# HG changeset patch
# User Matt Mackall <mpm@selenic.com>
# Date 2013-10-09 19:02:32
# Node ID 904061628dc42c88c1c3617a884ae23b7ace5dfd
# Parent  55c763926a28982ce0003078fb38c6db58bca8aa

hgweb: add escaping of tags and bookmarks in graph view

diff --git a/mercurial/hgweb/webcommands.py b/mercurial/hgweb/webcommands.py
--- a/mercurial/hgweb/webcommands.py
+++ b/mercurial/hgweb/webcommands.py
@@ -922,7 +922,8 @@ def graph(web, req, tmpl):
 
             if usetuples:
                 data.append((node, vtx, edges, desc, user, age, branch,
-                             ctx.tags(), ctx.bookmarks()))
+                             [cgi.escape(x) for x in ctx.tags()],
+                             [cgi.escape(x) for x in ctx.bookmarks()]))
             else:
                 edgedata = [dict(col=edge[0], nextcol=edge[1],
                                  color=(edge[2] - 1) % 6 + 1,