From: Michael J Rubinsky <mrubinsk@horde.org>
Date: Mon, 14 Dec 2015 09:27:09 -0500
Subject: Escape form value.

Even though this is a numeric field, this isn't enforced until
the form is submitted.

(Adapted from upstream 11d74fa5a22fe626c5e5a010b703cd46a136f253)

diff --git a/Horde_Core-2.15.0/lib/Horde/Core/Ui/VarRenderer/Html.php b/Horde_Core-2.15.0/lib/Horde/Core/Ui/VarRenderer/Html.php
index 62ae559..580dc27 100644
--- a/Horde_Core-2.15.0/lib/Horde/Core/Ui/VarRenderer/Html.php
+++ b/Horde_Core-2.15.0/lib/Horde/Core/Ui/VarRenderer/Html.php
@@ -48,7 +48,7 @@ class Horde_Core_Ui_VarRenderer_Html extends Horde_Core_Ui_VarRenderer
         return sprintf('<input type="text" size="5" name="%s" id="%s" value="%s"%s />',
                        htmlspecialchars($var->getVarName()),
                        $this->_genID($var->getVarName(), false),
-                       $value,
+                       htmlspecialchars($value),
                        $this->_getActionScripts($form, $var)
                );
     }
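Review bot: The `id="%s"` argument directly above the changed line, `$this->_genID($var->getVarName(), false)`, is still interpolated without a visible `htmlspecialchars()` call, unlike the `name` argument. Whether `_genID()` escapes its own output cannot be seen from this hunk and should be confirmed. The new `htmlspecialchars($value)` relies on the default flags and charset, which is enough for this double-quoted attribute. Assuming the page is served as UTF-8, writing `htmlspecialchars($value, ENT_QUOTES, 'UTF-8')` would keep the sink safe if the template's quoting or the PHP defaults ever change. A comment such as `// not validated as numeric until submit; escape for the attribute context` would record why a numeric field is escaped; the enclosing method starts outside the hunk, so how `$value` is obtained is not visible here.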
-- 
2.7.0

