Escape user-provided text in fast_html rendering (#888)

[vjpixel]

fast_html does not escape text or attribute values, yet every as_html() / as_html_thumbnail() output is rendered with | safe in the jinja2 templates — so a malicious title like " onerror="alert(1) or <script>...</script> would inject HTML/JS.

Wrap user-controlled strings (title, author, name, slug, username) with django.utils.html.escape() in Sound, Marker, Object, and Exhibit before passing them to fast_html. Also remove | safe from post.excerpt in post_preview.jinja2 — excerpt is a plain TextField, so default jinja autoescaping is the correct behavior. (Post.formatted_body is separately sanitized by ProseEditor, so it stays as-is.)

Closes #888

https://claude.ai/code/session_01XC1THLWgnGXGf5wgRhdyvB

---

Generated by Claude Code

[vjpixel]

Self-review

Verdict: ✅

fast_html does not escape attribute values or text content — verified directly:

>>> render(span('<script>alert(1)</script>'))
'<span><script>alert(1)</script></span>'
>>> render(img(title='<script>alert(1)</script>', src='x'))
'<img title="<script>alert(1)</script>" src="x">'

Combined with | safe on every as_html()/as_html_thumbnail() consumer in jinja2, this was a real attribute-injection / inline-script XSS waiting on someone with a malicious title.

Scope:

• Sound.as_html/as_html_thumbnail, Marker.as_html, Object.as_html, Exhibit.as_html_thumbnail — all user-controlled strings (title, name, slug, username) wrapped in escape().
• post.excerpt was rendered with | safe in post_preview.jinja2 despite being a plain TextField — | safe removed.
• post.formatted_body left alone — already sanitized by ProseEditor(sanitize=True).
• used_in_html_string() and other internal compositions left alone — no user input.

Verified: escape() produces <script>...</script> in both attribute and text positions, defusing the injection.

Unique: No duplicate PR.

---

Generated by Claude Code