auch ids müssen in der Multibox escaped werden.

[kivitendo-erp.git] / templates / webpages / generic / multibox.html

diff --git a/templates/webpages/generic/multibox.html b/templates/webpages/generic/multibox.html
index 7225b03..ccb87cb 100644 (file)
--- a/templates/webpages/generic/multibox.html
+++ b/templates/webpages/generic/multibox.html
@@ -62,7 +62,7 @@
   <option value=""></option>
   [%- END %]
   [%- FOREACH row = DATA %]
-  <option value="[% row.id %]"[% IF row.selected %] selected[% END %]>[% HTML.escape(row.label) %]</option>
+  <option value="[% row.id | html %]"[% IF row.selected %] selected[% END %]>[% HTML.escape(row.label) %]</option>
   [%- END %]
 </select>
 [%- END %]