Index: openacs-4/packages/acs-templating/tcl/util-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-templating/tcl/util-procs.tcl,v
diff -u -r1.20.2.3 -r1.20.2.4
--- openacs-4/packages/acs-templating/tcl/util-procs.tcl 16 Sep 2005 10:49:57 -0000 1.20.2.3
+++ openacs-4/packages/acs-templating/tcl/util-procs.tcl 17 Sep 2005 06:22:36 -0000 1.20.2.4
@@ -732,13 +732,15 @@
 }
 ad_proc -public template::util::tcl_to_sql_list { lst } {
-    Convert a TCL list to a SQL list, for use with the "in" statement
-    why doesn't this use ns_dbquotevalue?
+    Convert a TCL list to a SQL list, for use with the "in" statement.
+    Uses DoubleApos (similar to ns_dbquotevalue) functionality to escape single quotes
 } {
     if { [llength $lst] > 0 } {
+        # regsub adds DoubleApos functionality for security reasons.
+        regsub -all -- ' "$lst" '' lst2
         set sql "'"
-        append sql [join $lst "', '"]
+        append sql [join $lst2 "', '"]
         append sql "'"
         return $sql
     } else {
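Review bot: Doubling apostrophes in the added `regsub -all -- ' "$lst" '' lst2` line is only a complete string-literal escape for databases that treat backslash as an ordinary character; on a backend where backslash escapes inside literals (PostgreSQL of this era, unless standard-conforming strings are enabled), an element ending in a backslash followed by a quote is rewritten so that the backslash consumes the first doubled quote and the second one terminates the literal, which defeats the escaping the comment promises. The substitution is also applied to the list's string form rather than to each element, so what reaches `join $lst2` depends on Tcl's own list quoting of each value rather than on the value itself. Since the old docstring already asked why this does not use `ns_dbquotevalue`, quoting each element through the driver's routine answers that question and removes the dialect dependence; callers that can use bind variables should still prefer them over building the IN list as text. The proc body continues past the hunk (the else branch is cut), and the doc lines still deserve a sentence saying which quoting rule is applied and that the result is a comma-separated list of quoted literals without surrounding parentheses.
```tcl
    if { [llength $lst] > 0 } {
        # Quote each element with the driver's own quoting routine instead
        # of doubling apostrophes on the list's string form.
        set quoted [list]
        foreach elm $lst {
            lappend quoted [ns_dbquotevalue $elm]
        }
        return [join $quoted ", "]
    } else {
        # … unchanged: empty-list branch …
```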