--- loncom/interface/loncommon.pm	2014/01/03 18:42:21	1.1170
+++ loncom/interface/loncommon.pm	2014/01/21 14:38:51	1.1171
@@ -1,7 +1,7 @@
 # The LearningOnline Network with CAPA
 # a pile of common routines
 #
-# $Id: loncommon.pm,v 1.1170 2014/01/03 18:42:21 raeburn Exp $
+# $Id: loncommon.pm,v 1.1171 2014/01/21 14:38:51 kruse Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -3846,7 +3846,7 @@ sub get_previous_attempt {
                         if (($data eq 'award') || ($data eq 'awarddetail')) {
                             my $value = &format_previous_attempt_value($key,
                                              $returnhash{$version.':'.$key});
-                            $prevattempts.='<td>'.$value.'&nbsp;</td>';
+                            $prevattempts.='<td>'.&HTML::Entities::encode($value, '"<>&').'&nbsp;</td>';
                         } else {
                             $prevattempts.='<td>&nbsp;</td>';
                         }
@@ -3854,7 +3854,7 @@ sub get_previous_attempt {
                         if ($key =~ /\./) {
                             my $value = &format_previous_attempt_value($key,
                                               $returnhash{$version.':'.$key});
-                            $prevattempts.='<td>'.$value.'&nbsp;</td>';
+                            $prevattempts.='<td>'.&HTML::Entities::encode($value, '"<>&').'&nbsp;</td>';
                         } else {
                             $prevattempts.='<td>&nbsp;</td>';
                         }
@@ -3865,7 +3865,7 @@ sub get_previous_attempt {
                     next if ($key =~ /\.foilorder$/);
 		    my $value = &format_previous_attempt_value($key,
 			            $returnhash{$version.':'.$key});
-		    $prevattempts.='<td>'.$value.'&nbsp;</td>';
+		    $prevattempts.='<td>'.&HTML::Entities::encode($value, '"<>&').'&nbsp;</td>';
 	        }
             }
 	    $prevattempts.=&end_data_table_row();
@@ -3890,7 +3890,7 @@ sub get_previous_attempt {
                       if ($key =~/$regexp$/ && (defined &$gradesub)) {
                           $value = &$gradesub($value);
                       }
-                      $prevattempts.='<td>'.$value.'&nbsp;</td>';
+                      $prevattempts.='<td>'. &HTML::Entities::encode($value, '"<>&').'&nbsp;</td>';
                   } else {
                       $prevattempts.='<td>&nbsp;</td>';
                   }
@@ -3899,14 +3899,14 @@ sub get_previous_attempt {
                   if ($key =~/$regexp$/ && (defined &$gradesub)) {
                       $value = &$gradesub($value);
                   }
-                  $prevattempts.='<td>'.$value.'&nbsp;</td>';
+                  $prevattempts.='<td>'.&HTML::Entities::encode($value, '"<>&').'&nbsp;</td>';
               }
           } else {
 	      my $value = &format_previous_attempt_value($key,$lasthash{$key});
 	      if ($key =~/$regexp$/ && (defined &$gradesub)) {
                   $value = &$gradesub($value);
               }
-	      $prevattempts.='<td>'.$value.'&nbsp;</td>';
+	      $prevattempts.='<td>'.&HTML::Entities::encode($value, '"<>&').'&nbsp;</td>';
           }
       }
       $prevattempts.= &end_data_table_row().&end_data_table();