escape topic title and category name

10 years ago · 5f47f2226a
parent 3deb423c55
commit 5f47f2226a
1 changed files with 2 additions and 2 deletions
--- a/src/middleware/middleware.js
+++ b/src/middleware/middleware.js
@ -212,7 +212,7 @@ middleware.buildBreadcrumbs = function(req, res, next) {
 					}

 					breadcrumbs.unshift({
-						text: data.name,
+						text: validator.escape(data.name),
 						url: nconf.get('relative_path') + '/category/' + data.slug
 					});

@ -242,7 +242,7 @@ middleware.buildBreadcrumbs = function(req, res, next) {
 	if (req.params.topic_id) {
 		topics.getTopicFields(parseInt(req.params.topic_id, 10), ['cid', 'title', 'slug'], function(err, data) {
 			breadcrumbs.unshift({
-				text: data.title,
+				text: validator.escape(data.title),
 				url: nconf.get('relative_path') + '/topic/' + data.slug
 			});