authorVincent Ambo <tazjin@gmail.com>2018-04-14T20·30+0200
committerVincent Ambo <tazjin@gmail.com>2018-04-14T20·33+0200
commite0b1bc2627d65a759003842c4dc508e9f842da35 (patch)
tree37f54666b120e3a3891d945eccefc476d04d52de
parent8057b8849e1f4e53d0731c75da16bfdbc32fc602 (diff)
fix(render): Escape post bodies
... derp.

Well, the CSP already prevented script execution.
-rw-r--r--src/render.rs3
1 files changed, 2 insertions, 1 deletions
diff --git a/src/render.rs b/src/render.rs
index 537cab59daef..3254d480b5d2 100644
--- a/src/render.rs
+++ b/src/render.rs
@@ -120,9 +120,10 @@ fn md5_hex(input: &[u8]) -> String {
 
 fn prepare_thread(comrak: &ComrakOptions, page: ThreadPage) -> RenderableThreadPage {
     let posts = page.posts.into_iter().map(|post| {
+        let escaped_body = escape_html(&post.body);
         RenderablePost {
             id: post.id,
-            body: markdown_to_html(&post.body, comrak),
+            body: markdown_to_html(&escaped_body, comrak),
             posted: post.posted.into(),
             author_name: post.author_name,
             author_gravatar: md5_hex(post.author_email.as_bytes()),
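Review bot: The pre-escape on the added line `let escaped_body = escape_html(&post.body);` neutralizes raw HTML tags but leaves markdown link destinations untouched, so a body written as `[text](javascript:…)` still renders as an `<a href>` carrying that scheme; it also alters legitimate markup, because `>` blockquote markers and `&`/`<` inside code spans are already entities when comrak parses them, and code-span content is then escaped a second time. The safer shape is to hand comrak the raw body and enable its safe-rendering mode on the `ComrakOptions` built outside this hunk (`render.unsafe_ = false` in current comrak releases; check whether the version pinned here exposes the equivalent), which strips raw HTML and drops dangerous link schemes in one place. If the pre-escape is kept, annotate it so the limitation is visible: `// escape_html only neutralizes raw HTML; link destinations are not filtered`. The `prepare_thread` body and the `RenderablePost` literal continue past the end of the hunk.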