From 95679599de538a4833dd873f0630e5819b60db10 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gabriel=20P=C3=A9rez-Cerezo?= <gabriel@gpcf.eu>
Date: Fri, 6 Jul 2018 23:21:49 +0200
Subject: prevent html injection

---
 templates/bug.html     | 8 ++++----
 templates/buglist.html | 6 +++---
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/templates/bug.html b/templates/bug.html
index 7f58780..fc891fa 100644
--- a/templates/bug.html
+++ b/templates/bug.html
@@ -11,17 +11,17 @@
     <h1><a href="/"> Hemiptera Bugtracker at {{DOMAIN}}</a></h1>
     <h2><a href="/{{prname}}" >{{prname}}</a></h2>
     <h3 class="subject" >
-      {{ replies[0]["Subject"] }}
+      {{ replies[0]["Subject"]|e }}
     </h3>
     Send replies to <a href="mailto:{{ bug.id }}@{{ DOMAIN }}" >{{ bug.id }}@{{ DOMAIN }}</a>
   </header>
   {% for i in replies %}
   <div class="container">
   <div class="date {% if i["From"] == replies[0]["From"] %}op{% endif %}{% if i["From"] in devs %}dev{% endif %}">
-    <img class="avatar" src="{{ i["Avatar"] }}" alt="avatar" /> From: {% if i["From"] == replies[0]["From"] %} OP {% elif i["From"] in devs %} Developer {% else %} Someone else {% endif %}<br> {{ i["Date"] }}
+    <img class="avatar" src="{{ i["Avatar"] }}" alt="avatar" /> From: {% if i["From"] == replies[0]["From"] %} OP {% elif i["From"] in devs %} Developer {% else %} Someone else {% endif %}<br> {{ i["Date"] |e}}
   </div>
   <div class="reply">
-<p>{{ i.get_body("plain").get_content().replace("\n", "</p><p>") }}</p>
+<p>{{ i.get_body("plain").get_content()|e|replace("\n", "</p><p>") }}</p>
   </div>
   </div>
   {% endfor %}
@@ -30,7 +30,7 @@
     <div class="status-header date">
       <img class="avatar" src="/static/excl.png" alt="avatar" />
       <b>Status Update</b> <br>
-      {{ bug.closeddate }}
+      {{ bug.closeddate|e}}
     </div>
     <div class="status-message reply">
       <i>This bug was closed.</i>
diff --git a/templates/buglist.html b/templates/buglist.html
index 3e69108..142dc69 100644
--- a/templates/buglist.html
+++ b/templates/buglist.html
@@ -29,12 +29,12 @@
       <td>
 	{{ i.id }}
       <td>
-	<a href="/{{ prname }}/{{ i.id }}.html"> {{ i.subject }}</a>
+	<a href="/{{ prname }}/{{ i.id }}.html"> {{ i.subject|e }}</a>
       <td>
 	{{ i.replies }}
-      <td title="{{ i.created }}">
+      <td title="{{ i.created|e }}">
 	{{ i.nicecreated }}
-      <td title="{{ i.last_reply }}">
+      <td title="{{ i.last_reply|e }}">
 	{{ i.nicereply }}
       <td>
 	{% if i.closed %}
-- 
cgit v1.2.3