author | cel <cel@f/6sQ6d2CMxRUhLpspgGIulDxDCwYD7DzFzPNr7u5AU=.ed25519> | 2019-03-11 16:47:41 -1000 |
---|---|---|
committer | cel <cel@f/6sQ6d2CMxRUhLpspgGIulDxDCwYD7DzFzPNr7u5AU=.ed25519> | 2019-03-11 23:11:27 -1000 |
commit | eba01998e1a0d9172feb30fca0e73c74f4009582 (patch) | |
tree | f6b021e803f936bf7f7701bff206e8993d658754 | |
parent | 0bbc1ad05874c1e6a7c694bd36d6d8882be57011 (diff) | |
download | patchfoo-eba01998e1a0d9172feb30fca0e73c74f4009582.tar.gz patchfoo-eba01998e1a0d9172feb30fca0e73c74f4009582.zip |
Escape draft edit URL
-rw-r--r-- | lib/serve.js | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/serve.js b/lib/serve.js
index 9ef292a..0410a92 100644
--- a/lib/serve.js
+++ b/lib/serve.js
@@ -4271,7 +4271,7 @@ Serve.prototype.drafts = function (path) {
 + (form.composer_id ? '#' + encodeURIComponent(form.composer_id) : '')
 cb(null, ph('div', [
 ph('table', ph('tr', [
- ph('td', ph('form', {method: 'post', action: composerUrl}, [
+ ph('td', ph('form', {method: 'post', action: u.escapeHTML(composerUrl)}, [
 hiddenInput('draft_id', id),
 hiddenInput('restored_draft', '1'),
 Object.keys(form).map(function (key) { |
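Review bot: Escaping by hand at this one `action` sink suggests `ph` does not escape attribute values itself, and nothing on the changed line records that, so a later edit could drop the call without noticing. A short comment above the `ph('form', ...)` line would help, for example `// ph() does not escape attribute values; composerUrl contains draft-supplied data` (worth confirming against the `ph` helper before committing that wording). The same assumption is worth checking for the neighbouring `hiddenInput('draft_id', id)` call and any other attribute built from `form` in this function, since their escaping is not visible here. Note also that `u.escapeHTML` only prevents breaking out of the attribute; it does not constrain which URL the form posts to, and the first part of the `composerUrl` expression lies above the hunk, so whether that part can be influenced by stored draft data cannot be judged from these lines. `Serve.prototype.drafts` begins and ends outside the hunk.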