Different approach to fix XSS in issue2550817 Encapsulate the error/ok message append method as add_ok_message and add_error_message. The new approach escapes the messages when appending -- at a point in the code where we still know where the message comes from. Escaping is the default but can bei turned off. This also fixes issue2550836 where certain messages may contain links. Another advantage of the new fix is that users don't need to change installed trackers and are secure by default.

Docs
====

.. toctree::
   :maxdepth: 2

   docs/features
   docs/installation
   docs/upgrading
   docs/FAQ
   docs/user_guide
   docs/customizing
   docs/admin_guide
   docs/xmlrpc
   Design (original) <docs/design>
   docs/developers
   docs/tracker_templates
   docs/acknowledgements
   docs/license