From e0b1bc2627d65a759003842c4dc508e9f842da35 Mon Sep 17 00:00:00 2001
From: Vincent Ambo
Date: Sat, 14 Apr 2018 22:30:17 +0200
Subject: fix(render): Escape post bodies ... derp.
Well, the CSP prevented script executions already.
---
 src/render.rs | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'src')
diff --git a/src/render.rs b/src/render.rs
index 537cab59daef..3254d480b5d2 100644
--- a/src/render.rs
+++ b/src/render.rs
@@ -120,9 +120,10 @@ fn md5_hex(input: &[u8]) -> String {
 fn prepare_thread(comrak: &ComrakOptions, page: ThreadPage) -> RenderableThreadPage {
 let posts = page.posts.into_iter().map(|post| {
+ let escaped_body = escape_html(&post.body);
 RenderablePost {
 id: post.id,
- body: markdown_to_html(&post.body, comrak),
+ body: markdown_to_html(&escaped_body, comrak),
 posted: post.posted.into(),
 author_name: post.author_name,
 author_gravatar: md5_hex(post.author_email.as_bytes()),
--
cgit 1.4.1
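Review bot: HTML-escaping the raw Markdown source at `let escaped_body = escape_html(&post.body);` changes what comrak parses rather than only what it emits: a line beginning with `>` becomes `&gt;` and is no longer a blockquote, `<` or `&` inside code spans and fenced blocks is escaped a second time by the renderer so the reader sees `&lt;` literally, and quotes around link titles stop matching — assuming `escape_html` covers the usual five characters, since its body is outside the hunk. Pre-escaping also leaves link destinations untouched, so the rendered `<a href>` still carries whatever scheme the post author wrote; the CSP mentioned in the commit message mitigates that only for script execution. A more robust shape keeps `markdown_to_html(&post.body, comrak)` as it was and instead has comrak filter raw HTML (`ext_tagfilter` in the options, or a safe-rendering mode if the comrak version in use provides one), or runs the rendered output through an allowlist sanitizer. prepare_thread's closing lines are outside the hunk.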