From b6192f3ac3d2c7bae6f3a7571399567bbd18f3ff Mon Sep 17 00:00:00 2001
From: "martin@piware.de" <>
Date: Thu, 26 Nov 2009 08:31:57 +0100
Subject: [PATCH] workitems: HTML-escape text fields

---
 workitems.py | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/workitems.py b/workitems.py
index aa21e65..6e5777d 100755
--- a/workitems.py
+++ b/workitems.py
@@ -2,6 +2,7 @@
 
 import urllib, re, sys, optparse, os.path, datetime
 import sqlite3 as dbapi2
+from xml.sax.saxutils import escape
 
 blueprints_base_url = 'https://blueprints.launchpad.net'
 
@@ -439,11 +440,11 @@ def html(db):
         if bp.startswith('http:'):
             url = bp
         else:
-            url = '%s/ubuntu/+spec/%s' % (blueprints_base_url, bp)
+            url = '%s/ubuntu/+spec/%s' % (blueprints_base_url, escape(bp))
         print '  <tr><td><a href="%s">%s</a></td> <td>%i/%i/%i</td> <td>%i%%</td> <td>%s</td></tr>' % (
-                url, bp, data[bp][0], data[bp][2],
+                url, escape(bp), data[bp][0], data[bp][2],
                 data[bp][1], percent,
-                data[bp][-1])
+                escape(data[bp][-1]))
 
     print '</table>'
 
@@ -464,7 +465,7 @@ def html(db):
     for (a, percent) in completion:
         url = '%s/~%s/+specs?role=assignee' % (blueprints_base_url, a)
         print '  <tr><td><a href="%s">%s</a></td> <td>%i/%i/%i</td> <td>%i%%</td></tr>' % (
-                url, a, data[a][0], data[a][2],
+                url, escape(a), data[a][0], data[a][2],
                 data[a][1], percent)
     print '</table>'
 
-- 
2.39.5