From ab7e53fb6f0c7f5b08bc1d1cbf745311971b185c Mon Sep 17 00:00:00 2001
From: marcokernler
Date: Tue, 20 Dec 2011 22:17:23 +0100
Subject: [PATCH] MINOR - Added escaping for values passed by url params
---
 code/UserDefinedForm.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/code/UserDefinedForm.php b/code/UserDefinedForm.php
index 690b90f..11bfa73 100755
--- a/code/UserDefinedForm.php
+++ b/code/UserDefinedForm.php
@@ -407,7 +407,7 @@ class UserDefinedForm_Controller extends Page_Controller {
 // set the values passed by the url to the field
 $request = $this->getRequest();
- $value = $request->getVar($field->name);
+ $value = Convert::raw2att($request->getVar($field->name));
 if(isset($value)) $field->value = $value;
 $fields->push($field);
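Review bot: Wrapping the `getVar()` result before the `isset($value)` test probably defeats that test: if `Convert::raw2att()` turns a missing (null) parameter into an empty string, which the hunk does not show, every field would have its value overwritten with `''` even when the URL carries no parameter for it. Keeping the null check on the raw value and escaping only on assignment avoids this: `$value = $request->getVar($field->name);` followed by `if(isset($value)) $field->value = Convert::raw2att($value);`. It is also worth confirming that the field's template does not escape `value` again on render, since storing an attribute-escaped string here would then show `&amp;`-style entities to the user and submit them back with the form; escaping at output is the more robust place for it. The enclosing method starts and ends outside this hunk.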