From a550c63f9c896ddba236d9136998a858c233b492 Mon Sep 17 00:00:00 2001
From: 8chan <admin@8chan.co>
Date: Fri, 23 Jan 2015 02:29:55 -0800
Subject: [PATCH] SECURITY / XSS : Stop XSS in post subjects displayed in
 catalog

git blame says czaks forgot an |e in catalog.html, this means that anyone posting a new thread with HTML in the subject field or name field can arbitrarily insert it into the page.

Conflicts:
	templates/themes/catalog/catalog.html
---
 templates/themes/catalog/catalog.html | 22 +++++++++++++++-------
 1 file changed, 15 insertions(+), 7 deletions(-)

diff --git a/templates/themes/catalog/catalog.html b/templates/themes/catalog/catalog.html
index 72cb8698..aef6c139 100644
--- a/templates/themes/catalog/catalog.html
+++ b/templates/themes/catalog/catalog.html
@@ -52,14 +52,22 @@
 						{% else %}
 							<img src="{{post.file}}" 
 						{% endif %}
-                                                 id="img-{{ post.id }}" data-subject="{% if post.subject %}{{ post.subject }}{% endif %}" data-name="{{ post.name }}" data-muhdifference="{{ post.muhdifference }}" data-last-reply="{% if post.last_reply %}{{ post.last_reply }}{% endif %}" data-last-subject="{% if post.last_reply_subject %}{{ post.last_reply_subject }}{% endif %}" data-last-name="{% if post.last_reply %}{{ post.last_reply_name }}{% endif %}" data-last-difference="{% if post.last_reply %}{{ post.last_reply_difference }}{% endif %}" class="{{post.board}} thread-image" title="{{post.bump|date('%b %d %H:%M')}}">
+                                                 id="img-{{ post.id }}" data-subject="{% if post.subject %}{{ post.subject|e }}{% endif %}" data-name="{{ post.name|e }}" data-muhdifference="{{ post.muhdifference }}" class="{{post.board}} thread-image" title="{{post.bump|date('%b %d %H:%M')}}">
                                         </a>
-                                        <p>
-                                                <span class="replies">
-                                                        <strong>R: {{ post.reply_count }} / I: {{ post.image_count }}</strong><br/>
-                                                        {{ post.body }}
-                                                </span>
-                                        </p>
+                                                <div class="replies">
+                                                        <strong>R: {{ post.reply_count }} / I: {{ post.image_count }}</strong>
+                                                        {% if post.subject %}
+								<p class="intro">
+									<span class="subject">
+										{{ post.subject|e }}
+									</span>
+								</p>
+							{% else %}
+								<br />
+							{% endif %}
+
+								{{ post.body }}
+                                                </div>
                                 </div>
                         </li>
                 {% endfor %}