From 4f9717fb08cc0dd3d49e6a89e5ed16ebe4a6f2b0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bar=C4=B1=C5=9F=20Soner=20U=C5=9Fakl=C4=B1?=
 <barisusakli@gmail.com>
Date: Thu, 7 Oct 2021 15:20:41 -0400
Subject: [PATCH] fix: escape thumbs, allow robots meta tag

---
 public/src/ajaxify.js | 2 +-
 src/topics/thumbs.js  | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/public/src/ajaxify.js b/public/src/ajaxify.js
index 26576dabbd..2ee4836fb6 100644
--- a/public/src/ajaxify.js
+++ b/public/src/ajaxify.js
@@ -223,7 +223,7 @@ ajaxify = window.ajaxify || {};
 	}
 
 	function updateTags() {
-		var metaWhitelist = ['title', 'description', /og:.+/, /article:.+/].map(function (val) {
+		var metaWhitelist = ['title', 'description', /og:.+/, /article:.+/, 'robots'].map(function (val) {
 			return new RegExp(val);
 		});
 		var linkWhitelist = ['canonical', 'alternate', 'up'];
diff --git a/src/topics/thumbs.js b/src/topics/thumbs.js
index 48520d4f81..cd0a93f3cd 100644
--- a/src/topics/thumbs.js
+++ b/src/topics/thumbs.js
@@ -64,7 +64,8 @@ async function getThumbs(set) {
 	if (cached !== undefined) {
 		return cached.slice();
 	}
-	const thumbs = await db.getSortedSetRange(set, 0, -1);
+	let thumbs = await db.getSortedSetRange(set, 0, -1);
+	thumbs = thumbs.map(t => validator.escape(String(t)));
 	cache.set(set, thumbs);
 	return thumbs.slice();
 }