From 14cd6c829c8de258135e0b8b15ff6758b4c97434 Mon Sep 17 00:00:00 2001
From: syeopite <syeopite@syeopite.dev>
Date: Sat, 26 Jun 2021 19:20:50 -0700
Subject: [PATCH] Escape (some) channel names in frontend

---
 src/invidious/comments.cr                                     | 4 ++--
 src/invidious/views/channel/featured_channels.ecr             | 4 ++--
 .../views/components/channels/channel-information.ecr         | 2 +-
 src/invidious/views/edit_playlist.ecr                         | 2 +-
 src/invidious/views/playlist.ecr                              | 4 ++--
 src/invidious/views/subscription_manager.ecr                  | 2 +-
 src/invidious/views/watch.ecr                                 | 2 +-
 7 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/src/invidious/comments.cr b/src/invidious/comments.cr
index 81d6ac2b..0b4a530e 100644
--- a/src/invidious/comments.cr
+++ b/src/invidious/comments.cr
@@ -320,7 +320,7 @@ def template_youtube_comments(comments, locale, thin_mode, is_replies = false)
         <div class="pure-u-20-24 pure-u-md-22-24">
           <p>
             <b>
-              <a class="#{child["authorIsChannelOwner"] == true ? "channel-owner" : ""}" href="#{child["authorUrl"]}">#{child["author"]}</a>
+              <a class="#{child["authorIsChannelOwner"] == true ? "channel-owner" : ""}" href="#{child["authorUrl"]}">#{HTML.escape(child["author"].to_s)}</a>
             </b>
             <p style="white-space:pre-wrap">#{child["contentHtml"]}</p>
       END_HTML
@@ -458,7 +458,7 @@ def template_reddit_comments(root, locale)
         html << <<-END_HTML
         <p>
           <a href="javascript:void(0)" data-onclick="toggle_parent">[ - ]</a>
-          <b><a href="https://www.reddit.com/user/#{child.author}">#{child.author}</a></b>
+          <b><a href="https://www.reddit.com/user/#{child.author}">#{HTML.escape(child.author)}</a></b>
           #{translate(locale, "`x` points", number_with_separator(child.score))}
           <span title="#{child.created_utc.to_s(translate(locale, "%a %B %-d %T %Y UTC"))}">#{translate(locale, "`x` ago", recode_date(child.created_utc, locale))}</span>
           <a href="https://www.reddit.com#{child.permalink}" title="#{translate(locale, "permalink")}">#{translate(locale, "permalink")}</a>
diff --git a/src/invidious/views/channel/featured_channels.ecr b/src/invidious/views/channel/featured_channels.ecr
index 2829c780..c9c5ad46 100644
--- a/src/invidious/views/channel/featured_channels.ecr
+++ b/src/invidious/views/channel/featured_channels.ecr
@@ -37,7 +37,7 @@
                                         <% end %>
                                     </a>
                                     <div class="featured-channel-about">
-                                        <p class="featured-channel-title"><a href="/channel/<%= item.ucid %>"><%= item.author %></a></p>
+                                        <p class="featured-channel-title"><a href="/channel/<%= item.ucid %>"><%= HTML.escape(item.author) %></a></p>
                                         <div class="featured-channel-metadata">
                                             <p><%= translate(locale, "`x` subscribers", number_with_separator(item.subscriber_count)) %></p>
                                             <p><%= translate(locale, "`x` videos", number_with_separator(item.video_count)) %></p>
@@ -63,7 +63,7 @@
                                     <% end %>
                                 </a>
                                 <div class="featured-channel-about">
-                                    <p class="featured-channel-title"><a href="/channel/<%= item.ucid %>"><%= item.author %></a></p>
+                                    <p class="featured-channel-title"><a href="/channel/<%= item.ucid %>"><%= HTML.escape(item.author) %></a></p>
                                     <div class="featured-channel-metadata">
                                         <span><%= translate(locale, "`x` subscribers", number_with_separator(item.subscriber_count)) %></span>
