escape version string to prevent XSS for sure

* HTML escape the remotely retrieved version string printed to the HTML in order
  to prevent and attacks (if this would have been possible at all in 12
  characters).

The version string read from the davical.org webserver might be changed by an
attacker in order to perform XSS.
Even though this is highly unlikley (there are only 12 characters used) it's
better to HTML escape any such string that is printed to HTML.

This was originally reported at:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=703290

ChangeLog

@@ -2,6 +2,9 @@
 	* Changed the end-of-line encodings of all non-Windows-related and 
 	  non-autogenerated text files to use UNIX LF (lots of them had mixed
 	  LF/CRLF).
+	* HTML escape the remotely retrieved version string printed to the HTML
+	  in order to prevent and attacks (if this would have been possible at
+	  all in 12 characters).
 
 2013-03-06  Andrew McMillan  <andrew@morphoss.com>
 	* Fix capitalisation of 'plpgsql' & 'sql' for Postgres 9.2. (debbug #702403)

debian/changelog

@@ -1,6 +1,6 @@
 davical (1.1.2-1) unstable; urgency=low
 
-  * New upstream release (closes:#702403)
+  * New upstream release (closes:#702403, #703290)
 
  -- Andrew McMillan <awm@debian.org>  Wed, 01 May 2013 10:05:33 +1200
 

htdocs/setup.php

@@ -252,7 +252,7 @@ function check_davical_version() {
   $url = 'http://www.davical.org/current_davical_version?v='.$c->version_string;
   $version_file = @fopen($url, 'r');
   if ( ! $version_file ) return new CheckResult( false, translate("Could not retrieve") . " '$url'", 'dep_warning' );
-  $current_version = trim(fread( $version_file,12));
+  $current_version = htmlentities( trim(fread( $version_file,12)) );
   fclose($version_file);
   $result = new CheckResult($c->version_string == $current_version);
   if ( ! $result->getOK() ) {