From fe3ce87020ea99aba62d486c0e073ec9f7ecb43b Mon Sep 17 00:00:00 2001
From: Damien Elmes <git@ichi2.net>
Date: Fri, 20 Sep 2013 14:57:05 +0900
Subject: [PATCH] make sure we escape html chars after type ans comp. (#960)

---
 aqt/reviewer.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/aqt/reviewer.py b/aqt/reviewer.py
index e145c0171..430e3dbfe 100644
--- a/aqt/reviewer.py
+++ b/aqt/reviewer.py
@@ -472,11 +472,11 @@ Please run Tools>Empty Cards""")
         "Diff-corrects the typed-in answer."
         givenElems, correctElems = self.tokenizeComparison(given, correct)
         def good(s):
-            return "<span class=typeGood>"+s+"</span>"
+            return "<span class=typeGood>"+cgi.escape(s)+"</span>"
         def bad(s):
-            return "<span class=typeBad>"+s+"</span>"
+            return "<span class=typeBad>"+cgi.escape(s)+"</span>"
         def missed(s):
-            return "<span class=typeMissed>"+s+"</span>"
+            return "<span class=typeMissed>"+cgi.escape(s)+"</span>"
         if given == correct:
             res = good(given)
         else: