details: http://www.bx.psu.edu/hg/galaxy/rev/1a3339f017e9
changeset: 3318:1a3339f017e9
user: James Taylor <james@jamestaylor.org>
date: Wed Feb 03 10:31:26 2010 -0500
description: Escape HTML in history annotation
diffstat:
 lib/galaxy/web/framework/helpers/__init__.py | 2 ++
 templates/root/history.mako | 6 +++++-
 2 files changed, 7 insertions(+), 1 deletions(-)
diffs (28 lines):
diff -r 4a2a488e4fa0 -r 1a3339f017e9 lib/galaxy/web/framework/helpers/__init__.py
--- a/lib/galaxy/web/framework/helpers/__init__.py Wed Feb 03 09:32:37 2010 -0500
+++ b/lib/galaxy/web/framework/helpers/__init__.py Wed Feb 03 10:31:26 2010 -0500
@@ -7,6 +7,8 @@
 from galaxy.util import hash_util
 from datetime import datetime, timedelta
+from cgi import escape
+
 # If the date is more than one week ago, then display the actual date instead of in words
 def time_ago( x ):
     delta = timedelta(weeks=1)
diff -r 4a2a488e4fa0 -r 1a3339f017e9 templates/root/history.mako
--- a/templates/root/history.mako Wed Feb 03 09:32:37 2010 -0500
+++ b/templates/root/history.mako Wed Feb 03 10:31:26 2010 -0500
@@ -310,7 +310,11 @@
 <div id="history-annotation-area" class="form-row">
 <label>Annotation / Notes:</label>
 <div style="float: right"><a id="history-annotate" title="Annotate" class="icon-button edit" target="galaxy_main" href="${h.url_for( controller='history', action='annotate_async' )}"></a></div>
-<div id="history-annotation">${annotation}</div>
+%if annotation:
+<div id="history-annotation">${h.escape(annotation)}</div>
+%else:
+<div id="history-annotation"></div>
+%endif
 <div style="clear: both"></div>
 </div>
 </div>
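Review bot: The `escape` imported here is `cgi.escape`, which by default (`quote=False`) rewrites only `&`, `<` and `>` and leaves `"` untouched, so a value passed through `h.escape` is safe as element text but not inside an attribute value; because the helper is published module-wide under a generic name, a wrapper that forces quoting would be safer: `from cgi import escape as cgi_escape` and `def escape( s ): return cgi_escape( s, quote=True )`. A short comment at the import would also help the next template author: `# escape: HTML-escape untrusted text; default cgi.escape does not quote '"', so not for attribute values`. The time_ago function whose header closes the hunk continues outside it.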
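Review bot: The `%if`/`%else` pair duplicates the `history-annotation` div only to avoid calling `h.escape` on an empty or absent annotation; `<div id="history-annotation">${h.escape(annotation or '')}</div>` keeps the guard in a single line. Using `h.escape` here is appropriate because the value lands in element text, where the unquoted form of `cgi.escape` is sufficient. Whether the annotation is rendered anywhere else (other templates or async responses) is not visible in this hunk; any such location presumably needs the same treatment. The annotation area's enclosing markup starts before and ends after the hunk.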