From ad2d5dd284dc733a5fbd2a9f60c30fa1b7a0da73 Mon Sep 17 00:00:00 2001
From: Marvin Borner
Date: Sat, 10 Oct 2020 11:37:35 +0200
Subject: Fixed HTML injection and middlename spaces
---
 quotes/index.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'quotes/index.js')
diff --git a/quotes/index.js b/quotes/index.js
index 5aa0646..0e0717b 100644
--- a/quotes/index.js
+++ b/quotes/index.js
@@ -11,7 +11,7 @@ app.post("/api/add", checkUser, async (req, res) => {
 await db.query("INSERT INTO quotes (user_id, author_id, quote) VALUE (?,?,?)", [
 req.session.uid,
 parseInt(req.body.author),
- req.body.quote,
+ req.body.quote.replace(//g, ">"),
 ]);
 res.redirect("/quotes");
 } catch (e) {
-- cgit v1.2.3
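Review bot: Encoding the quote at insert time on the `req.body.quote.replace(...)` line protects only rows written through this handler, and only in an HTML text context; rows already in the table and any other write path to `quotes` would still be rendered unescaped. The replace pattern is not fully legible on this page (it shows as `replace(//g, ">")`), but a chain that handles only angle brackets leaves `&`, `"` and `'` alone, which matters if the quote is ever placed inside an attribute value. I would store the value as submitted (`req.body.quote,`) and escape where it is written into the page, for example by assigning it with `textContent` or through the template engine's auto-escaping; the rendering code is outside this hunk, so that part is inferred. A `typeof req.body.quote === "string"` check before the query would also keep a missing or array-valued field from reaching `.replace`, although the surrounding `try` does appear to catch the resulting TypeError. The handler body starts and ends outside the hunk.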