properly escape content

0bd65152 · Sylvain Thénault · 2dd810ae668e · 37c20335
Commit 0bd65152 authored Sep 07, 2011 by Sylvain Thénault
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 2 deletions

views.py views.py +4 -2

No files found.
--- a/views.py
+++ b/views.py
+from logilab.mtconverter import xml_escape
 from cubicweb.selectors import is_instance, adaptable
 from cubicweb.view import EntityView

@@ -26,6 +27,7 @@ class AStreamItemView(EntityView):
               u'<span class="author">%s</span>'
               u'<span class="msgtxt">%s</span>'
               u'<span class="meta"><a href="%s">%s</a></span>'
-               u'</div>' % (activity.actor, activity.content,
-                            entity.absolute_url(),
+               u'</div>' % (xml_escape(activity.actor),
+                            xml_escape(activity.content),
+                            xml_escape(entity.absolute_url()),
                            self._cw.format_date(activity.date, time=True)))