From 1650d6a9211e7e2fa8f8e02b953401989f1fe0ca Mon Sep 17 00:00:00 2001
From: Deon George
Date: Sun, 2 Apr 2023 00:25:47 +1100
Subject: [PATCH] Another fix for CVE-2020-35132 - closes #137, missed from #130
---
 lib/PageRender.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/PageRender.php b/lib/PageRender.php
index 2527b12..971dc51 100644
--- a/lib/PageRender.php
+++ b/lib/PageRender.php
@@ -556,7 +556,7 @@ class PageRender extends Visitor {
 final protected function drawOldValueAttribute($attribute,$i) {
 if (DEBUGTMP) printf('%s
',__METHOD__);
- echo $attribute->getOldValue($i);
+ echo htmlspecialchars($attribute->getOldValue($i));
 }
 /** DRAW DISPLAYED CURRENT VALUES **/
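Review bot: The added `htmlspecialchars()` call in drawOldValueAttribute relies on PHP's default flags, which differ across versions: before PHP 8.1 the default is `ENT_COMPAT`, so single quotes are left unencoded, and a value containing invalid UTF-8 makes the function return an empty string. Since the old value is presumably directory data that another party can set, I would pin the behaviour with `echo htmlspecialchars($attribute->getOldValue($i), ENT_QUOTES | ENT_SUBSTITUTE);` so the encoding is the same on every supported runtime. The subject line says this sink was missed from #130, so the other draw* methods of PageRender that echo attribute values deserve the same check. They lie outside this hunk, so I cannot confirm their state from here.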