From 155d905898dc4281915c3f0796db418c8e33666f Mon Sep 17 00:00:00 2001
From: Morten Delenk
Date: Sun, 12 Jun 2016 18:53:03 +0200
Subject: [PATCH] HTML INJECTIONS!!

---
 comments.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/comments.py b/comments.py
index d25728c..755d71b 100755
--- a/comments.py
+++ b/comments.py
@@ -21,7 +21,7 @@ try:
     username=form["username"].value
     message=form["message"].value
     timestamp=int(time.time())
-    data={"name":form["title"],"markdown":message,"author":username,"date":timestamp}
+    data={"name":cgi.escape(form["title"]),"markdown":cgi.escape(message),"author":cgi.escape(username),"date":timestamp}
     storage.append("comments-%i"%aid,data)
 except KeyError:
     pass
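Review bot: The added line still passes `form["title"]` without `.value`, unlike the `username` and `message` lines above it, so `cgi.escape` receives a field object rather than a string and the `.replace` call inside it raises AttributeError, which the surrounding `except KeyError` does not catch. `cgi.escape` also leaves `"` and `'` untouched by default, so a value later placed into an attribute context is still injectable; the line should read `data={"name":cgi.escape(form["title"].value,quote=True),"markdown":cgi.escape(message,quote=True),"author":cgi.escape(username,quote=True),"date":timestamp}`. Escaping at storage time rather than at render time also means the stored "markdown" field is no longer the text the user submitted and will be double-encoded if the renderer escapes again; consider documenting that choice with a comment such as `# values are stored HTML-escaped; renderer must not escape them a second time`. The `try:` that encloses these lines starts outside the hunk.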