From 4ac63f9f4ecada20853021b7204f4602c78d08d5 Mon Sep 17 00:00:00 2001
From: "byte[]"
Date: Fri, 10 Jan 2020 12:43:56 -0500
Subject: [PATCH] use HTML escaping in RSS template, fixes #21
---
 lib/philomena_web/controllers/api/rss/watched_controller.ex | 4 +++-
 .../api/rss/watched/{index.rss.eex => index.html.eex} | 2 +-
 2 files changed, 4 insertions(+), 2 deletions(-)
 rename lib/philomena_web/templates/api/rss/watched/{index.rss.eex => index.html.eex} (93%)
diff --git a/lib/philomena_web/controllers/api/rss/watched_controller.ex b/lib/philomena_web/controllers/api/rss/watched_controller.ex
index 7a9a4ae8..8677e7f6 100644
--- a/lib/philomena_web/controllers/api/rss/watched_controller.ex
+++ b/lib/philomena_web/controllers/api/rss/watched_controller.ex
@@ -6,6 +6,8 @@ defmodule PhilomenaWeb.Api.Rss.WatchedController do
 def index(conn, _params) do
 {:ok, {images, _tags}} = ImageLoader.search_string(conn, "my:watched")
- render(conn, "index.rss", images: images)
+ # NB: this is RSS, but using the RSS format causes Phoenix not to
+ # escape HTML
+ render(conn, "index.html", layout: false, images: images)
 end
 end
diff --git a/lib/philomena_web/templates/api/rss/watched/index.rss.eex b/lib/philomena_web/templates/api/rss/watched/index.html.eex
similarity index 93%
rename from lib/philomena_web/templates/api/rss/watched/index.rss.eex
rename to lib/philomena_web/templates/api/rss/watched/index.html.eex
index db09534c..708cb6cc 100644
--- a/lib/philomena_web/templates/api/rss/watched/index.rss.eex
+++ b/lib/philomena_web/templates/api/rss/watched/index.html.eex
@@ -8,7 +8,7 @@ <%= for image <- @images do %>
- <%= "##{image.id} - #{image.tag_list_cache}" %>
+ #<%= image.id %> - <%= image.tag_list_cache %>
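Review bot: The new `render(conn, "index.html", layout: false, images: images)` call in `index/2` of watched_controller.ex switches the template format to `html`, and Phoenix derives the response content type from that format, so unless a content type is set somewhere outside this hunk the feed is presumably now served as `text/html` rather than an RSS/XML type. A browser would then parse the response as an HTML document on the site's origin, which leaves the escaping introduced here as the only barrier for user-controlled tag text. Setting the type explicitly keeps the escaping fix and the XML semantics: `conn |> put_resp_content_type("application/rss+xml") |> render("index.html", layout: false, images: images)`. The `# NB` comment could also state that the `.html.eex` extension is what enables escaping, so that the rename is not reverted later as a cleanup.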