properly escape content
authorSylvain Thénault <sylvain.thenault@logilab.fr>
Wed, 07 Sep 2011 10:54:41 +0200
changeset 12 37c203352b77
parent 11 2dd810ae668e
child 13 e955a5264252
properly escape content
views.py
--- a/views.py	Fri Aug 05 18:17:54 2011 +0200
+++ b/views.py	Wed Sep 07 10:54:41 2011 +0200
@@ -1,3 +1,4 @@
+from logilab.mtconverter import xml_escape
 from cubicweb.selectors import is_instance, adaptable
 from cubicweb.view import EntityView
 
@@ -26,6 +27,7 @@
                u'<span class="author">%s</span>'
                u'<span class="msgtxt">%s</span>'
                u'<span class="meta"><a href="%s">%s</a></span>'
-               u'</div>' % (activity.actor, activity.content,
-                            entity.absolute_url(),
+               u'</div>' % (xml_escape(activity.actor),
+                            xml_escape(activity.content),
+                            xml_escape(entity.absolute_url()),
                             self._cw.format_date(activity.date, time=True)))
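Review bot: The fourth value interpolated into the markup, `self._cw.format_date(activity.date, time=True)`, is still passed through unescaped while the three sibling values on the lines above now go through `xml_escape`, so the template has one unescaped slot left. A formatted date is presumably plain text, but the escaping discipline here is per-value and a future change to the formatter or locale strings would not be caught; wrapping it the same way keeps the rule uniform: `xml_escape(self._cw.format_date(activity.date, time=True))`. If the author prefers to leave it as is, a comment such as `# format_date output is locale text, not user input` on that line would record why it is the only exception. The enclosing method and the string that this `%` applies to begin above the hunk, so whether the method has other unescaped interpolations cannot be seen here.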