From 89859e45eaaa450710d4201b51ce2efef583c774 Mon Sep 17 00:00:00 2001
From: Leandro Lucarella
Date: Wed, 6 Aug 2008 17:24:56 -0300
Subject: [PATCH 1/1] Properly translate HTML entities in user inputs when rendering

---
 blitiri.cgi | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/blitiri.cgi b/blitiri.cgi
index 75e1a0c..4552ed1 100755
--- a/blitiri.cgi
+++ b/blitiri.cgi
@@ -202,7 +202,7 @@ div.section h1 {
 """
-# helper function
+# helper functions
 def rst_to_html(rst):
     settings = {
         'input_encoding': encoding,
@@ -212,6 +212,12 @@ def rst_to_html(rst):
             writer_name = "html")
     return parts['body'].encode('utf8')
+def sanitize(obj):
+    if isinstance(obj, basestring):
+        return cgi.escape(obj, True)
+    return obj
+
+
 # find out our URL, needed for syndication
 try:
     n = os.environ['SERVER_NAME']
@@ -358,8 +364,8 @@ class Article (object):
     def to_vars(self):
         return {
-            'arttitle': self.title,
-            'author': self.author,
+            'arttitle': sanitize(self.title),
+            'author': sanitize(self.author),
             'date': self.created.isoformat(' '),
             'uuid': self.uuid,
             'tags': self.get_tags_links(),
@@ -389,7 +395,7 @@ class Article (object):
         tags.sort()
         for t in tags:
             l.append('%s' % \
-                (blog_url, urllib.quote(t), t) )
+                (blog_url, urllib.quote(t), sanitize(t) ))
         return ', '.join(l)
-- 
2.43.0
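Review bot: `cgi.escape(obj, True)` in the new `sanitize` escapes `&`, `<`, `>` and `"` but leaves the single quote untouched, so a value that the templates place inside a single-quoted attribute is still not neutralised; the templates are outside this hunk, so whether that case exists cannot be confirmed here, but the cheap defensive form is `return cgi.escape(obj, True).replace("'", '&#39;')`. The function also silently passes any non-string through, which is intended for the `isoformat` date but makes it easy to forget that a list or object field gets no escaping at all; a docstring such as `"""Return obj HTML-escaped if it is a string; any other value is returned unchanged."""` would make that contract explicit. `basestring` and `cgi.escape` are Python 2 names, consistent with the rest of the file as shown.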
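Review bot: In `to_vars` only `arttitle` and `author` are wrapped, while `'uuid': self.uuid` still goes into the template raw; `date` is produced by `isoformat` and is safe, but where `uuid` comes from is outside the hunk, and if it is read from the article file like the title it deserves the same treatment, `'uuid': sanitize(self.uuid),`. The dictionary continues past the hunk, so the remaining keys should be checked with the same question in mind. The same concern does not apply to the `get_tags_links` hunk, where `urllib.quote(t)` covers the href and `sanitize(t)` the link text.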