Fix XSS attack (again)

Now escaping only for slashes, since HTML is apparently case insensitive and using a script closing tag that wasn't entirely lowercase bypassed the earlier fix.
This commit is contained in:
Schrottkatze 2023-03-09 20:05:57 +01:00
parent c83a775ac2
commit 181ebb3a63

View file

@ -155,7 +155,7 @@ impl Pasta {
self.content
.replace('`', "\\`")
.replace('$', "\\$")
.replace("</script", "<\\/script")
.replace('/', "\\/")
}
}