From 271dcb7a6501ae402344ea6685c7313f49e645d5 Mon Sep 17 00:00:00 2001
From: czaks <marcin@6irc.net>
Date: Thu, 23 Apr 2015 03:45:08 +0200
Subject: [PATCH] fileboard: fix possible XSS (mainly applicable to 8chan)

---
 templates/post_form.html             | 2 +-
 templates/post_thread_fileboard.html | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/templates/post_form.html b/templates/post_form.html
index ea3ac765..0e0d3fed 100644
--- a/templates/post_form.html
+++ b/templates/post_form.html
@@ -98,7 +98,7 @@
 				<td>
 					<select name="tag">
 						{% for id, tag in config.allowed_tags %}
-							<option value="{{ id }}">{{ tag }}</option>
+							<option value="{{ id|e }}">{{ tag|e }}</option>
 						{% endfor %}
 					</select>
 				</td>
diff --git a/templates/post_thread_fileboard.html b/templates/post_thread_fileboard.html
index 983bfe17..1a11ff79 100644
--- a/templates/post_thread_fileboard.html
+++ b/templates/post_thread_fileboard.html
@@ -9,7 +9,7 @@
 <td>{% include 'post/name.html' %}
     {% include 'post/flag.html' %}
 <td>[<a href="{{ config.uri_img }}{{ post.files[0].file }}">{{ post.files[0].filename|e|bidi_cleanup }}</a>]
-<td>{% if post.modifiers['tag'] %}[{{ post.modifiers['tag'] }}]{% endif %}
+<td>{% if post.modifiers['tag'] %}[{{ post.modifiers['tag']|e }}]{% endif %}
 <td>{% include 'post/subject.html' %}
 	{% if post.sticky %}
 		{% if config.font_awesome %}