From cd9cb4ad29f144edef0e6fe40a41b53eef5dbfb6 Mon Sep 17 00:00:00 2001
From: Henrik Levkowetz
Date: Sat, 25 Feb 2017 16:37:15 +0000
Subject: [PATCH] Fixed an issue which left html meta-characters unescaped in release-notes shown under /release/ - Legacy-Id: 12919
---
 ietf/release/views.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/ietf/release/views.py b/ietf/release/views.py
index 6aaf21ab4..ec6c32bd4 100644
--- a/ietf/release/views.py
+++ b/ietf/release/views.py
@@ -7,8 +7,10 @@ import gzip
 from django.shortcuts import render
 from django.conf import settings
 from django.http import HttpResponse
+from django.utils.html import escape
 import changelog
+import debug # pyflakes:ignore
 # workaround for thread import lock problem, http://bugs.python.org/issue7980
 import time
@@ -18,7 +20,7 @@ def trac_links(text):
     # changeset links
     text = re.sub(r'\[(\d+)\]', r'[\1]', text)
     # issue links
-    text = re.sub(r'#(\d+)', r'#\1', text)
+    text = re.sub(r'([^&])#(\d+)', r'\1#\2', text)
     return text
@@ -37,7 +39,7 @@ def release(request, version=None):
     entries = dict((entry.version, entry) for entry in log_entries)
     if version == None or version not in entries:
         version = log_entries[0].version
-    entries[version].logentry = trac_links(entries[version].logentry.strip('\n'))
+    entries[version].logentry = trac_links(escape(entries[version].logentry.strip('\n')))
     code_coverage_url = None
     code_coverage_time = None
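Review bot: `import debug # pyflakes:ignore` is added to the import block but nothing else in this patch references the name, and the pyflakes suppression only hides that from the linter. If the module is not imported for its side effects (which cannot be told from here), the line looks like a leftover from debugging and should be dropped; otherwise a comment stating why it must stay, `# imported for side effects: <reason>`, would save the next reader the same question. The `from django.utils.html import escape` addition is what the fix actually needs.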
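Review bot: `([^&])#(\d+)` no longer matches an issue reference at the very start of the text, because the new pattern must consume one preceding character; a log entry that begins with `#1234` silently loses its link, which the original `#(\d+)` handled. A zero-width negative lookbehind keeps the original single capture group and the start-of-string behaviour while still skipping `&#...`: `text = re.sub(r'(?<!&)#(\d+)', r'#\1', text)`. The `[^&]` guard is presumably there so that the numeric character references (`&#NN;`) which `escape()` now emits before this call in release() are not turned into issue links; a short comment saying so would make the intent survive the next edit, e.g. `# skip the '#' inside &#NN; entities produced by escape()`. The `def trac_links(text):` signature is outside the hunk.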