# HG changeset patch
# Parent cbe8c9fe5e1869a558953d3936eae18d71dd254d
# User Thomas Arendsen Hein
# Date 1290098615 -3600
Properly escape username in history display.
diff -r cbe8c9fe5e18 roundup/cgi/templating.py
--- a/roundup/cgi/templating.py Tue Nov 09 15:06:14 2010 +0000
+++ b/roundup/cgi/templating.py Thu Nov 18 17:43:35 2010 +0100
@@ -1140,7 +1140,7 @@
 if dre.match(user):
 user = self._db.user.get(user, 'username')
 l.append('%s%s%s%s'%(
- date_s, user, self._(action), arg_s))
+ date_s, cgi.escape(user), self._(action), arg_s))
 if comments:
 l.append(self._(
 'Note:'))
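Review bot: `cgi.escape(user)` on the added line escapes only `&`, `<` and `>`; double quotes pass through unless `quote=True` is given, so the call is sufficient only while the username lands in element content and never inside an attribute value. The format string is not fully visible on this page, so if any slot of it sits inside an attribute, the call should be `cgi.escape(user, quote=True)`. The same `l.append` also interpolates `arg_s`, which is built outside this hunk, and it is worth confirming that every user-derived piece of it is escaped where it is assembled. A short comment above the call, such as `# username is user-controlled; escape before it reaches the history HTML`, would record why the escape is there. The enclosing method starts and ends outside the hunk.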