From f6461d531c2f68b1489d111aee860c6bcea4b851 Mon Sep 17 00:00:00 2001
From: Henrik Levkowetz
Date: Mon, 4 Mar 2019 20:10:16 +0000
Subject: [PATCH] Added html escaping of initial text-area content in a view function to avoid mangling.
 - Legacy-Id: 15989
---
 ietf/ipr/views.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/ietf/ipr/views.py b/ietf/ipr/views.py
index 6be8ee068..c5d9614df 100644
--- a/ietf/ipr/views.py
+++ b/ietf/ipr/views.py
@@ -12,6 +12,7 @@ from django.forms.formsets import formset_factory
 from django.http import HttpResponse, Http404, HttpResponseRedirect
 from django.shortcuts import render, get_object_or_404, redirect
 from django.template.loader import render_to_string
+from django.utils.html import escape
 
 import debug # pyflakes:ignore
 
@@ -591,9 +592,9 @@ def notify(request, id, type):
 else:
 if type == 'update':
- initial = [ {'type':'update_notify','text':m} for m in get_update_submitter_emails(ipr) ]
+ initial = [ {'type':'update_notify','text':escape(m)} for m in get_update_submitter_emails(ipr) ]
 else:
- initial = [ {'type':'msgout','text':m} for m in get_posted_emails(ipr) ]
+ initial = [ {'type':'msgout','text':escape(m)} for m in get_posted_emails(ipr) ]
 formset = NotifyFormset(initial=initial)
 return render(request, "ipr/notify.html", {