# HG changeset patch
# Parent cbe8c9fe5e1869a558953d3936eae18d71dd254d
# User Thomas Arendsen Hein <thomas@intevation.de>
# Date 1290098615 -3600
Properly escape username in history display.

diff -r cbe8c9fe5e18 roundup/cgi/templating.py
--- a/roundup/cgi/templating.py	Tue Nov 09 15:06:14 2010 +0000
+++ b/roundup/cgi/templating.py	Thu Nov 18 17:43:35 2010 +0100
@@ -1140,7 +1140,7 @@
             if dre.match(user):
                 user = self._db.user.get(user, 'username')
             l.append('<tr><td>%s</td><td>%s</td><td>%s</td><td>%s</td></tr>'%(
-                date_s, user, self._(action), arg_s))
+                date_s, cgi.escape(user), self._(action), arg_s))
         if comments:
             l.append(self._(
                 '<tr><td colspan=4><strong>Note:</strong></td></tr>'))