diff --git a/ddportfolioservice/lib/helpers.py b/ddportfolioservice/lib/helpers.py
index 79d12f4..bf113c2 100644
--- a/ddportfolioservice/lib/helpers.py
+++ b/ddportfolioservice/lib/helpers.py
@@ -27,6 +27,7 @@ available to Controllers. This module is available to both as 'h'.
"""
from webhelpers import *
from webhelpers.html.tags import *
+from webhelpers.html.builder import escape
from webhelpers.text import *
from webhelpers.textile import *
from routes.util import *
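Review bot: The explicit `from webhelpers.html.builder import escape` is placed between wildcard imports, so any name `escape` exported by the later `from webhelpers.text import *`, `from webhelpers.textile import *` or `from routes.util import *` would silently rebind `h.escape`, and showform.mako now routes every echoed request parameter through that name. Moving the line below the last `import *` makes the binding deterministic regardless of what those modules export, and a one-line comment such as `# imported by name: templates escape untrusted request params via h.escape` records why it is not left to the wildcard. The showform.mako hunk on this page passes a second positional argument (`True`) only for the email field; if that is the builder's force flag, the remaining fields are escaped under a different rule, which looks unintentional and is worth confirming.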
diff --git a/ddportfolioservice/templates/showform.mako b/ddportfolioservice/templates/showform.mako
index a520ae1..0458394 100644
--- a/ddportfolioservice/templates/showform.mako
+++ b/ddportfolioservice/templates/showform.mako
@@ -36,10 +36,11 @@ ${h.form(h.url_for(action='urllist'), method='get')}
- ${h.text('email', request.params.get('email', None), id='email')}
+ ${h.text('email',
+ h.escape(request.params.get('email', None), True), id='email')}
${_('Name:')}
% if 'name' in c.messages['errors']:
- ${c.messages['errors']['name']}
+ ${c.messages['errors']['name'] | h}
% endif
- ${h.text('name', request.params.get('name', None), id='name')}
+ ${h.text('name',
+ h.escape(request.params.get('name', None)), id='name')}
- ${h.text('gpgfp', request.params.get('gpgfp', None),
- id='gpgfp', readonly='readonly')}
+ ${h.text('gpgfp',
+ h.escape(request.params.get('gpgfp', None)),
+ id='gpgfp', readonly='readonly')}
${_('Debian user name:')}
% if 'username' in c.messages['errors']:
- ${c.messages['errors']['username']}
+ ${c.messages['errors']['username'] | h}
% endif
- ${h.text('username', request.params.get('username', None),
- id='username')}
+ ${h.text('username',
+ h.escape(request.params.get('username', None)),
+ id='username')}
-
${c.messages['errors']['aliothusername']}
+ class="errormsg">${c.messages['errors']['aliothusername'] | h}
% endif
- ${h.text('aliothusername', request.params.get('username', None),
- id='aliothusername')}
+ ${h.text('aliothusername',
+ h.escape(request.params.get('username', None)),
+ id='aliothusername')}
${_('Output format:')}
% if 'mode' in c.messages['errors']:
- ${c.messages['errors']['mode']}
+ ${c.messages['errors']['mode'] | h}
% endif
${_('HTML')} ${h.radio('mode', 'html',