Escape html read-only values

app/scodoc/TrivialFormulator.py

@@ -8,6 +8,7 @@
 
    v 1.3 (python3)
 """
+import html
 
 
 def TrivialFormulator(
@@ -722,7 +723,9 @@ var {field}_as = new bsn.AutoSuggest('{field}', {field}_opts);
                     if str(descr["allowed_values"][i]) == str(self.values[field]):
                         R.append('<span class="tf-ro-value">%s</span>' % labels[i])
         elif input_type == "textarea":
-            R.append('<div class="tf-ro-textarea">%s</div>' % self.values[field])
+            R.append(
+                '<div class="tf-ro-textarea">%s</div>' % html.escape(self.values[field])
+            )
         elif input_type == "separator" or input_type == "hidden":
             pass
         elif input_type == "file":