Index: openacs-4/packages/acs-templating/tcl/util-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-templating/tcl/util-procs.tcl,v
diff -u -N -r1.20.2.3 -r1.20.2.4
--- openacs-4/packages/acs-templating/tcl/util-procs.tcl 16 Sep 2005 10:49:57 -0000 1.20.2.3
+++ openacs-4/packages/acs-templating/tcl/util-procs.tcl 17 Sep 2005 06:22:36 -0000 1.20.2.4
@@ -732,13 +732,15 @@
 }
 ad_proc -public template::util::tcl_to_sql_list { lst } {
- Convert a TCL list to a SQL list, for use with the "in" statement - why doesn't this use ns_dbquotevalue?
+ Convert a TCL list to a SQL list, for use with the "in" statement.
+ Uses DoubleApos (similar to ns_dbquotevalue) functionality to escape single quotes
 } {
 if { [llength $lst] > 0 } {
+ # regsub adds DoubleApos functionality for security reasons.
+ regsub -all -- ' "$lst" '' lst2
 set sql "'"
- append sql [join $lst "', '"]
+ append sql [join $lst2 "', '"]
 append sql "'"
 return $sql
 } else {
Index: openacs-4/packages/acs-templating/tcl/test/parse-test-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-templating/tcl/test/parse-test-procs.tcl,v
diff -u -N -r1.2.2.2 -r1.2.2.3
--- openacs-4/packages/acs-templating/tcl/test/parse-test-procs.tcl 16 Sep 2005 09:46:34 -0000 1.2.2.2
+++ openacs-4/packages/acs-templating/tcl/test/parse-test-procs.tcl 17 Sep 2005 06:22:37 -0000 1.2.2.3
@@ -51,3 +51,13 @@
 }
 }
+
+aa_register_case -cats {api smoke} tcl_to_sql_list {
+ Tests the tcl_to_sql_list proc.
+
+ @author Torben Brosten
+} {
+ aa_equals "parses list of 0 items" [template::util::tcl_to_sql_list [list]] ""
+ aa_equals "parses list of 2 or more" [template::util::tcl_to_sql_list [list isn't hess' 'bit 'trippy']] "'isn''t', 'hess''', '''bit', '''trippy'''"
+
+}
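Review bot: Doubling single quotes in `regsub -all -- ' "$lst" '' lst2` is only a complete escape for a SQL dialect in which backslash is not special; if the result is ever sent to PostgreSQL with backslash string escapes enabled (the only behaviour of releases of that era), an element ending in a backslash leaves the literal open — `[list \\ {; DROP TABLE foo --}]` yields `'\', '; DROP TABLE foo --'`, where `\'` is read as an escaped quote and the remainder runs as SQL. The robust fix is to let the database driver quote each element rather than reimplementing it here, or, failing that, to state in the doc block that the output is only safe where backslashes are not special and to keep untrusted input away from this proc. The substitution also runs over the list's string representation and then relies on `join` re-parsing it; a per-element `foreach item $lst { lappend quoted [string map {' ''} $item] }` followed by `append sql [join $quoted "', '"]` says what it means and avoids the string/list round-trip. The proc's `else` branch continues outside the hunk.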
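Review bot: The new `tcl_to_sql_list` case only exercises single-word elements, so it never checks the round-trip the implementation depends on (quoting the list's string form, then `join` re-parsing it as a list); an element that the list representation braces would pin that, e.g. `aa_equals "parses element with whitespace" [template::util::tcl_to_sql_list [list "it's here"]] "'it''s here'"`. A case with a backslash element would also document, one way or the other, whether backslashes are expected to pass through unescaped.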