escape html for text and content vars in MarkdownRenderTruncate

hpi-swt2 · Feb 7, 2017 · cee02da · cee02da
1 parent 6069193
commit cee02da
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
@@ -5,11 +5,11 @@
 # except paragraphs
 class MarkdownRenderTruncate < Redcarpet::Render::Base
   def paragraph(text)
-    text + ' '
+    CGI::escapeHTML(text) + ' '
   end
 
   def link(link, title, content)
-    content
+    CGI::escapeHTML(content)
   end
 end
 
@@ -50,7 +50,7 @@ def markdown(text, truncatable = false)
       autolink: true,
       superscript: true,
       disable_indented_code_blocks: true
-    }).render(strip_tags(text)).html_safe
+    }).render(text).html_safe
   end
 
   def dropdown_items