use HTML escaping in RSS template, fixes #21

byte[] 2020-01-10 12:43:56 -05:00
parent d2ad52da93
commit 4ac63f9f4e
2 changed files with 4 additions and 2 deletions


@ -6,6 +6,8 @@ defmodule PhilomenaWeb.Api.Rss.WatchedController do
def index(conn, _params) do def index(conn, _params) do
{:ok, {images, _tags}} = ImageLoader.search_string(conn, "my:watched") {:ok, {images, _tags}} = ImageLoader.search_string(conn, "my:watched")
render(conn, "index.rss", images: images) # NB: this is RSS, but using the RSS format causes Phoenix not to
# escape HTML
render(conn, "index.html", layout: false, images: images)
end end
end end
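Review bot: Rendering `"index.html"` in `index/2` makes Phoenix default the response content type to `text/html`, so unless a plug outside this hunk sets the header, the feed is no longer served as RSS. A browser opening the URL directly would then parse the body as HTML, which leaves the template's escaping as the only barrier for tag text. Phoenix keeps a content type that is already set on the conn, so the call can become `conn |> put_resp_content_type("application/rss+xml") |> render("index.html", layout: false, images: images)`. The NB comment could also state that the template must stay `.html` because the escaping depends on it, so a later rename back to `.rss` does not silently reintroduce the issue from #21. The enclosing `defmodule` starts outside the hunk.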


@ -8,7 +8,7 @@
<%= for image <- @images do %> <%= for image <- @images do %>
<item> <item>
<title><%= "##{image.id} - #{image.tag_list_cache}" %></title> <title>#<%= image.id %> - <%= image.tag_list_cache %></title>
<description> <description>
<![CDATA[ <![CDATA[
<% mouseovertext = "Size: #{image.image_width}x#{image.image_height} | Tagged: #{image.tag_list_cache}" %> <% mouseovertext = "Size: #{image.image_width}x#{image.image_height} | Tagged: #{image.tag_list_cache}" %>