From 5efc493542416052c7a338a10b386a3c097bd0a1 Mon Sep 17 00:00:00 2001
From: Emmanuel Viennet <emmanuel.viennet@gmail.com>
Date: Wed, 15 Sep 2021 22:31:16 +0200
Subject: [PATCH] Escape html read-only values

---
 app/scodoc/TrivialFormulator.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/app/scodoc/TrivialFormulator.py b/app/scodoc/TrivialFormulator.py
index ebe5c52a..eacbfd78 100644
--- a/app/scodoc/TrivialFormulator.py
+++ b/app/scodoc/TrivialFormulator.py
@@ -8,6 +8,7 @@
 
    v 1.3 (python3)
 """
+import html
 
 
 def TrivialFormulator(
@@ -722,7 +723,9 @@ var {field}_as = new bsn.AutoSuggest('{field}', {field}_opts);
                     if str(descr["allowed_values"][i]) == str(self.values[field]):
                         R.append('<span class="tf-ro-value">%s</span>' % labels[i])
         elif input_type == "textarea":
-            R.append('<div class="tf-ro-textarea">%s</div>' % self.values[field])
+            R.append(
+                '<div class="tf-ro-textarea">%s</div>' % html.escape(self.values[field])
+            )
         elif input_type == "separator" or input_type == "hidden":
             pass
         elif input_type == "file":