From d4baaba35fae8247715e9cb3b03c81f460bd83f8 Mon Sep 17 00:00:00 2001
From: Andrea Spacca
Date: Sun, 1 Jul 2018 14:53:28 +0200
Subject: [PATCH] Fix XSS in markdown preview
---
 server/handlers.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/server/handlers.go b/server/handlers.go
index 61791cf..6415edd 100644
--- a/server/handlers.go
+++ b/server/handlers.go
@@ -133,7 +133,8 @@ func (s *Server) previewHandler(w http.ResponseWriter, r *http.Request) {
 }
 if strings.HasPrefix(contentType, "text/x-markdown") || strings.HasPrefix(contentType, "text/markdown") {
- output := blackfriday.MarkdownCommon(data)
+ escapedData := html.EscapeString(string(data))
+ output := blackfriday.MarkdownCommon([]byte(escapedData))
 content = html_template.HTML(output)
 } else if strings.HasPrefix(contentType, "text/plain") {
 content = html_template.HTML(fmt.Sprintf("
%s
", html.EscapeString(string(data))))