missing xml escapes (but textoutofcontext probably ought to be just outofcontext, with no escaping then) stable
authorAurelien Campeas <aurelien.campeas@logilab.fr>
Wed, 13 Jan 2010 18:04:29 +0100
branchstable
changeset 4238 b8ea99f5e8ea
parent 4221 da84ca26896d
child 4242 b4b39745d26e
missing xml escapes (but textoutofcontext probably ought to be just outofcontext, with no escaping then)
web/views/editforms.py
--- a/web/views/editforms.py	Tue Jan 12 17:24:46 2010 +0100
+++ b/web/views/editforms.py	Wed Jan 13 18:04:29 2010 +0100
@@ -91,8 +91,8 @@
         w(u'<ul>\n')
         for entity in self.rset.entities():
             # don't use outofcontext view or any other that may contain inline edition form
-            w(u'<li>%s</li>' % tags.a(entity.view('textoutofcontext'),
-                                      href=entity.absolute_url()))
+            w(u'<li>%s</li>' % tags.a(xml_escape(entity.view('textoutofcontext')),
+                                      href=xml_escape(entity.absolute_url())))
         w(u'</ul>\n')
         w(form.render())