From 4f85b7c57054e6af8eee4c2d9fbb5cf08c1e7aea Mon Sep 17 00:00:00 2001
From: antedeguemon <vammerlo@inf.ufrgs.br>
Date: Sun, 21 May 2017 17:08:43 -0300
Subject: [PATCH] Fixed XSS in post edit page and modsearch

---
 templates/mod/edit_post_form.html | 4 ++--
 templates/mod/search_results.html | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/templates/mod/edit_post_form.html b/templates/mod/edit_post_form.html
index a2980d35..7f8d4b1e 100644
--- a/templates/mod/edit_post_form.html
+++ b/templates/mod/edit_post_form.html
@@ -7,7 +7,7 @@
 				{% trans %}Name{% endtrans %}
 			</th>
 			<td>
-				<input type="text" name="name" size="25" maxlength="35" autocomplete="off" value="{{ post.name }}">
+				<input type="text" name="name" size="25" maxlength="35" autocomplete="off" value="{{ post.name|e }}">
 			</td>
 		</tr>
 		<tr>
@@ -23,7 +23,7 @@
 				{% trans %}Subject{% endtrans %}
 			</th>
 			<td>
-				<input style="float:left;" type="text" name="subject" size="25" maxlength="100" autocomplete="off" value="{{ post.subject }}">
+				<input style="float:left;" type="text" name="subject" size="25" maxlength="100" autocomplete="off" value="{{ post.subject|e }}">
 				<input accesskey="s" style="margin-left:2px;" type="submit" name="post" value="{% trans %}Update{% endtrans %}">
 			</td>
 		</tr>
diff --git a/templates/mod/search_results.html b/templates/mod/search_results.html
index 186ee5db..abaad703 100644
--- a/templates/mod/search_results.html
+++ b/templates/mod/search_results.html
@@ -224,7 +224,7 @@
 							<a class="email" href="mailto:{{ post.email }}">
 						{% endif %}
 						{% set capcode = post.capcode|capcode %}
-						<span {% if capcode.name %}style="{{ capcode.name }}" {% endif %}class="name">{{ post.name }}</span>
+						<span {% if capcode.name %}style="{{ capcode.name }}" {% endif %}class="name">{{ post.name|e }}</span>
 						{% if post.trip|length > 0 %}
 							<span {% if capcode.trip %}style="{{ capcode.trip }}" {% endif %}class="trip">{{ post.trip }}</span>
 						{% endif %}
@@ -239,7 +239,7 @@
 				</td>
 				<td style="max-width:250px">
 					{% if post.subject %}
-						<small>{{ post.subject }}</small>
+						<small>{{ post.subject|e }}</small>
 					{% else %}
 						&ndash;
 					{% endif %}