From d83eda6fd4fc74d5bedb1ca860c1015e7e0d3732 Mon Sep 17 00:00:00 2001
From: Florent Le Coz
Date: Tue, 8 Nov 2011 02:07:40 +0100
Subject: escape <, > and & in xhtml-im bodies.
---
 src/xhtml.py | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
(limited to 'src/xhtml.py')
diff --git a/src/xhtml.py b/src/xhtml.py
index 5eda635b..44195f90 100644
--- a/src/xhtml.py
+++ b/src/xhtml.py
@@ -16,7 +16,11 @@ import re
 import subprocess
 import curses
 from sleekxmpp.xmlstream import ET
+
+import xml.sax.saxutils
+
 from xml.etree.ElementTree import ElementTree
+
 from sys import version_info
 from config import config
@@ -401,7 +405,7 @@ def poezio_colors_to_html(string):
 while next_attr_char != -1:
 attr_char = string[next_attr_char+1].lower()
 if next_attr_char != 0:
- res += string[:next_attr_char]
+ res += xml.sax.saxutils.escape(string[:next_attr_char])
 if attr_char == 'o':
 for elem in opened_elements[::-1]:
 res += '' % (elem,)
@@ -425,7 +429,7 @@ def poezio_colors_to_html(string):
 else:
 string = string[next_attr_char+2:]
 next_attr_char = string.find('\x19')
- res += string
+ res += xml.sax.saxutils.escape(string)
 for elem in opened_elements[::-1]:
 res += '' % (elem,)
 res += "
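Review bot: The two new calls, `res += xml.sax.saxutils.escape(string[:next_attr_char])` inside the loop and `res += xml.sax.saxutils.escape(string)` after it in the last hunk, rely on `escape()`'s default behaviour, which rewrites only `&`, `<` and `>` and leaves quote characters untouched, and nothing on the new lines records that limit. That looks sufficient here because the text appears to be appended as element content, but it would not be safe if the same call were later reused for an attribute value. A comment above the first call such as `# escape() covers text nodes only (&, <, >); use quoteattr() for attribute values` would make the assumption explicit. The commit also adds no regression test; a constructed body like `a < b & c` passed through `poezio_colors_to_html` and checked for `&lt;` and `&amp;` would pin the fix. The function starts and ends outside both hunks, so how `res` is consumed afterwards cannot be confirmed from here.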

" -- cgit v1.2.3