From 637e98b75e71e3ba16f2de5c98e2dea8f6ef62a8 Mon Sep 17 00:00:00 2001
From: cel
Date: Thu, 19 Mar 2020 17:41:17 -0400
Subject: advsearch: html escape
---
 lib/serve.js | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/lib/serve.js b/lib/serve.js
index 4089635..29a6350 100644
--- a/lib/serve.js
+++ b/lib/serve.js
@@ -702,25 +702,25 @@ Serve.prototype.advsearch = function (ext) {
 ph('td', 'text'), ph('td', ph('input', {name: 'text', placeholder: 'regex', class: 'id-input',
- value: q.text || ''}))
+ value: u.escapeHTML(q.text)}))
 ]), ph('tr', [ ph('td', 'author'), ph('td', ph('input', {name: 'source', placeholder: '@id', class: 'id-input',
- value: q.source || ''}))
+ value: q.escapeHTML(q.source)}))
 ]), ph('tr', [ ph('td', 'mentions'), ph('td', ph('input', {name: 'dest', placeholder: 'id', class: 'id-input',
- value: q.dest || ''}))
+ value: u.escapeHTML(q.dest)}))
 ]), ph('tr', [ ph('td', 'channel'), ph('td', ['#', ph('input', {name: 'channel', placeholder: 'channel', class: 'id-input',
- value: q.channel || ''})
+ value: u.escapeHTML(q.channel)})
 ]) ]), ph('tr', [
-- 
cgit v1.2.3
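Review bot: The `author` row calls `q.escapeHTML(q.source)`, while the other three rows call `u.escapeHTML(...)`. `q` appears to be the parsed query object (it is read as `q.text`, `q.dest`, `q.channel`), so this call will most likely throw a TypeError whenever the advanced-search form renders, and `source` never gets escaped. The line should read `value: u.escapeHTML(q.source)}))`. The commit also drops the `|| ''` fallback on all four fields, so confirm that `u.escapeHTML` returns an empty string for `undefined`, or keep the fallback as `u.escapeHTML(q.text || '')`. The body of `advsearch` starts and ends outside this hunk, so whether `ph` already escapes attribute values (which would double-encode them) cannot be judged from here.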