fix: HTML + mustache interpolations not escaped properly

server/libs/markdown.js

@@ -25,10 +25,10 @@ var mkdown = md({
       try {
         return '<pre class="hljs"><code>' + hljs.highlight(lang, str, true).value + '</code></pre>'
       } catch (err) {
-        return '<pre><code>' + str + '</code></pre>'
+        return '<pre><code>' + _.escape(str) + '</code></pre>'
       }
     }
-    return '<pre><code>' + str + '</code></pre>'
+    return '<pre><code>' + _.escape(str) + '</code></pre>'
   }
 })
   .use(mdEmoji)

server/locales/en/common.json

@@ -17,25 +17,26 @@
   },
   "nav": {
     "account": "Account",
-    "settings": "Settings",
+    "allpages": "All Pages",
+    "create": "Create",
+    "discard": "Discard",
+    "edit": "Edit",
+    "history": "History",
+    "home": "Home",
+    "login": "Login",
+    "logout": "Logout",
+    "move": "Move",
     "myprofile": "My Profile",
+    "normalview": "Normal View",
+    "savechanges": "Save Changes",
+    "savedocument": "Save Document",
+    "settings": "Settings",
+    "source": "Source",
     "stats": "Stats",
     "syssettings": "System Settings",
     "theme": "Color Theme",
     "users": "Users",
-    "logout": "Logout",
+    "viewlatest": "View Latest"
-    "create": "Create",
-    "edit": "Edit",
-    "history": "History",
-    "source": "Source",
-    "move": "Move",
-    "allpages": "All Pages",
-    "login": "Login",
-    "normalview": "Normal View",
-    "viewlatest": "View Latest",
-    "discard": "Discard",
-    "savechanges": "Save Changes",
-    "savedocument": "Save Document"
   },
   "welcome": {
     "title": "Welcome to your wiki!",

server/views/pages/create.pug

@@ -16,7 +16,7 @@ block rootNavRight
 block content
   editor(inline-template, current-path=pageData.meta.path, v-cloak)
     .editor-area
-      textarea(ref='editorTextArea')= pageData.markdown
+      textarea(ref='editorTextArea', v-pre)= pageData.markdown
 
   editor-video
   editor-codeblock

server/views/pages/edit.pug

@@ -16,7 +16,7 @@ block rootNavRight
 block content
   editor(inline-template, current-path=pageData.meta.path, v-cloak)
     .editor-area
-      textarea(ref='editorTextArea')= pageData.markdown
+      textarea(ref='editorTextArea', v-pre)= pageData.markdown
 
   editor-video
   editor-codeblock

server/views/pages/view.pug

@@ -73,12 +73,11 @@ block content
               +tocMenu(pageData.tree)
 
         .column
-
           .hero
             h1.title#title= pageData.meta.title
             if pageData.meta.subtitle
               h2.subtitle= pageData.meta.subtitle
-          .content.mkcontent
+          .content.mkcontent(v-pre)
             != pageData.html
 
   modal-create-page(basepath=pageData.meta.path)