From 980d067bf3b2cc22e61405c3e9619c1a49027805 Mon Sep 17 00:00:00 2001
From: Krytarik Raido <krytarik@gmail.com>
Date: Tue, 29 Jun 2021 04:56:04 +0200
Subject: [PATCH] HTML-escape logs on web page.

---
 server.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/server.py b/server.py
index ca41aea..7ac02af 100644
--- a/server.py
+++ b/server.py
@@ -181,7 +181,8 @@ class MyHandler(http.server.BaseHTTPRequestHandler):
 								body.append('<ul>')
 								for line in log.split('\n'):
 									if line != '':
-										body.append('<li>%s</li>' % line)
+										body.append('<li>%s</li>' % line.replace(
+											'&','&amp;').replace('<','&lt;').replace('>','&gt;').replace('"','&quot;'))
 								body.append('</ul>')
 					c.execute("""SELECT oper,at,comment FROM comments WHERE ban_id=?""",(id,))
 					r = c.fetchall()