From ef3c83b53a651af2d9d9f10feadee5795ca13cbf Mon Sep 17 00:00:00 2001
From: 8chan <admin@8chan.co>
Date: Fri, 23 Jan 2015 02:29:55 -0800
Subject: [PATCH] SECURITY / XSS : Stop XSS in post subjects displayed in
 catalog

git blame says czaks forgot an |e in catalog.html, this means that anyone posting a new thread with HTML in the subject field or name field can arbitrarily insert it into the page.
---
 templates/themes/catalog/catalog.html | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/templates/themes/catalog/catalog.html b/templates/themes/catalog/catalog.html
index 446e2304..82383364 100644
--- a/templates/themes/catalog/catalog.html
+++ b/templates/themes/catalog/catalog.html
@@ -46,14 +46,14 @@
 						{% else %}
 							<img src="{{post.file}}" 
 						{% endif %}
-                                                 id="img-{{ post.id }}" data-subject="{% if post.subject %}{{ post.subject }}{% endif %}" data-name="{{ post.name }}" data-muhdifference="{{ post.muhdifference }}" data-last-reply="{% if post.last_reply %}{{ post.last_reply }}{% endif %}" data-last-subject="{% if post.last_reply_subject %}{{ post.last_reply_subject }}{% endif %}" data-last-name="{% if post.last_reply %}{{ post.last_reply_name }}{% endif %}" data-last-difference="{% if post.last_reply %}{{ post.last_reply_difference }}{% endif %}" class="{{post.board}} thread-image" title="{{post.bump|date('%b %d %H:%M')}}">
+                                                 id="img-{{ post.id }}" data-subject="{% if post.subject %}{{ post.subject|e }}{% endif %}" data-name="{{ post.name|e }}" data-muhdifference="{{ post.muhdifference }}" class="{{post.board}} thread-image" title="{{post.bump|date('%b %d %H:%M')}}">
                                         </a>
                                                 <div class="replies">
                                                         <strong>R: {{ post.reply_count }} / I: {{ post.image_count }}</strong>
                                                         {% if post.subject %}
 								<p class="intro">
 									<span class="subject">
-										{{ post.subject }}
+										{{ post.subject|e }}
 									</span>
 								</p>
 							{% else %}