Index: tdiary.rb
===================================================================
--- tdiary.rb	19 Jul 2006 13:09:11 -0000	1.282
+++ tdiary.rb	26 Oct 2006 12:07:54 -0000
@@ -1510,7 +1510,7 @@
 
 		def initialize( cgi, rhtml, conf )
 			super
-			@key = @cgi.params['conf'][0]
+			@key = CGI::escapeHTML( @cgi.params['conf'][0] )
 		end
 	end
 
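Review bot: `CGI::escapeHTML( @cgi.params['conf'][0] )` in `initialize` receives nil when the request carries no `conf` parameter; the removed assignment tolerated that, while the escape call will most likely raise. A guard such as `@key = CGI::escapeHTML( @cgi.params['conf'][0].to_s )` keeps the constructor from failing on such a request. Storing the HTML-escaped form in `@key` also means every later use of the key (lookups, comparisons, non-HTML output) sees the encoded text, so either escape at the point of output or add a comment such as `# @key is HTML-escaped for direct output in conf.rhtml; not suitable as a lookup key`. The enclosing class begins outside this hunk, so other readers of `@key` are not visible here.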
Index: skel/conf.rhtml
===================================================================
--- skel/conf.rhtml.orig	2005-09-16 13:15:54.000000000 +0900
+++ skel/conf.rhtml	2006-11-26 14:42:17.000000000 +0900
@@ -14,6 +14,6 @@
 <form class="conf" method="post" action="<%= @conf.update %>"><div>
 	<input type="hidden" name="conf" value="<%=@key%>">
 	<%=@csrf_protection%>
-	<%%=conf_proc( "#{@cgi.params['conf'][0]}" )%>
+	<%%=conf_proc( "<%=@key%>" )%>
 	<div><input type="submit" name="saveconf" value="OK"></div>
 </div></form>
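Review bot: On the added `conf_proc` line the request value is written into the template text by the first ERB pass (`"<%=@key%>"`) rather than read when the `<%%=` expression is evaluated, so the later-evaluated expression now contains request-controlled source. HTML escaping neutralises `"`, `<`, `>` and `&`, but not Ruby string-literal syntax such as interpolation sequences or backslashes, so this may trade the XSS fix for a code-evaluation path. Passing the value as data avoids both problems: `<%%=conf_proc( @key )%>`, assuming `@key` is in scope for the second pass as `@cgi` was in the removed line. If `conf_proc` looks entries up by name it probably needs the unescaped key, and checking the key against the set of known conf entries before rendering would be a stronger guard than escaping alone.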