                                         <span class="seperator"> | </span>
diff --git a/src/invidious/views/components/channels/channel-information.ecr b/src/invidious/views/components/channels/channel-information.ecr
index 435c27fe..88d51d00 100644
--- a/src/invidious/views/components/channels/channel-information.ecr
+++ b/src/invidious/views/components/channels/channel-information.ecr
@@ -36,7 +36,7 @@
     <div class="pure-u-2-3">
         <div class="channel-profile">
             <img src="/ggpht<%= URI.parse(channel.author_thumbnail).request_target %>">
-            <span><%= channel.author %></span>
+            <span><%= HTML.escape(channel.author) %></span>
         </div>
     </div>
     <div class="pure-u-1-3" style="text-align:right">
diff --git a/src/invidious/views/edit_playlist.ecr b/src/invidious/views/edit_playlist.ecr
index bd8d6207..446c27f1 100644
--- a/src/invidious/views/edit_playlist.ecr
+++ b/src/invidious/views/edit_playlist.ecr
@@ -8,7 +8,7 @@
         <div class="pure-u-2-3">
             <h3><input class="pure-input-1" maxlength="150" name="title" type="text" value="<%= playlist.title %>"></h3>
             <b>
-                <%= playlist.author %> |
+                <%= HTML.escape(playlist.author) %> |
                 <%= translate(locale, "`x` videos", "#{playlist.video_count}") %> |
                 <%= translate(locale, "Updated `x` ago", recode_date(playlist.updated, locale)) %> |
                 <i class="icon <%= {"ion-md-globe", "ion-ios-unlock", "ion-ios-lock"}[playlist.privacy.value] %>"></i>
diff --git a/src/invidious/views/playlist.ecr b/src/invidious/views/playlist.ecr
index 568bc56e..78fa266c 100644
--- a/src/invidious/views/playlist.ecr
+++ b/src/invidious/views/playlist.ecr
@@ -11,7 +11,7 @@
                 <% if playlist.author == user.try &.email %>
                 <a href="/view_all_playlists"><%= playlist.author %></a> |
                 <% else %>
-                <%= playlist.author %> |
+                <%= HTML.escape(playlist.author) %> |
                 <% end %>
                 <%= translate(locale, "`x` videos", "#{playlist.video_count}") %> |
                 <%= translate(locale, "Updated `x` ago", recode_date(playlist.updated, locale)) %> |
@@ -26,7 +26,7 @@
             </b>
         <% else %>
             <b>
-                <a href="/channel/<%= playlist.ucid %>"><%= playlist.author %></a> |
+                <a href="/channel/<%= playlist.ucid %>"><%= HTML.escape(playlist.author) %></a> |
                 <%= translate(locale, "`x` videos", "#{playlist.video_count}") %> |
                 <%= translate(locale, "`x` videos", "#{playlist.views}") %> |
                 <%= translate(locale, "Updated `x` ago", recode_date(playlist.updated, locale)) %>
diff --git a/src/invidious/views/subscription_manager.ecr b/src/invidious/views/subscription_manager.ecr
index 6cddcd6c..839f808a 100644
--- a/src/invidious/views/subscription_manager.ecr
+++ b/src/invidious/views/subscription_manager.ecr
@@ -31,7 +31,7 @@
         <div class="pure-g<% if channel.deleted %> deleted <% end %>">
             <div class="pure-u-2-5">
                 <h3 style="padding-left:0.5em">
-                    <a href="/channel/<%= channel.id %>"><%= channel.author %></a>
+                    <a href="/channel/<%= channel.id %>"><%= HTML.escape(channel.author) %></a>
                 </h3>
             </div>
             <div class="pure-u-2-5"></div>
diff --git a/src/invidious/views/watch.ecr b/src/invidious/views/watch.ecr
index 91e03725..1c26087e 100644
--- a/src/invidious/views/watch.ecr
+++ b/src/invidious/views/watch.ecr
@@ -227,7 +227,7 @@ we're going to need to do it here in order to allow for translations.
                     <% if !video.author_thumbnail.empty? %>
                         <img src="/ggpht<%= URI.parse(video.author_thumbnail).request_target %>">
                     <% end %>
-                    <span id="channel-name"><%= video.author %></span>
+                    <span id="channel-name"><%= HTML.escape(video.author) %></span>
                 </div>
             </a>