From 23d47fa6d24db90275623cdd7d0ae113ce3e98fe Mon Sep 17 00:00:00 2001
From: flashwave <me@flash.moe>
Date: Thu, 7 Nov 2024 00:33:42 +0000
Subject: [PATCH] Ensure content passed to the parse_text filter is escaped.

---
 templates/changelog/change.twig   | 2 +-
 templates/home/landing.twig       | 2 +-
 templates/manage/users/note.twig  | 2 +-
 templates/manage/users/notes.twig | 4 ++--
 templates/news/macros.twig        | 4 ++--
 templates/profile/index.twig      | 4 ++--
 6 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/templates/changelog/change.twig b/templates/changelog/change.twig
index 27fe5ab..c74c392 100644
--- a/templates/changelog/change.twig
+++ b/templates/changelog/change.twig
@@ -60,7 +60,7 @@
             <h1>{{ title }}</h1>
 
             {% if change_info.hasBody %}
-                {{ change_info.body|parse_text(2)|raw }}
+                {{ change_info.body|escape|parse_text(2)|raw }}
             {% else %}
                 <p>This change has no additional notes.</p>
             {% endif %}
diff --git a/templates/home/landing.twig b/templates/home/landing.twig
index c4af728..9ffcef4 100644
--- a/templates/home/landing.twig
+++ b/templates/home/landing.twig
@@ -169,7 +169,7 @@
 {% for post in featured_news %}
             <div class="landingv2-news-post markdown">
                 <h1>{{ post.title }}</h1>
-                <p>{{ post.firstParagraph|parse_text(2)|raw }}</p>
+                <p>{{ post.firstParagraph|escape|parse_text(2)|raw }}</p>
                 <div class="landingv2-news-post-options">
                     <a href="{{ url('news-post', {'post': post.id}) }}" class="landingv2-news-post-option">Continue reading</a>
                     | <time datetime="{{ post.createdTime|date('c') }}" title="{{ post.createdTime|date('r') }}">{{ post.createdTime|time_format }}</time>
diff --git a/templates/manage/users/note.twig b/templates/manage/users/note.twig
index 027d30e..c039e09 100644
--- a/templates/manage/users/note.twig
+++ b/templates/manage/users/note.twig
@@ -57,7 +57,7 @@
 
             {% if not note_new and note_info.hasBody %}
                 <div class="manage__note__body markdown manage__note--viewing">
-                    {{ note_info.body|parse_text(2)|raw }}
+                    {{ note_info.body|escape|parse_text(2)|raw }}
                 </div>
             {% else %}
                 <div class="manage__note__nobody manage__note--viewing">
diff --git a/templates/manage/users/notes.twig b/templates/manage/users/notes.twig
index 110c9eb..e0aebf2 100644
--- a/templates/manage/users/notes.twig
+++ b/templates/manage/users/notes.twig
@@ -71,9 +71,9 @@
                 {% if note.info.hasBody %}
                     <div class="manage__notes__item__body markdown">
                         {% if notes_filtering %}
-                            {{ note.info.body|parse_text(2)|raw }}
+                            {{ note.info.body|escape|parse_text(2)|raw }}
                         {% else %}
-                            {{ note.info.firstParagraph|parse_text(2)|raw }}
+                            {{ note.info.firstParagraph|escape|parse_text(2)|raw }}
                         {% endif %}
                     </div>
                 {% else %}
diff --git a/templates/news/macros.twig b/templates/news/macros.twig
index f4164f4..3ad44c7 100644
--- a/templates/news/macros.twig
+++ b/templates/news/macros.twig
@@ -36,7 +36,7 @@
         </div>
         <div class="news__preview__content markdown">
             <div class="news__preview__text">
-                {{ post.post.firstParagraph|parse_text(2)|raw }}
+                {{ post.post.firstParagraph|escape|parse_text(2)|raw }}
             </div>
             <div class="news__preview__links">
                 <a href="{{ url('news-post', {'post': post.post.id}) }}" class="news__preview__link">Continue reading</a>
@@ -91,7 +91,7 @@
 
         <div class="news__post__text markdown">
             <h1>{{ post.title }}</h1>
-            {{ post.body|parse_text(2)|raw }}
+            {{ post.body|escape|parse_text(2)|raw }}
         </div>
     </div>
 {% endmacro %}
diff --git a/templates/profile/index.twig b/templates/profile/index.twig
index b57fbea..5f0df69 100644
--- a/templates/profile/index.twig
+++ b/templates/profile/index.twig
@@ -271,7 +271,7 @@
                                     </div>
                                 {% else %}
                                     <div class="profile__about__content{% if profile_is_editing %} profile__about__content--edit{% elseif profile_user.aboutParser == constant('\\Misuzu\\Parsers\\Parser::MARKDOWN') %} markdown{% endif %}">
-                                        {{ profile_user.aboutContent|parse_text(profile_user.aboutParser)|raw }}
+                                        {{ profile_user.aboutContent|escape|parse_text(profile_user.aboutParser)|raw }}
                                     </div>
                                 {% endif %}
                             </div>
@@ -288,7 +288,7 @@
                                     </div>
                                 {% else %}
                                     <div class="profile__signature__content{% if profile_is_editing %} profile__signature__content--edit{% elseif profile_user.signatureParser == constant('\\Misuzu\\Parsers\\Parser::MARKDOWN') %} markdown{% endif %}">
-                                        {{ profile_user.signatureContent|parse_text(profile_user.signatureParser)|raw }}
+                                        {{ profile_user.signatureContent|escape|parse_text(profile_user.signatureParser)|raw }}
                                     </div>
                                 {% endif %}
                             </div>