From 2bbcc8432efd8536fee8f93d7f18e8bfc4d775a7 Mon Sep 17 00:00:00 2001
From: Vincent Ambo <tazjin@gmail.com>
Date: Wed, 11 Apr 2018 13:52:37 +0200
Subject: fix(render): Escape thread titles in index

---
 src/render.rs | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

(limited to 'src/render.rs')

diff --git a/src/render.rs b/src/render.rs
index fee897f281..4087dd45dd 100644
--- a/src/render.rs
+++ b/src/render.rs
@@ -29,12 +29,30 @@ impl Message for IndexPage {
     type Result = Result<String>;
 }
 
+#[derive(Debug, Serialize)]
+struct IndexThread {
+    id: i32,
+    title: String,
+    posted: DateTime<Utc>,
+    author_name: String,
+}
+
 impl Handler<IndexPage> for Renderer {
     type Result = Result<String>;
 
     fn handle(&mut self, msg: IndexPage, _: &mut Self::Context) -> Self::Result {
+        let threads: Vec<IndexThread> = msg.threads
+            .into_iter()
+            .map(|thread| IndexThread {
+                id: thread.id,
+                title: escape_html(&thread.title),
+                posted: thread.posted,
+                author_name: thread.author_name,
+            })
+            .collect();
+
         let mut ctx = Context::new();
-        ctx.add("threads", &msg.threads);
+        ctx.add("threads", &threads);
         Ok(self.tera.render("index.html", &ctx)?)
     }
 }
-- 
cgit 1.4.1