From bad01d40a2c9354573bfe1c4b9d33a05ffbe9b0f Mon Sep 17 00:00:00 2001
From: Florian Orben <florian.orben@gmail.com>
Date: Wed, 28 Oct 2015 19:36:34 +0100
Subject: escape user input

---
 web/react/utils/markdown.jsx | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'web')

diff --git a/web/react/utils/markdown.jsx b/web/react/utils/markdown.jsx
index b5d239eb5..84690150a 100644
--- a/web/react/utils/markdown.jsx
+++ b/web/react/utils/markdown.jsx
@@ -108,13 +108,13 @@ class MattermostMarkdownRenderer extends marked.Renderer {
     code(code, language) {
         if (!language || highlightJs.listLanguages().indexOf(language) < 0) {
             let parsed = super.code(code, language);
-            return '<code class="hljs">' + $(parsed).text() + '</code>';
+            return '<div class="post-body--code"><code class="hljs">' + TextFormatting.sanitizeHtml($(parsed).text()) + '</code></div>';
         }
 
         let parsed = highlightJs.highlight(language, code);
         return '<div class="post-body--code">' +
             '<span class="post-body--code__language">' + HighlightedLanguages[language] + '</span>' +
-            '<code style="white-space: pre;" class="hljs">' + parsed.value + '</code>' +
+            '<code class="hljs">' + parsed.value + '</code>' +
             '</div>';
     }
 
-- 
cgit v1.2.3-1-g7c22