fix(render): Escape thread titles in index

author: Vincent Ambo <tazjin@gmail.com> 2018-04-11T11·52+0200
committer: Vincent Ambo <tazjin@gmail.com> 2018-04-11T11·52+0200
commit: 2bbcc8432efd8536fee8f93d7f18e8bfc4d775a7 (patch)
tree: 003b97b62509a331e6a0f322cda5fb923583064f /src/render.rs
parent: 87237f5c28f177830808aeb4710f72d31f14c045 (diff)
1 files changed, 19 insertions, 1 deletions
diff --git a/src/render.rs b/src/render.rs
index fee897f281fb..4087dd45dd6b 100644
--- a/src/render.rs
+++ b/src/render.rs
@@ -29,12 +29,30 @@ impl Message for IndexPage {
     type Result = Result<String>;
 }
 
+#[derive(Debug, Serialize)]
+struct IndexThread {
+    id: i32,
+    title: String,
+    posted: DateTime<Utc>,
+    author_name: String,
+}
+
 impl Handler<IndexPage> for Renderer {
     type Result = Result<String>;
 
     fn handle(&mut self, msg: IndexPage, _: &mut Self::Context) -> Self::Result {
+        let threads: Vec<IndexThread> = msg.threads
+            .into_iter()
+            .map(|thread| IndexThread {
+                id: thread.id,
+                title: escape_html(&thread.title),
+                posted: thread.posted,
+                author_name: thread.author_name,
+            })
+            .collect();
+
         let mut ctx = Context::new();
-        ctx.add("threads", &msg.threads);
+        ctx.add("threads", &threads);
         Ok(self.tera.render("index.html", &ctx)?)
     }
 }
author	Vincent Ambo <tazjin@gmail.com>	2018-04-11T11·52+0200
committer	Vincent Ambo <tazjin@gmail.com>	2018-04-11T11·52+0200
commit	2bbcc8432efd8536fee8f93d7f18e8bfc4d775a7 (patch)
tree	003b97b62509a331e6a0f322cda5fb923583064f /src/render.rs
parent	87237f5c28f177830808aeb4710f72d31f14c045 (diff)