Index: openacs-4/packages/acs-templating/tcl/util-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-templating/tcl/util-procs.tcl,v
diff -u -r1.20 -r1.21
--- openacs-4/packages/acs-templating/tcl/util-procs.tcl 31 Jan 2005 21:03:19 -0000 1.20
+++ openacs-4/packages/acs-templating/tcl/util-procs.tcl 17 Sep 2005 06:07:18 -0000 1.21
@@ -733,12 +733,14 @@
 ad_proc -public template::util::tcl_to_sql_list { lst } {
 Convert a TCL list to a SQL list, for use with the "in" statement
- why doesn't this use ns_dbquotevalue?
+ This functions uses DoubleApos (similar to ns_dbquotevalue) functionality to escape single quotes
 } {
 if { [llength $lst] > 0 } {
+ # adding DoubleApos functionality for security reasons.
+ regsub -all -- ' "$lst" '' lst2
 set sql "'"
- append sql [join $lst "', '"]
+ append sql [join $lst2 "', '"]
 append sql "'"
 return $sql
 } else {
Index: openacs-4/packages/acs-templating/tcl/test/parse-test-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-templating/tcl/test/parse-test-procs.tcl,v
diff -u -r1.2 -r1.3
--- openacs-4/packages/acs-templating/tcl/test/parse-test-procs.tcl 13 Jan 2005 13:56:01 -0000 1.2
+++ openacs-4/packages/acs-templating/tcl/test/parse-test-procs.tcl 17 Sep 2005 06:07:19 -0000 1.3
@@ -49,4 +49,14 @@
 }
-}
\ No newline at end of file
+}
+
+aa_register_case -cats {api smoke} tcl_to_sql_list {
+ Tests the tcl_to_sql_list proc.
+
+ @author Torben Brosten
+} {
+ aa_equals "parses list of 0 items" [template::util::tcl_to_sql_list [list]] ""
+ aa_equals "parses list of 2 or more" [template::util::tcl_to_sql_list [list isn't hess' 'bit 'trippy']] "'isn''t', 'hess''', '''bit', '''trippy'''"
+
+}
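Review bot: The added `regsub -all -- ' "$lst" '' lst2` doubles apostrophes in the string representation of the whole list rather than in each element, and doubling apostrophes is the only transformation applied, so on a database or driver where a backslash escapes the next character inside an ordinary string literal (PostgreSQL with `standard_conforming_strings` off, the historical default) an element ending in a backslash can still close the literal early; the removed line `why doesn't this use ns_dbquotevalue?` was asking exactly this and the commit does not answer it. For values that come from a request, bind variables remain the correct mechanism and this proc should be documented as a formatting helper for trusted values; within the proc, the escaping should at least be done per element so it does not depend on Tcl's list-to-string round trip surviving the substitution. The `else` branch and the end of `tcl_to_sql_list` lie outside the hunk. The new docstring line `This functions uses DoubleApos (similar to ns_dbquotevalue) functionality to escape single quotes` would read better as `Doubles each single quote in every element (as ns_dbquotevalue does); does not escape backslashes, so use bind variables for untrusted input`.
```tcl
    if { [llength $lst] > 0 } {
        # Double the single quotes of each element separately; this is the
        # only escaping performed, so backslash-sensitive drivers are not covered.
        set quoted [list]
        foreach elem $lst {
            lappend quoted [string map {' ''} $elem]
        }
        set sql "'"
        append sql [join $quoted "', '"]
        # … unchanged: closing quote and return …
```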
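Review bot: The new `tcl_to_sql_list` case checks an empty list and a four-element list but neither a single element nor an element containing whitespace, which is the shape where the `regsub` over the list's string representation in util-procs.tcl has to survive brace-quoting and re-parsing by `join`; add `aa_equals "parses list of 1 item" [template::util::tcl_to_sql_list [list a]] "'a'"` and `aa_equals "escapes element with spaces" [template::util::tcl_to_sql_list [list "it's a" b]] "'it''s a', 'b'"`. The label `"parses list of 2 or more"` names a length, while the assertion actually verifies that leading, embedded and trailing apostrophes are doubled; a label such as `"doubles single quotes in every element"` would describe what a failure means.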