schema with meta-data</a>.</div>')
-               % html_escape(self.build_url('view', vid='schemagraph', withmeta=1)))
+               % xml_escape(self.build_url('view', vid='schemagraph', withmeta=1)))
         self.w(u'<img src="%s" alt="%s"/>\n' % (
-            html_escape(self.req.build_url('view', vid='schemagraph', withmeta=0)),
+            xml_escape(self.req.build_url('view', vid='schemagraph', withmeta=0)),
             self.req._("graphical representation of the application'schema")))
 
 
@@ -234,14 +234,14 @@
         self.w(u'<h4>%s</h4>' %   _('Entities').capitalize())
         ents = []
         for eschema in sorted(entities):
-            url = html_escape(self.build_url('schema', **formparams))
+            url = xml_escape(self.build_url('schema', **formparams))
             ents.append(u'<a class="grey" href="%s#%s">%s</a> (%s)' % (
                 url,  eschema.type, eschema.type, _(eschema.type)))
         self.w(u', '.join(ents))
         self.w(u'<h4>%s</h4>' % (_('relations').capitalize()))
         rels = []
         for rschema in sorted(relations):
-            url = html_escape(self.build_url('schema', **formparams))
+            url = xml_escape(self.build_url('schema', **formparams))
             rels.append(u'<a class="grey" href="%s#%s">%s</a> (%s), ' %  (
                 url , rschema.type, rschema.type, _(rschema.type)))
         self.w(u', '.join(ents))
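Review bot: The last line of the hunk writes `u', '.join(ents)` a second time, after the loop that fills `rels`, so the relation links built just above are not emitted by this code and the entity list is printed twice; it looks like a copy-paste slip, and `self.w(u', '.join(rels))` is presumably what was meant (unless `rels` is written after the hunk ends). The `rels` template also ends in `(%s), `, which would double the separator once joined with `u', '`. In both loops `xml_escape(self.build_url('schema', **formparams))` does not depend on the loop variable and can be computed once before the loop. The enclosing method starts and ends outside the hunk.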
@@ -259,7 +259,7 @@
         for eschema in sorted(entities):
             self.w(u'<a id="%s" href="%s"/>' %  (eschema.type, eschema.type))
             self.w(u'<h3 class="schema">%s (%s) ' % (eschema.type, _(eschema.type)))
-            url = html_escape(self.build_url('schema', **formparams) + '#index')
+            url = xml_escape(self.build_url('schema', **formparams) + '#index')
             self.w(u'<a href="%s"><img src="%s" alt="%s"/></a>' % (url,  self.req.external_resource('UP_ICON'), _('up')))
             self.w(u'</h3>')
             self.w(u'<div style="margin: 0px 1.5em">')
@@ -289,7 +289,7 @@
         for rschema in sorted(relations):
             self.w(u'<a id="%s" href="%s"/>' %  (rschema.type, rschema.type))
             self.w(u'<h3 class="schema">%s (%s) ' % (rschema.type, _(rschema.type)))
-            url = html_escape(self.build_url('schema', **formparams) + '#index')
+            url = xml_escape(self.build_url('schema', **formparams) + '#index')
             self.w(u'<a href="%s"><img src="%s" alt="%s"/></a>' % (url,  self.req.external_resource('UP_ICON'), _('up')))
             self.w(u'</h3>')
             self.w(u'<div style="margin: 0px 1.5em">')
--- a/web/views/tableview.py	Tue Jul 07 13:25:24 2009 +0200
+++ b/web/views/tableview.py	Tue Jul 07 13:26:44 2009 +0200
@@ -10,7 +10,7 @@
 
 from simplejson import dumps
 
-from logilab.mtconverter import html_escape
+from logilab.mtconverter import xml_escape
 
 from cubicweb.selectors import nonempty_rset, match_form_params
 from cubicweb.utils import make_uid
@@ -55,7 +55,7 @@
         # drop False / None values from vidargs
         vidargs = dict((k, v) for k, v in vidargs.iteritems() if v)
         self.w(u'<form method="post" cubicweb:facetargs="%s" action="">' %
-               html_escape(dumps([divid, 'table', False, vidargs])))
+               xml_escape(dumps([divid, 'table', False, vidargs])))
         self.w(u'<fieldset id="%sForm" class="%s">' % (divid, hidden and 'hidden' or ''))
         self.w(u'<input type="hidden" name="divid" value="%s" />' % divid)
         filter_hiddens(self.w, facets=','.join(wdg.facet.id for wdg in fwidgets), baserql=baserql)
@@ -178,7 +178,7 @@
         box = MenuWidget('', 'tableActionsBox', _class='', islist=False)
         label = '<img src="%s" alt="%s"/>' % (
             self.req.datadir_url + 'liveclipboard-icon.png',
-            html_escape(self.req._('action(s) on this selection')))
+            xml_escape(self.req._('action(s) on this selection')))
         menu = PopupBoxMenu(label, isitem=False, link_class='actionsBox',
                             ident='%sActions' % divid)
         box.append(menu)
--- a/web/views/tabs.py	Tue Jul 07 13:25:24 2009 +0200
+++ b/web/views/tabs.py	Tue Jul 07 13:26:44 2009 +0200
@@ -8,7 +8,7 @@
 
 __docformat__ = "restructuredtext en"
 
-from logilab.mtconverter import html_escape
+from logilab.mtconverter import xml_escape
 
 from cubicweb import NoSelectableObject, role
 from cubicweb.selectors import partial_has_related_entities
@@ -47,7 +47,7 @@
         elif rset:
             urlparams['rql'] = rset.printable_rql()
         w(u'<div id="lazy-%s" cubicweb:loadurl="%s">' % (
-            vid, html_escape(self.build_url('json', **urlparams))))
+            vid, xml_escape(self.build_url('json', **urlparams))))
         if show_spinbox:
             w(u'<img src="data/loading.gif" id="%s-hole" alt="%s"/>'
               % (vid, self.req._('loading')))
--- a/web/views/timeline.py	Tue Jul 07 13:25:24 2009 +0200
+++ b/web/views/timeline.py	Tue Jul 07 13:26:44 2009 +0200
@@ -11,7 +11,7 @@
 
 import simplejson
 
-from logilab.mtconverter import html_escape
+from logilab.mtconverter import xml_escape
 
 from cubicweb.interfaces import ICalendarable
 from cubicweb.selectors import implements
@@ -68,7 +68,7 @@
         if start is None and stop is None:
             return None
         event_data = {'start': start.strftime(self.date_fmt),
-                      'title': html_escape(entity.dc_title()),
+                      'title': xml_escape(entity.dc_title()),
                       'description': entity.dc_description(format='text/html'),
                       'link': entity.absolute_url(),
                       }
@@ -95,7 +95,7 @@
             additional = u''
         self.w(u'<div class="widget" cubicweb:wdgtype="%s" '
                u'cubicweb:loadtype="auto" cubicweb:loadurl="%s" %s >' %
-               (self.widget_class, html_escape(loadurl),
+               (self.widget_class, xml_escape(loadurl),
                 additional))
         self.w(u'</div>')
 
--- a/web/views/timetable.py	Tue Jul 07 13:25:24 2009 +0200
+++ b/web/views/timetable.py	Tue Jul 07 13:26:44 2009 +0200
@@ -6,7 +6,7 @@
 :license: GNU Lesser General Public License, v2.1 - http://www.gnu.org/licenses
 """
 
-from logilab.mtconverter import html_escape
+from logilab.mtconverter import xml_escape
 
 from cubicweb.interfaces import ITimetableViews
 from cubicweb.selectors import implements
@@ -190,7 +190,7 @@
                     if value:
                         task_descr, first_row = value
                         if first_row:
-                            url = html_escape(task_descr.task.absolute_url(vid="edition"))
+                            url = xml_escape(task_descr.task.absolute_url(vid="edition"))
                             self.w(u'<td rowspan="%d" class="%s %s" onclick="document.location=\'%s\'">&nbsp;<div>' % (
                                 task_descr.lines, task_descr.color, filled_klasses[kj], url))
                             task_descr.task.view('tooltip', w=self.w)
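Review bot: `url` is escaped for markup and then placed inside a JavaScript string literal in `onclick="document.location='%s'"`, which is a different output context. The HTML parser decodes character references in the attribute before the handler is compiled, so markup escaping alone does not keep a quote or backslash in the value inside the string; whether `absolute_url()` can return such characters is not visible here. Encoding the value as a JavaScript string first and escaping the result closes the gap: `url = xml_escape(dumps(task_descr.task.absolute_url(vid="edition")))` with `onclick="document.location=%s"` in the template (`dumps` from `simplejson`, which other views in this changeset import; this file's imports are only partly visible). The enclosing method starts and ends outside the hunk.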
--- a/web/views/treeview.py	Tue Jul 07 13:25:24 2009 +0200
+++ b/web/views/treeview.py	Tue Jul 07 13:26:44 2009 +0200
@@ -8,7 +8,7 @@
 __docformat__ = "restructuredtext en"
 
 from logilab.common.decorators import monkeypatch
-from logilab.mtconverter import html_escape
+from logilab.mtconverter import xml_escape
 
 from cubicweb.utils import make_uid
 from cubicweb.interfaces import ITree
@@ -113,7 +113,7 @@
             w(u'<li class="%s">' % u' '.join(liclasses))
         else:
             rql = entity.children_rql() % {'x': entity.eid}
-            url = html_escape(self.build_url('json', rql=rql, vid=parentvid,
+            url = xml_escape(self.build_url('json', rql=rql, vid=parentvid,
                                              pageid=self.req.pageid,
                                              treeid=treeid,
                                              fname='view',
--- a/web/views/workflow.py	Tue Jul 07 13:25:24 2009 +0200
+++ b/web/views/workflow.py	Tue Jul 07 13:26:44 2009 +0200
@@ -11,7 +11,7 @@
 __docformat__ = "restructuredtext en"
 _ = unicode
 
-from logilab.mtconverter import html_escape
+from logilab.mtconverter import xml_escape
 from logilab.common.graph import escape, GraphGenerator, DotBackend
 
 from cubicweb import Unauthorized, view
@@ -119,7 +119,7 @@
     __select__ = implements('State')
 
     def cell_call(self, row, col):
-        self.w(html_escape(self.view('textincontext', self.rset,
+        self.w(xml_escape(self.view('textincontext', self.rset,
                                      row=row, col=col)))
 
 
@@ -146,8 +146,8 @@
         self.w(u'<h1>%s</h1>' % (self.req._('workflow for %s')
                                  % display_name(self.req, entity.name)))
         self.w(u'<img src="%s" alt="%s"/>' % (
-            html_escape(entity.absolute_url(vid='ewfgraph')),
-            html_escape(self.req._('graphical workflow for %s') % entity.name)))
+            xml_escape(entity.absolute_url(vid='ewfgraph')),
+            xml_escape(self.req._('graphical workflow for %s') % entity.name)))
 
 
 class WorkflowDotPropsHandler(object):
--- a/web/views/xbel.py	Tue Jul 07 13:25:24 2009 +0200
+++ b/web/views/xbel.py	Tue Jul 07 13:26:44 2009 +0200
@@ -8,7 +8,7 @@
 __docformat__ = "restructuredtext en"
 _ = unicode
 
-from logilab.mtconverter import html_escape
+from logilab.mtconverter import xml_escape
 
 from cubicweb.selectors import implements
 from cubicweb.view import EntityView
@@ -42,8 +42,8 @@
 
     def cell_call(self, row, col):
         entity = self.complete_entity(row, col)
-        self.w(u'<bookmark href="%s">' % html_escape(self.url(entity)))
-        self.w(u'  <title>%s</title>' % html_escape(entity.dc_title()))
+        self.w(u'<bookmark href="%s">' % xml_escape(self.url(entity)))
+        self.w(u'  <title>%s</title>' % xml_escape(entity.dc_title()))
         self.w(u'</bookmark>')
 
     def url(self, entity):
--- a/web/widgets.py	Tue Jul 07 13:25:24 2009 +0200
+++ b/web/widgets.py	Tue Jul 07 13:26:44 2009 +0200
@@ -12,7 +12,7 @@
 
 from datetime import datetime
 
-from logilab.mtconverter import html_escape
+from logilab.mtconverter import xml_escape
 
 from yams.constraints import SizeConstraint, StaticVocabularyConstraint
 
@@ -247,9 +247,9 @@
         value = self.current_value(entity)
         dvalue = self.current_display_value(entity)
         if isinstance(value, basestring):
-            value = html_escape(value)
+            value = xml_escape(value)
         if isinstance(dvalue, basestring):
-            dvalue = html_escape(dvalue)
+            dvalue = xml_escape(dvalue)
         return u'%s<input type="%s" name="%s" value="%s" %s/>' % (
             self.hidden_input(entity, value), self.input_type,
             self.rname, dvalue, self.format_attrs())
@@ -323,9 +323,9 @@
         value = self.current_value(entity)
         dvalue = self.current_display_value(entity)
         if isinstance(value, basestring):
-            value = html_escape(value)
+            value = xml_escape(value)
         if isinstance(dvalue, basestring):
-            dvalue = html_escape(dvalue)
+            dvalue = xml_escape(dvalue)
         iid = self.attrs.pop('id')
         if self.required(entity):
             cssclass = u' required'
@@ -337,7 +337,7 @@
                     'iid': iid,
                     'hidden': self.hidden_input(entity, value),
                     'wdgtype': self.wdgtype,
-                    'url': html_escape(dataurl),
+                    'url': xml_escape(dataurl),
                     'tabindex': self.attrs.pop('tabindex'),
                     'value': dvalue,
                     'attrs': self.format_attrs(),
@@ -398,7 +398,7 @@
         editor = self._edit_render_textarea(entity, with_format)
         value = self.current_value(entity)
         if isinstance(value, basestring):
-            value = html_escape(value)
+            value = xml_escape(value)
         return u'%s%s' % (self.hidden_input(entity, value), editor)
 
     def _edit_render_textarea(self, entity, with_format):
@@ -406,7 +406,7 @@
         self.attrs.setdefault('rows', 20)
         dvalue = self.current_display_value(entity)
         if isinstance(dvalue, basestring):
-            dvalue = html_escape(dvalue)
+            dvalue = xml_escape(dvalue)
         if entity.use_fckeditor(self.name):
             entity.req.fckeditor_config()
             if with_format:
@@ -472,9 +472,9 @@
             or entity.e_schema.has_metadata(self.name, 'encoding')):
             divid = '%s-%s-advanced' % (self.name, entity.eid)
             wdgs.append(u'<a href="%s" title="%s"><img src="%s" alt="%s"/></a>' %
-                        (html_escape(toggle_action(divid)),
+                        (xml_escape(toggle_action(divid)),
                          req._('show advanced fields'),
-                         html_escape(req.build_url('data/puce_down.png')),
+                         xml_escape(req.build_url('data/puce_down.png')),
                          req._('show advanced fields')))
             wdgs.append(u'<div id="%s" class="hidden">' % divid)
             for extraattr in ('_format', '_encoding'):
@@ -572,7 +572,7 @@
                 res.append(u'<optgroup label="%s"/>' % (label or ''))
             else:
                 value, flag = self.form_value(entity, value, dvalues)
-                res.append(u'<option value="%s" %s>%s</option>' % (value, flag, html_escape(label)))
+                res.append(u'<option value="%s" %s>%s</option>' % (value, flag, xml_escape(label)))
         res.append(u'</select>')
         return '\n'.join(res)
 
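Review bot: The `<optgroup label="%s"/>` branch interpolates `label` unescaped, while the `<option>` branch two lines below escapes the same variable; `res.append(u'<optgroup label="%s"/>' % xml_escape(label or ''))` makes the two consistent. The `value` placed in `value="%s"` is also written as returned by `form_value`, and the hunk does not show whether that helper escapes it. The `-658` hunk repeats both lines. The enclosing method starts outside the hunk.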
@@ -658,7 +658,7 @@
                 res.append(u'<optgroup label="%s"/>' % (label or ''))
             else:
                 value, flag = self.form_value(entity, value, dvalues)
-                res.append(u'<option value="%s" %s>%s</option>' % (value, flag, html_escape(label)))
+                res.append(u'<option value="%s" %s>%s</option>' % (value, flag, xml_escape(label)))
         res.append(u'</select>')
         res.append(u'<div id="newvalue">')
         res.append(u'<input type="text" id="newopt" />')
@@ -819,7 +819,7 @@
         url = getattr(entity, self.name)
         if not url:
             return u''
-        url = html_escape(url)
+        url = xml_escape(url)
         return u'<a href="%s">%s</a>' % (url, url)
 
 class EmbededURLWidget(StringWidget):
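Review bot: The stored `url` is markup-escaped and then used directly as the `href`, which keeps it inside the attribute but puts no restriction on its scheme. If the attribute is not validated when it is saved (not visible here), rendering the link only for an allowlist of schemes such as `http` and `https`, and falling back to the escaped text otherwise, would be the safer default. The following hunk (`-828`, EmbededURLWidget) has a related gap: `aurl` is escaped but the raw `url` is still interpolated as the link text, and `return u'<a href="%s">%s</a>' % (aurl, xml_escape(url))` fixes that.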
@@ -828,7 +828,7 @@
         url = getattr(entity, self.name)
         if not url:
             return u''
-        aurl = html_escape(entity.build_url('embed', url=url))
+        aurl = xml_escape(entity.build_url('embed', url=url))
         return u'<a href="%s">%s</a>' % (aurl, url)