Index: openacs-4/packages/acs-templating/tcl/util-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-templating/tcl/util-procs.tcl,v
diff -u -r1.20 -r1.21
--- openacs-4/packages/acs-templating/tcl/util-procs.tcl 31 Jan 2005 21:03:19 -0000 1.20
+++ openacs-4/packages/acs-templating/tcl/util-procs.tcl 17 Sep 2005 06:07:18 -0000 1.21
@@ -733,12 +733,14 @@
 ad_proc -public template::util::tcl_to_sql_list { lst } {
 Convert a TCL list to a SQL list, for use with the "in" statement
- why doesn't this use ns_dbquotevalue?
+ This functions uses DoubleApos (similar to ns_dbquotevalue) functionality to escape single quotes
 } {
 if { [llength $lst] > 0 } {
+ # adding DoubleApos functionality for security reasons.
+ regsub -all -- ' "$lst" '' lst2
 set sql "'"
- append sql [join $lst "', '"]
+ append sql [join $lst2 "', '"]
 append sql "'"
 return $sql
 } else {