HTML-escape expression in the output (to quote &)

[phdru.name/cgi-bin/blog-ru/search-tags.git] / search-tags.py

diff --git a/search-tags.py b/search-tags.py
index 35fd288773e0b5f34f8ed4ece6a333fa967c4d99..e40f05c0500e5104d88e0948da57a7196ba85dbc 100755 (executable)
--- a/search-tags.py
+++ b/search-tags.py
@@ -3,7 +3,7 @@
 """Search tags CGI"""
 
 __author__ = "Oleg Broytman <phd@phdru.name>"
-__copyright__ = "Copyright (C) 2014 PhiloSoft Design"
+__copyright__ = "Copyright (C) 2014-2016 PhiloSoft Design"
 __license__ = "GNU GPL"
 
 import cgi, sys
@@ -42,14 +42,14 @@ else:
         from tags import find_tags
         posts = find_tags(tree)
         status = None
-        title = "Записи, найденные для выражения " + q
+        title = "Записи, найденные для выражения " + cgi.escape(q)
         if posts:
             _posts = ["""\
 <p class="head">
 <ul>
 """]
-            for year, month, day, suburl, title in posts:
-                _posts.append('<li>%s-%s-%s <a href="../../../../Russian/blog/%s">%s</a></li>\n' % (year, month, day, suburl, title))
+            for year, month, day, suburl, _title in posts:
+                _posts.append('<li>%s-%s-%s <a href="../../../../Russian/blog/%s">%s</a></li>\n' % (year, month, day, suburl, _title))
             _posts .append("""\
 </ul>
 </p>