# HG changeset patch
# User souliane
# Date 1393164042 -3600
# Node ID 97c5a9092bee90f3bc25aee100270d79fb675c5e
# Parent 764c32ecb754e0d29236c977248d98fda727cda0
browser_side: escape the microblog titles when they are displayed

diff -r 764c32ecb754 -r 97c5a9092bee browser_side/richtext.py
--- a/browser_side/richtext.py	Sat Feb 22 08:25:42 2014 +0100
+++ b/browser_side/richtext.py	Sun Feb 23 15:00:42 2014 +0100
@@ -33,6 +33,7 @@
 from dialog import ConfirmDialog, InfoDialog
 from base_panels import TitlePanel, BaseTextEditor, LightTextEditor
 from list_manager import ListManager
+from tools import html_sanitize
 import panels
 from sat_frontends.tools import composition
@@ -313,7 +314,7 @@
         # set the display text in XHTML only during init because a new MicroblogEntry instance is created after each modification
         text = content['text']
         if 'title' in content and content['title']:
-            text = '

%s

%s' % (content['title'], content['text'])
+            text = '

%s

%s' % (html_sanitize(content['title']), content['text'])
         self.display.setContent({'text': text})
         self.display.edit(False)
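Review bot: Only the title is passed through html_sanitize on the new line; content['text'] is still interpolated into the same string verbatim, and the comment above says the result is set as XHTML, so any markup in that field is rendered as-is. If the text field is also user- or peer-supplied it needs the same treatment or a validated XHTML whitelist upstream — this hunk does not show where content comes from, so that needs confirming. The escaping semantics of html_sanitize (imported from tools in the first hunk) are not visible here either; confirm it escapes at least `&`, `<` and `>` so a title cannot introduce elements into the display. A short comment would make the intent clear, e.g. `# title is plain text and must be escaped; 'text' is expected to be XHTML already and is inserted as-is`. The enclosing method starts and ends outside the hunk.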