From 95679599de538a4833dd873f0630e5819b60db10 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gabriel=20P=C3=A9rez-Cerezo?= <gabriel@gpcf.eu>
Date: Fri, 6 Jul 2018 23:21:49 +0200
Subject: prevent html injection

---
 templates/bug.html | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

(limited to 'templates/bug.html')

diff --git a/templates/bug.html b/templates/bug.html
index 7f58780..fc891fa 100644
--- a/templates/bug.html
+++ b/templates/bug.html
@@ -11,17 +11,17 @@
     <h1><a href="/"> Hemiptera Bugtracker at {{DOMAIN}}</a></h1>
     <h2><a href="/{{prname}}" >{{prname}}</a></h2>
     <h3 class="subject" >
-      {{ replies[0]["Subject"] }}
+      {{ replies[0]["Subject"]|e }}
     </h3>
     Send replies to <a href="mailto:{{ bug.id }}@{{ DOMAIN }}" >{{ bug.id }}@{{ DOMAIN }}</a>
   </header>
   {% for i in replies %}
   <div class="container">
   <div class="date {% if i["From"] == replies[0]["From"] %}op{% endif %}{% if i["From"] in devs %}dev{% endif %}">
-    <img class="avatar" src="{{ i["Avatar"] }}" alt="avatar" /> From: {% if i["From"] == replies[0]["From"] %} OP {% elif i["From"] in devs %} Developer {% else %} Someone else {% endif %}<br> {{ i["Date"] }}
+    <img class="avatar" src="{{ i["Avatar"] }}" alt="avatar" /> From: {% if i["From"] == replies[0]["From"] %} OP {% elif i["From"] in devs %} Developer {% else %} Someone else {% endif %}<br> {{ i["Date"] |e}}
   </div>
   <div class="reply">
-<p>{{ i.get_body("plain").get_content().replace("\n", "</p><p>") }}</p>
+<p>{{ i.get_body("plain").get_content()|e|replace("\n", "</p><p>") }}</p>
   </div>
   </div>
   {% endfor %}
@@ -30,7 +30,7 @@
     <div class="status-header date">
       <img class="avatar" src="/static/excl.png" alt="avatar" />
       <b>Status Update</b> <br>
-      {{ bug.closeddate }}
+      {{ bug.closeddate|e}}
     </div>
     <div class="status-message reply">
       <i>This bug was closed.</i>
-- 
cgit v1.2.3