Index: openacs-4/packages/acs-templating/tcl/element-procs.tcl =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-templating/tcl/element-procs.tcl,v diff -u -N -r1.37.2.7 -r1.37.2.8 --- openacs-4/packages/acs-templating/tcl/element-procs.tcl 19 Dec 2019 19:15:06 -0000 1.37.2.7 +++ openacs-4/packages/acs-templating/tcl/element-procs.tcl 19 Dec 2019 20:01:02 -0000 1.37.2.8 @@ -138,6 +138,8 @@ this element. This overrides the 'SpellcheckFormWidgets' parameter. @option noquote A flag indicating that no value should not be quoted in a form. + In addition, the nonquoted inform field is not transmitted as + a hidden field (which can be attacked via noquote). Currently only supported by the "inform" widget type. @option before_html A chunk of HTML displayed immediately before the rendered element. Index: openacs-4/packages/acs-templating/tcl/widget-procs.tcl =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-templating/tcl/widget-procs.tcl,v diff -u -N -r1.63.2.8 -r1.63.2.9 --- openacs-4/packages/acs-templating/tcl/widget-procs.tcl 19 Dec 2019 19:15:06 -0000 1.63.2.8 +++ openacs-4/packages/acs-templating/tcl/widget-procs.tcl 19 Dec 2019 20:01:02 -0000 1.63.2.9 @@ -358,7 +358,7 @@ if { [info exists element(value)] } { if { [info exists element(noquote)] } { - return "$element(value)[input hidden element $tag_attributes]" + return "$element(value)" } else { return "[ns_quotehtml $element(value)][input hidden element $tag_attributes]" }
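Review bot: the added doc lines in the element-procs.tcl hunk state the consequence ("not transmitted as a hidden field") but leave the reason vague ("which can be attacked via noquote"); say plainly what the hidden field exposed, namely that a noquote inform value is emitted into the page unescaped and was previously also echoed into a hidden input, so the raw value became part of the submitted form data. While this paragraph is being touched, the pre-existing double negative "no value should not be quoted" should read "the value should not be quoted", and "the nonquoted inform field" should be "an inform element with noquote set" to match the option name used two lines later.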
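Review bot: in the widget-procs.tcl hunk, dropping `[input hidden element $tag_attributes]` from the noquote branch changes what the form posts back, not only how the value is rendered: a noquote inform element no longer round-trips its value on submit, while the quoted branch still does. Any existing form that reads the inform element's value after submission will silently lose it once `-noquote` is set, so the branch deserves a one-line comment explaining that the hidden field is deliberately omitted, and the change should be called out for callers; if the intent is only to stop echoing raw markup into the hidden input, keeping the hidden field with a quoted value would preserve the submit behaviour. The branch still returns `$element(value)` without `ns_quotehtml`, which is the documented behaviour but leaves the caller fully responsible for ensuring the value contains no untrusted content.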