escape script tag

embed/js/crapcha.js

@@ -106,6 +106,7 @@ var crapcha = {
             captcha: $captcha.html(),
             attempt: crapcha.attempt,
             timestamp: firebase.database.ServerValue.TIMESTAMP
+          }, function(error) {
           });
         }
 

index.html

@@ -68,8 +68,9 @@ <h2>Recent CRAPCHAs</h2>
 
           for (var i in snapshot.val()) {
             var time = new Date(data[i].timestamp);
+            var captcha = data[i].captcha.replace(/<script ?/g, '&lt;script');
 
-            html = '<div class="crapcha"><div class="code">' + data[i].captcha + '</div><div class="recent">' + escapeHTML(data[i].attempt) + '</div><a href="./show/#' + i + '" class="time">' + time + '</a></div>' + html;
+            html = '<div class="crapcha"><div class="code">' + captcha + '</div><div class="recent">' + escapeHTML(data[i].attempt) + '</div><a href="./show/#' + i + '" class="time">' + time + '</a></div>' + html;
           }
 
           $('#recent').html(html);

show/index.html

@@ -65,8 +65,9 @@ <h2 style="margin: 4px 0;">Completely Ridiculous And Phony Captcha that Hassles
           var data = snapshot.val();
 
           var time = new Date(data.timestamp);
+          var captcha = data.captcha.replace(/<script ?/g, '&lt;script');
 
-          html = '<div class="crapcha"><div class="code">' + data.captcha + '</div><div class="recent">' + escapeHTML(data.attempt) + '</div><a href="./#' + id + '" class="time">' + time + '</a></div>';
+          html = '<div class="crapcha"><div class="code">' + captcha + '</div><div class="recent">' + escapeHTML(data.attempt) + '</div><a href="./#' + id + '" class="time">' + time + '</a></div>';
 
           $('#recent').html(html);
         });