[views] Escape class attribute value in CWGroup incontext view
authorDenis Laxalde <denis.laxalde@logilab.fr>
Thu, 11 Sep 2014 15:17:08 +0200
changeset 10033 b3a1d15965d9
parent 10032 fd1dafb0ab10
child 10034 7d0acf9cb92a
[views] Escape class attribute value in CWGroup incontext view
web/views/cwuser.py
--- a/web/views/cwuser.py	Thu Sep 25 10:50:23 2014 +0200
+++ b/web/views/cwuser.py	Thu Sep 11 15:17:08 2014 +0200
@@ -160,7 +160,8 @@
     def entity_call(self, entity, **kwargs):
         entity.complete()
         self.w(u'<a href="%s" class="%s">%s</a>' % (
-            entity.absolute_url(), entity.name, entity.printable_value('name')))
+            entity.absolute_url(), xml_escape(entity.name),
+            entity.printable_value('name')))
 
 
 # user / groups management views ###############################################
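Review bot: In `entity_call`, the `href` value from `entity.absolute_url()` is still interpolated into a double-quoted attribute unescaped, while only the `class` value now goes through `xml_escape`. If the URL can ever carry `&` or a quote (its construction is outside this hunk), the markup breaks in the same way, so the argument line could read `xml_escape(entity.absolute_url()), xml_escape(entity.name),`. The link text relies on `entity.printable_value('name')` returning already-escaped output, which presumably holds but is not visible here; a one-line comment such as `# printable_value() returns HTML-escaped text` would make that assumption explicit. The hunk also does not show an import for `xml_escape`, so confirm the module already has it in scope.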