properly escape content

views.py

+from logilab.mtconverter import xml_escape
 from cubicweb.selectors import is_instance, adaptable
 from cubicweb.view import EntityView
 
@@ -26,6 +27,7 @@ class AStreamItemView(EntityView):
                u'<span class="author">%s</span>'
                u'<span class="msgtxt">%s</span>'
                u'<span class="meta"><a href="%s">%s</a></span>'
-               u'</div>' % (activity.actor, activity.content,
-                            entity.absolute_url(),
+               u'</div>' % (xml_escape(activity.actor),
+                            xml_escape(activity.content),
+                            xml_escape(entity.absolute_url()),
                             self._cw.format_date(activity.date, time=True)))