From 1659176c0d49c51cb2e20e2a4c1e823ffb2c6446 Mon Sep 17 00:00:00 2001
From: rnhmjoj <rnhmjoj@inventati.org>
Date: Sat, 21 Sep 2019 01:38:17 +0200
Subject: [PATCH] escape html before parsing commonmark

---
 src/Utils.cpp | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/src/Utils.cpp b/src/Utils.cpp
index 5c664b7c..8c02b1c2 100644
--- a/src/Utils.cpp
+++ b/src/Utils.cpp
@@ -324,10 +324,25 @@ utils::linkifyMessage(const QString &body)
         return doc;
 }
 
+QByteArray escapeRawHtml(const QByteArray &data) {
+      QByteArray buffer;
+      const size_t length = data.size();
+      buffer.reserve(length);
+      for(size_t pos = 0; pos != length; ++pos) {
+            switch(data.at(pos)) {
+                  case '&':  buffer.append("&amp;");      break;
+                  case '<':  buffer.append("&lt;");       break;
+                  case '>':  buffer.append("&gt;");       break;
+                  default:   buffer.append(data.at(pos)); break;
+            }
+      }
+     return buffer;
+}
+
 QString
 utils::markdownToHtml(const QString &text)
 {
-        const auto str = text.toUtf8();
+        const auto str = escapeRawHtml(text.toUtf8());
         const char *tmp_buf =
           cmark_markdown_to_html(str.constData(), str.size(), CMARK_OPT_DEFAULT);