author | Vincent Ambo <tazjin@gmail.com> | 2018-04-14T20·30+0200 |
---|---|---|
committer | Vincent Ambo <tazjin@gmail.com> | 2018-04-14T20·33+0200 |
commit | e0b1bc2627d65a759003842c4dc508e9f842da35 (patch) | |
tree | 37f54666b120e3a3891d945eccefc476d04d52de /src | |
parent | 8057b8849e1f4e53d0731c75da16bfdbc32fc602 (diff) |
fix(render): Escape post bodies
... derp. Well, the CSP prevented script executions already.
Diffstat (limited to 'src')
-rw-r--r-- | src/render.rs | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/src/render.rs b/src/render.rs
index 537cab59daef..3254d480b5d2 100644
--- a/src/render.rs
+++ b/src/render.rs
@@ -120,9 +120,10 @@ fn md5_hex(input: &[u8]) -> String {
 fn prepare_thread(comrak: &ComrakOptions, page: ThreadPage) -> RenderableThreadPage {
 let posts = page.posts.into_iter().map(|post| {
+ let escaped_body = escape_html(&post.body);
 RenderablePost {
 id: post.id,
- body: markdown_to_html(&post.body, comrak),
+ body: markdown_to_html(&escaped_body, comrak),
 posted: post.posted.into(),
 author_name: post.author_name,
 author_gravatar: md5_hex(post.author_email.as_bytes()),
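Review bot: Escaping the whole post body before it reaches the Markdown renderer, on the added `let escaped_body = escape_html(&post.body);` line, is the wrong layer for this check: if `escape_html` replaces the usual `&`, `<`, `>` and quote characters, then text inside fenced code blocks and inline code (which comrak escapes itself when emitting HTML) will most likely come out double-escaped (`&amp;lt;` and the like), and Markdown syntax that relies on those characters — `>` blockquotes, `<http://…>` autolinks — stops working. The usual arrangement is to render Markdown from the raw body and rely on comrak not passing raw HTML through, or to sanitize the rendered HTML afterwards; whether the `ComrakOptions` built outside this hunk already disable raw-HTML passthrough cannot be seen here, so the pre-escape may be redundant defence-in-depth or the only thing standing between user input and the page. Either way the choice deserves a comment on the new line, e.g. `// Escaped before rendering so raw HTML in a post can never reach the page; note this also escapes code spans, which comrak escapes again.` The body of `prepare_thread` continues past the end of the hunk.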