From 95898de070dc113d39c28443109348006c5fb8cb Mon Sep 17 00:00:00 2001
From: Henrik Levkowetz <henrik@levkowetz.com>
Date: Wed, 8 Jun 2011 19:25:34 +0000
Subject: [PATCH] Since we're marking the two-page extract as safe, we need to
 escape html-significant characters in the draft text explicitly.  -
 Legacy-Id: 3172

---
 ietf/submit/templatetags/submit_tags.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/ietf/submit/templatetags/submit_tags.py b/ietf/submit/templatetags/submit_tags.py
index e6d004661..9f8314976 100644
--- a/ietf/submit/templatetags/submit_tags.py
+++ b/ietf/submit/templatetags/submit_tags.py
@@ -2,7 +2,7 @@ import os
 
 from django import template
 from django.conf import settings
-from django.utils.html import mark_safe
+from django.utils.html import mark_safe, escape
 
 register = template.Library()
 
@@ -25,15 +25,15 @@ def show_two_pages(context, two_pages, validation):
 def two_pages_decorated_with_validation(value, validation):
     pages = value.first_two_pages or ''
     if not 'revision' in validation.warnings.keys():
-        return mark_safe('<pre class="twopages" style="display: none;">%s</pre>' % pages)
+        return mark_safe('<pre class="twopages" style="display: none;">%s</pre>' % escape(pages))
     result = '<pre class="twopages" style="display: none;">\n'
     for line in pages.split('\n'):
         if line.find('%s-%s' % (value.filename, value.revision)) > -1:
             result += '</pre><pre class="twopages" style="display: none; background: red;">'
-            result += line
+            result += escape(line)
             result += '\n'
             result += '</pre><pre class="twopages" style="display: none;">\n'
         else:
-            result += line
+            result += escape(line)
             result += '\n'
     return mark_safe(result)