From 592ec0178d25767859523c1ac221c6f3cb303875 Mon Sep 17 00:00:00 2001
From: Jeff Hemphill <jthemphill@gmail.com>
Date: Wed, 16 Oct 2013 20:55:41 -0700
Subject: Add HTML escaping to views.py

At least it's less obviously dangerous this way.
---
 docs/tutorials/wiki2/src/views/tutorial/views.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

(limited to 'docs/tutorials')

diff --git a/docs/tutorials/wiki2/src/views/tutorial/views.py b/docs/tutorials/wiki2/src/views/tutorial/views.py
index 5a9c75a61..d54b2a7aa 100644
--- a/docs/tutorials/wiki2/src/views/tutorial/views.py
+++ b/docs/tutorials/wiki2/src/views/tutorial/views.py
@@ -1,3 +1,4 @@
+import cgi
 import re
 from docutils.core import publish_parts
 
@@ -32,10 +33,10 @@ def view_page(request):
         exists = DBSession.query(Page).filter_by(name=word).all()
         if exists:
             view_url = request.route_url('view_page', pagename=word)
-            return '<a href="%s">%s</a>' % (view_url, word)
+            return '<a href="%s">%s</a>' % (view_url, cgi.escape(word))
         else:
             add_url = request.route_url('add_page', pagename=word)
-            return '<a href="%s">%s</a>' % (add_url, word)
+            return '<a href="%s">%s</a>' % (add_url, cgi.escape(word))
 
     content = publish_parts(page.data, writer_name='html')['html_body']
     content = wikiwords.sub(check, content)
-- 
cgit v1.2.3