From df9783e5923a4a0877908e356c05935f922ff7e3 Mon Sep 17 00:00:00 2001
From: Sean Grove
Date: Wed, 11 Apr 2012 18:27:52 -0700
Subject: [PATCH] Escape incoming messages before any processes to avoid any malicious hijinks

---
 app/assets/javascripts/backbone/views/show_activity.js.coffee | 1 +
 1 file changed, 1 insertion(+)

diff --git a/app/assets/javascripts/backbone/views/show_activity.js.coffee b/app/assets/javascripts/backbone/views/show_activity.js.coffee
index 2a2b43a4..3dadc61f 100644
--- a/app/assets/javascripts/backbone/views/show_activity.js.coffee
+++ b/app/assets/javascripts/backbone/views/show_activity.js.coffee
@@ -7,6 +7,7 @@ class Kandan.Views.ShowActivity extends Backbone.View
 activity = @options.activity.toJSON()
 activity.created_at = Kandan.Helpers.Utils.time_to_string(new Date(activity.created_at))
 console.log("Rendering activity:")
+ activity.content = _.escape(activity.content)
 console.log(activity)
 if activity.action != "message"
 @compiled_template = JST['user_notification']({activity: activity})
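Review bot: The escape on the added line `activity.content = _.escape(activity.content)` only covers this one rendering path, so whether it actually prevents injection depends on the templates that consume `activity` (`JST['user_notification']` here and, presumably, the message template in the branch beyond the hunk): if a template interpolates `content` through an escaping tag the text is double-encoded (`&` becomes `&amp;amp;`), and if it places `content` in an `href` or script context `_.escape` does not make it safe, so that contract should be written down and checked in the templates. Depending on the Underscore version in use, `_.escape` on a missing `content` may yield the literal string `"undefined"` or `"null"` rather than an empty string, which matters for non-message activities that may carry no content; guarding the call, `activity.content = _.escape(activity.content) if activity.content?`, avoids that. A one-line comment above the assignment would keep the intent visible to template authors, e.g. `# content is user-supplied: escaped here exactly once, so templates must insert it raw (no second escape)`. The enclosing method starts before line 7 and continues past the hunk.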