From e9354cd049975d93e91a2b36f5e2e45c3b52ad5a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20P=C3=A9ters?=
Date: Thu, 16 Jul 2015 11:49:00 +0200
Subject: [PATCH] template: escape substitution variables (#7860)

---
 wcs/qommon/template.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/wcs/qommon/template.py b/wcs/qommon/template.py
index f4087f9..df3748a 100644
--- a/wcs/qommon/template.py
+++ b/wcs/qommon/template.py
@@ -15,6 +15,7 @@
 # along with this program; if not, see .
 
 from cStringIO import StringIO
+import cgi
 import os
 import glob
 import xml.etree.ElementTree as ET
@@ -438,7 +439,11 @@ def decorate(body, response):
         breadcrumb = ' > '.join(s)
 
     vars = response.filter.copy()
-    vars.update(get_publisher().substitutions.get_context_variables())
+    for var_key, var_value in get_publisher().substitutions.get_context_variables().items():
+        if isinstance(var_value, basestring):
+            vars[var_key] = cgi.escape(var_value)
+        else:
+            vars[var_key] = var_value
     vars.update(locals())
     fd = StringIO()
     template.generate(fd, vars)
-- 
2.1.4
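Review bot: The new `vars[var_key] = cgi.escape(var_value)` line in the decorate() hunk calls cgi.escape() without `quote=True`, so a double quote in a substitution value is left as-is and a value that a template places inside an HTML attribute can still terminate that attribute; it should read `vars[var_key] = cgi.escape(var_value, quote=True)`. Even with quote=True, cgi.escape() does not touch single quotes, so this only holds for double-quoted attributes in the templates, which I cannot see from here. The loop also escapes every string value unconditionally, so any context variable that is deliberately HTML will now be double-escaped; a comment such as `# context variables are treated as plain text and HTML-escaped; the template must not expect markup in them` would make that contract explicit. cgi.escape() is deprecated from Python 3.2 and removed in 3.8 (html.escape replaces it); that is consistent with this Python 2 code base (cStringIO, basestring) but worth noting in the same comment. decorate() starts and ends outside the hunk.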