|
|
@@ -27,10 +27,23 @@ pub async fn render(db: &DbClient, user: &str) -> String {
|
|
|
notification
|
|
|
.short_description
|
|
|
.as_ref()
|
|
|
- .unwrap_or(¬ification.origin_url),
|
|
|
+ .unwrap_or(¬ification.origin_url)
|
|
|
+ .replace('&', "&")
|
|
|
+ .replace('<', "<")
|
|
|
+ .replace('>', ">")
|
|
|
+ .replace('"', """)
|
|
|
+ .replace('\'', "'"),
|
|
|
));
|
|
|
if let Some(metadata) = ¬ification.metadata {
|
|
|
- out.push_str(&format!("<ul><li>{}</li></ul>", metadata));
|
|
|
+ out.push_str(&format!(
|
|
|
+ "<ul><li>{}</li></ul>",
|
|
|
+ metadata
|
|
|
+ .replace('&', "&")
|
|
|
+ .replace('<', "<")
|
|
|
+ .replace('>', ">")
|
|
|
+ .replace('"', """)
|
|
|
+ .replace('\'', "'"),
|
|
|
+ ));
|
|
|
}
|
|
|
out.push_str("</li>");
|
|
|
}
|
Mark Rousskov