# HG changeset patch
# User Matt Mackall <mpm@selenic.com>
# Date 2013-10-07 22:21:17
# Node ID 5cbf413ce658d176afbdd7109f499affd6ba2ea6
# Parent  21de61bc2ab59ec6bb1416ed9441b638db6d2c8c

hgweb: escape branch names in graph view

diff --git a/mercurial/hgweb/webcommands.py b/mercurial/hgweb/webcommands.py
--- a/mercurial/hgweb/webcommands.py
+++ b/mercurial/hgweb/webcommands.py
@@ -913,7 +913,7 @@ def graph(web, req, tmpl):
             desc = templatefilters.firstline(ctx.description())
             desc = cgi.escape(templatefilters.nonempty(desc))
             user = cgi.escape(templatefilters.person(ctx.user()))
-            branch = ctx.branch()
+            branch = cgi.escape(ctx.branch())
             try:
                 branchnode = web.repo.branchtip(branch)
             except error.RepoLookupError: