From b77cd8224fa590d3e4b7433b77b05573a0507696 Mon Sep 17 00:00:00 2001 From: Julio Biason Date: Sun, 3 Jan 2010 11:40:08 -0200 Subject: [PATCH] html escape every string now; fixes #159 --- mitterlib/ui/ui_pygtk.py | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/mitterlib/ui/ui_pygtk.py b/mitterlib/ui/ui_pygtk.py index c7fff3e..aaf64c6 100644 --- a/mitterlib/ui/ui_pygtk.py +++ b/mitterlib/ui/ui_pygtk.py @@ -576,14 +576,12 @@ class Interface(object): processing.""" data = store.get_value(position, 0) - - message = data.message - username = data.username - time = timesince.timesince(data.message_time) # unescape escaped entities that pango is not okay with - message = html_escape(message) + message = html_escape(data.message) + username = html_escape(data.username) + full_name = html_escape(data.name) # highlight URLs mask = r'\1' % ( @@ -612,7 +610,7 @@ class Interface(object): else: reposted_message = '' - markup = MESSAGE_FORMAT % (favourite, data.name, username, + markup = MESSAGE_FORMAT % (favourite, full_name, username, reposted_message, read_status, message, time) cell.set_property('markup', markup)
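Review bot: The markup tuple in the second hunk still interpolates `reposted_message` (along with `favourite`, `read_status` and `time`) into `MESSAGE_FORMAT` with no escaping visible in this diff, so the "every string" in the subject only holds if those values never carry remote text. `reposted_message` is built in a branch that lies outside both hunks; if it formats a reposter name taken from `data`, that name should go through `html_escape(...)` where it is formatted, otherwise a `<` or `&` in it will still be interpreted as Pango markup when `cell.set_property('markup', markup)` runs. The context comment above the new `html_escape` calls still says "unescape", the opposite of what the code does; I would change it to `# escape characters that Pango markup would otherwise interpret`. The enclosing method starts before and continues after the lines shown here.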