From 0fcc1bc04d8e293a1a200aba344fc103d2f14f46 Mon Sep 17 00:00:00 2001
From: Azareal <azareal@users.noreply.github.com>
Date: Sat, 30 Dec 2017 10:07:57 +0000
Subject: [PATCH] Escaping should work properly now.

---
 common/parser.go |  2 +-
 common/topic.go  |  5 ++++-
 mod_routes.go    | 10 ++++------
 3 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/common/parser.go b/common/parser.go
index 75989c63..8c268291 100644
--- a/common/parser.go
+++ b/common/parser.go
@@ -165,7 +165,7 @@ func shortcodeToUnicode(msg string) string {
 	return msg
 }
 
-// TODO: Write a test for this
+// TODO: Write tests for this
 func PreparseMessage(msg string) string {
 	msg = strings.Replace(msg, "<p><br>", "\n\n", -1)
 	msg = strings.Replace(msg, "<p>", "\n\n", -1)
diff --git a/common/topic.go b/common/topic.go
index 113d9c18..6784bb75 100644
--- a/common/topic.go
+++ b/common/topic.go
@@ -8,6 +8,7 @@ package common
 
 import (
 	"database/sql"
+	"html"
 	"html/template"
 	"strconv"
 	"time"
@@ -235,8 +236,10 @@ func (topic *Topic) Delete() error {
 	return err
 }
 
+// TODO: Write tests for this
 func (topic *Topic) Update(name string, content string) error {
-	content = PreparseMessage(content)
+	name = html.EscapeString(html.UnescapeString(name))
+	content = PreparseMessage(html.UnescapeString(content))
 	parsedContent := ParseMessage(content, topic.ParentID, "forums")
 	_, err := topicStmts.edit.Exec(name, content, parsedContent, topic.ID)
 	topic.cacheRemove()
diff --git a/mod_routes.go b/mod_routes.go
index 10265c2e..2c223c59 100644
--- a/mod_routes.go
+++ b/mod_routes.go
@@ -4,6 +4,7 @@ import (
 	//"log"
 	//"fmt"
 	"encoding/json"
+	"html"
 	"log"
 	"net/http"
 	"strconv"
@@ -43,10 +44,7 @@ func routeEditTopic(w http.ResponseWriter, r *http.Request, user common.User) co
 		return common.NoPermissionsJSQ(w, r, user, isJs)
 	}
 
-	topicName := r.PostFormValue("topic_name")
-	topicContent := common.PreparseMessage(r.PostFormValue("topic_content"))
-	// TODO: Fully parse the post and store it in the parsed column
-	err = topic.Update(topicName, topicContent)
+	err = topic.Update(r.PostFormValue("topic_name"), r.PostFormValue("topic_content"))
 	if err != nil {
 		return common.InternalErrorJSQ(err, w, r, isJs)
 	}
@@ -352,7 +350,7 @@ func routeReplyEditSubmit(w http.ResponseWriter, r *http.Request, user common.Us
 		return common.NoPermissionsJSQ(w, r, user, isJs)
 	}
 
-	content := common.PreparseMessage(r.PostFormValue("edit_item"))
+	content := common.PreparseMessage(html.UnescapeString(r.PostFormValue("edit_item")))
 	_, err = stmts.editReply.Exec(content, common.ParseMessage(content, fid, "forums"), rid)
 	if err != nil {
 		return common.InternalErrorJSQ(err, w, r, isJs)
@@ -457,7 +455,7 @@ func routeProfileReplyEditSubmit(w http.ResponseWriter, r *http.Request, user co
 		return common.NoPermissionsJSQ(w, r, user, isJs)
 	}
 
-	content := common.PreparseMessage(r.PostFormValue("edit_item"))
+	content := common.PreparseMessage(html.UnescapeString(r.PostFormValue("edit_item")))
 	_, err = stmts.editProfileReply.Exec(content, common.ParseMessage(content, 0, ""), rid)
 	if err != nil {
 		return common.InternalErrorJSQ(err, w, r, isJs)