missing xml escapes (but textoutofcontext probably ought to be just outofcontext, with no escaping then)
--- a/web/views/editforms.py Tue Jan 12 17:24:46 2010 +0100
+++ b/web/views/editforms.py Wed Jan 13 18:04:29 2010 +0100
@@ -91,8 +91,8 @@
w(u'<ul>\n')
for entity in self.rset.entities():
# don't use outofcontext view or any other that may contain inline edition form
- w(u'<li>%s</li>' % tags.a(entity.view('textoutofcontext'),
- href=entity.absolute_url()))
+ w(u'<li>%s</li>' % tags.a(xml_escape(entity.view('textoutofcontext')),
+ href=xml_escape(entity.absolute_url())))
w(u'</ul>\n')
w(form.render())
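Review bot: The escaping on the two added lines happens at the call site, and the hunk does not show whether `tags.a` escapes its content or attribute values itself. If it does escape attributes, the `href` would be escaped twice and any URL containing `&` would come out as `&amp;amp;`, so confirm that helper's contract. A short comment above the call would record the reason for the escape, for example `# textoutofcontext yields plain text: escape it (and the URL) before embedding in markup`. No import of `xml_escape` is visible in this hunk, so check that it is in scope in `editforms.py`. The enclosing method starts and ends outside the hunk.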