--- loncom/interface/Attic/lonspreadsheet.pm	2002/12/02 16:39:30	1.151
+++ loncom/interface/Attic/lonspreadsheet.pm	2002/12/02 21:22:39	1.152
@@ -1,5 +1,5 @@
 #
-# $Id: lonspreadsheet.pm,v 1.151 2002/12/02 16:39:30 matthew Exp $
+# $Id: lonspreadsheet.pm,v 1.152 2002/12/02 21:22:39 matthew Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -62,6 +62,7 @@ use Safe;
 use Safe::Hole;
 use Opcode;
 use GDBM_File;
+use HTML::Entities();
 use HTML::TokeParser;
 use Spreadsheet::WriteExcel;
 
@@ -1247,27 +1248,28 @@ sub html_editable_cell {
         if ($formula ne '') {
             $value = '<i>undefined value</i>';
         }
-    }
-    if ($value =~ /^\s*$/ ) {
+    } elsif ($value =~ /^\s*$/ ) {
         $value = '<font color="'.$bgcolor.'">#</font>';
+    } else {
+        $value = &HTML::Entities::encode($value);
     }
-    &Apache::lonnet::logthis($name.' formula = '.$formula) if ($formula);
-    $formula =~ s/</\&lt;/g;
-    $formula =~ s/>/\&gt;/g;
-    $formula =~ s/\&/\&amp;/g;
-    $formula =~ s/\"/\&quot;/g;
-    $formula =~ s/\'/\&quot;/g;
+    # Make the formula safe for outputting
+    $formula =~ s/\'/\"/g;
+    # The formula will be parsed by the browser *twice* before being 
+    # displayed to the user for editing.
+    $formula = &HTML::Entities::encode(&HTML::Entities::encode($formula));
+    # Escape newlines so they make it into the edit window
     $formula =~ s/\n/\\n/gs;
-    &Apache::lonnet::logthis($name.' formula = '.$formula) if ($formula);
+    # Glue everything together
     $result .= "<a href=\"javascript:celledit(\'".
         $name."','".$formula."');\">".$value."</a>";
-    &Apache::lonnet::logthis('result = '.$result) if ($formula);
     return $result;
 }
 
 sub html_uneditable_cell {
     my ($cell,$bgcolor) = @_;
     my $value = (defined($cell) ? $cell->{'value'} : '');
+    $value = &HTML::Entities::encode($value);
     return '&nbsp;'.$value.'&nbsp;';
 }
 
@@ -1336,7 +1338,7 @@ END
     ####################################
     # Print out summary/export row
     ####################################
-    my ($rowlabel,@rowdata) = &get_row($sheet,'0');
+    ($rowlabel,@rowdata) = &get_row($sheet,'0');
     $row_html = '<tr><td>'.&format_html_rowlabel($sheet,$rowlabel).'</td>';
     $num_cols_output = 0;
     foreach my $cell (@rowdata) {
@@ -3085,8 +3087,9 @@ ENDSCRIPT
     if ($ENV{'form.unewfield'}) {
         $r->print('<h2>Modified Workcopy</h2>');
         $ENV{'form.unewformula'}=~s/\'/\"/g;
-        $r->print('<p>New formula: '.$ENV{'form.unewfield'}.'='.
-                  $ENV{'form.unewformula'}.'<p>');
+        $r->print('<p>Cell '.$ENV{'form.unewfield'}.' = <pre>');
+        $r->print(&HTML::Entities::encode($ENV{'form.unewformula'}).
+                  '</pre></p>');
         $sheet->{'filename'} = $ENV{'form.ufn'};
         &tmpread($sheet,$ENV{'form.unewfield'},$ENV{'form.unewformula'});
     } elsif ($ENV{'form.saveas'}) {