fix: HTML + mustache interpolations not escaped properly

2017-06-01 20:15:02 -04:00
parent f1a516da03
commit 4632330d7c
5 changed files with 21 additions and 21 deletions
--- a/server/libs/markdown.js
+++ b/server/libs/markdown.js
@@ -25,10 +25,10 @@ var mkdown = md({
      try {
        return '<pre class="hljs"><code>' + hljs.highlight(lang, str, true).value + '</code></pre>'
      } catch (err) {
-        return '<pre><code>' + str + '</code></pre>'
+        return '<pre><code>' + _.escape(str) + '</code></pre>'
      }
    }
-    return '<pre><code>' + str + '</code></pre>'
+    return '<pre><code>' + _.escape(str) + '</code></pre>'
  }
 })
  .use(mdEmoji)