- LP #491224: proper escaping of rendered error message

doc/CHANGES.txt

@@ -8,6 +8,8 @@ Zope Changes
 
     Bugs Fixed
 
+      - LP #491224: proper escaping of rendered error message
+
       - Also look for ZEXP imports within the clienthome directory. This
         provides a place to put imports that won't be clobbered by buildout
         in a buildout-based Zope instance.

lib/python/OFS/SimpleItem.py

@@ -36,6 +36,7 @@ from DocumentTemplate.html_quote import html_quote
 from DocumentTemplate.ustr import ustr
 from ExtensionClass import Base
 from webdav.Resource import Resource
+from webdav.xmltools import escape as xml_escape
 from zExceptions import Redirect
 from zExceptions.ExceptionFormatter import format_exception
 from zope.interface import implements
@@ -243,6 +244,7 @@ class Item(Base, Resource, CopySource, App.Management.Tabs, Traversable,
                      "event log for full details: %s)")%(
                     html_quote(sys.exc_info()[1]),
                     ))
+            v = xml_escape(v)
             raise error_type, v, tb
         finally:
             if hasattr(self, '_v_eek'): del self._v_eek