From 98399c91dd86682077cf9542badbf1658fd9a8c1 Mon Sep 17 00:00:00 2001
From: Remco
Date: Fri, 19 Feb 2016 10:40:26 +0100
Subject: [PATCH] fixed xss issue in text preview
* reported by Tim / polym
---
 transfersh-server/handlers.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/transfersh-server/handlers.go b/transfersh-server/handlers.go
index 053b6ad..cc9b437 100644
--- a/transfersh-server/handlers.go
+++ b/transfersh-server/handlers.go
@@ -34,6 +34,7 @@ import (
 "compress/gzip"
 "errors"
 "fmt"
+ "html"
 html_template "html/template"
 "io"
 "io/ioutil"
@@ -102,7 +103,7 @@ func previewHandler(w http.ResponseWriter, r *http.Request) {
 output := blackfriday.MarkdownCommon(data)
 content = html_template.HTML(output)
 } else if strings.HasPrefix(contentType, "text/plain") {
- content = html_template.HTML(fmt.Sprintf("
%s
", data))
+ content = html_template.HTML(fmt.Sprintf("
%s
", html.EscapeString(string(data))))
 } else {
 templatePath = "download.sandbox.html"
 }
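Review bot: The sibling markdown branch two context lines above the changed line still casts `blackfriday.MarkdownCommon(data)` output straight to `html_template.HTML`, and as far as I recall blackfriday passes inline HTML in the document through rather than stripping it, so a markdown upload containing `<script>` or an `onerror=` attribute reaches the preview page with the same trust mark the text/plain case just lost. The `html.EscapeString` call is the right fix for the text/plain line, but the branch selection appears to hinge on `contentType`, which I infer is uploader-supplied, so the uploader picks which branch runs. The markdown branch should either run `output` through an allowlist HTML sanitizer before the `html_template.HTML` cast or fall through to the template the `else` branch uses, e.g. `templatePath = "download.sandbox.html"`. On the new text/plain line a comment such as `// data is uploader-controlled; HTML() marks the string trusted, so it must be escaped here` would keep a later edit from regressing it. The wrapping tags inside the `Sprintf` format string appear to have been stripped by page rendering, and previewHandler's body starts and ends outside this hunk.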