From ecd241e142c5662af50ad98efa54f07ac2443218 Mon Sep 17 00:00:00 2001 From: "W. Trevor King" Date: Wed, 17 Oct 2012 18:41:59 -0400 Subject: [PATCH] gallery.py: escape XML chars (<, &, and >) in caption paragraphs. --- posts/gallery/gallery.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/posts/gallery/gallery.py b/posts/gallery/gallery.py index 806af0e..8c7da07 100755 --- a/posts/gallery/gallery.py +++ b/posts/gallery/gallery.py @@ -52,6 +52,7 @@ import os.path as _os_path import random as _random import re as _re import subprocess as _subprocess +import xml.sax.saxutils as _xml_sax_saxutils __version__ = '0.5' @@ -426,6 +427,7 @@ class CGIGalleryServer (object): else: content.append(img) if caption: + caption = _xml_sax_saxutils.escape(caption) content.append('

{}

'.format(caption)) return content -- 2.26.2
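Review bot: `_xml_sax_saxutils.escape(caption)` with no extra entity map converts only `&`, `<` and `>`, which is sufficient here because `caption` is formatted into element content (the paragraph wrapper in the appended string is not visible in this rendering), but it leaves `"` and `'` untouched, so the same call would not be adequate if `caption` were ever placed inside an attribute value; a comment on the added line such as `# element-content escaping only; attribute values need quoteattr()` would record that boundary. Rebinding `caption` also means any later use of the name in this method now sees the escaped text, so it is worth confirming nothing downstream escapes it a second time. It is not visible whether `img`, appended on the line just above, is built from file names or other user-controlled strings; if it is, it needs the same treatment. The enclosing method begins outside the hunk.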