print '<div class="editor"><form name="editform" method="post" enctype="multipart/form-data" action="%s">' % relative_url(self.page_name)
print '<input type="hidden" name="edit" value="%s">' % (self.page_name)
print '<input type="input" id="editor" name="changelog" value="Edit page %s" accesskey="c" /><br />' % (self.page_name)
- print '<textarea wrap="off" spellcheck="true" id="editor" name="savetext" rows="17" cols="100" accesskey="e">%s</textarea>' % (preview or self.get_raw_body())
+ print '<textarea wrap="off" spellcheck="true" id="editor" name="savetext" rows="17" cols="100" accesskey="e">%s</textarea>' % cgi.escape(preview or self.get_raw_body())
print '<label for="file" accesskey="u">Or Upload a file:</label> <input type="file" name="file" value="%s" />' % file
print """
<br />
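Review bot: The `value="%s"` attributes on the unchanged lines for the hidden `edit` field and the `changelog` field still interpolate `self.page_name` unescaped, as does `file` in the upload input, so the added escaping covers only the textarea body. If page names can contain `"` or `<` (any validation is outside this hunk), those values should be escaped too; because `cgi.escape` leaves double quotes alone by default, the attribute contexts need `cgi.escape(self.page_name, quote=True)`. The default call is sufficient for the textarea, where only `&`, `<` and `>` matter. The enclosing method starts and ends outside the hunk, so whether `cgi` is imported and how `relative_url` encodes the form action cannot be confirmed from here.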