Provisional workaround to sanitize rating comments

sagenb/flask_version/worksheet.py

@@ -1,7 +1,7 @@
 import re
 import os, threading, collections
 from functools import wraps
-from flask import Module, make_response, url_for, render_template, request, session, redirect, g, current_app
+from flask import Module, make_response, url_for, render_template, request, session, redirect, g, current_app, escape
 from decorators import login_required, with_lock
 from collections import defaultdict
 from werkzeug.utils import secure_filename
@@ -920,7 +920,7 @@ def worksheet_rate(worksheet):
         return current_app.message(_("Gees -- You can't fool the rating system that easily!"),
                           url_for_worksheet(worksheet))
 
-    comment = request.values['comment']
+    comment = str(escape(request.values['comment']))
     worksheet.rate(rating, comment, g.username)
     s = _("""
     Thank you for rating the worksheet <b><i>%(worksheet_name)s</i></b>!