Escape draft edit URL

author: cel <cel@f/6sQ6d2CMxRUhLpspgGIulDxDCwYD7DzFzPNr7u5AU=.ed25519> 2019-03-11 16:47:41 -1000
committer: cel <cel@f/6sQ6d2CMxRUhLpspgGIulDxDCwYD7DzFzPNr7u5AU=.ed25519> 2019-03-11 23:11:27 -1000
commit: eba01998e1a0d9172feb30fca0e73c74f4009582 (patch)
tree: f6b021e803f936bf7f7701bff206e8993d658754 /lib/serve.js
parent: 0bbc1ad05874c1e6a7c694bd36d6d8882be57011 (diff)
download: patchfoo-eba01998e1a0d9172feb30fca0e73c74f4009582.tar.gz
patchfoo-eba01998e1a0d9172feb30fca0e73c74f4009582.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/serve.js b/lib/serve.js
index 9ef292a..0410a92 100644
--- a/lib/serve.js
+++ b/lib/serve.js
@@ -4271,7 +4271,7 @@ Serve.prototype.drafts = function (path) {
               + (form.composer_id ? '#' + encodeURIComponent(form.composer_id) : '')
             cb(null, ph('div', [
               ph('table', ph('tr', [
-                ph('td', ph('form', {method: 'post', action: composerUrl}, [
+                ph('td', ph('form', {method: 'post', action: u.escapeHTML(composerUrl)}, [
                   hiddenInput('draft_id', id),
                   hiddenInput('restored_draft', '1'),
                   Object.keys(form).map(function (key) {
author	cel <cel@f/6sQ6d2CMxRUhLpspgGIulDxDCwYD7DzFzPNr7u5AU=.ed25519>	2019-03-11 16:47:41 -1000
committer	cel <cel@f/6sQ6d2CMxRUhLpspgGIulDxDCwYD7DzFzPNr7u5AU=.ed25519>	2019-03-11 23:11:27 -1000
commit	eba01998e1a0d9172feb30fca0e73c74f4009582 (patch)
tree	f6b021e803f936bf7f7701bff206e8993d658754 /lib/serve.js
parent	0bbc1ad05874c1e6a7c694bd36d6d8882be57011 (diff)
download	patchfoo-eba01998e1a0d9172feb30fca0e73c74f4009582.tar.gz patchfoo-eba01998e1a0d9172feb30fca0e73c74f4009582.zip