From e5063ef9284aebfb4c32b13418c43bffef3d6dd1 Mon Sep 17 00:00:00 2001
From: syeopite <syeopite@syeopite.dev>
Date: Sat, 26 Jun 2021 19:20:50 -0700
Subject: [PATCH] Escape (some) channel names in frontend

---
 src/invidious/comments.cr                                     | 2 +-
 src/invidious/views/channel/featured_channels.ecr             | 4 ++--
 .../views/components/channels/channel-information.ecr         | 2 +-
 src/invidious/views/playlist.ecr                              | 4 ++--
 src/invidious/views/watch.ecr                                 | 2 +-
 5 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/src/invidious/comments.cr b/src/invidious/comments.cr
index a5506b03..fcf6e193 100644
--- a/src/invidious/comments.cr
+++ b/src/invidious/comments.cr
@@ -472,7 +472,7 @@ def template_reddit_comments(root, locale)
         html << <<-END_HTML
         <p>
           <a href="javascript:void(0)" data-onclick="toggle_parent">[ - ]</a>
-          <b><a href="https://www.reddit.com/user/#{child.author}">#{child.author}</a></b>
+          <b><a href="https://www.reddit.com/user/#{child.author}">#{HTML.escape(child.author)}</a></b>
           #{translate(locale, "`x` points", number_with_separator(child.score))}
           <span title="#{child.created_utc.to_s(translate(locale, "%a %B %-d %T %Y UTC"))}">#{translate(locale, "`x` ago", recode_date(child.created_utc, locale))}</span>
           <a href="https://www.reddit.com#{child.permalink}" title="#{translate(locale, "permalink")}">#{translate(locale, "permalink")}</a>
diff --git a/src/invidious/views/channel/featured_channels.ecr b/src/invidious/views/channel/featured_channels.ecr
index 2829c780..c9c5ad46 100644
--- a/src/invidious/views/channel/featured_channels.ecr
+++ b/src/invidious/views/channel/featured_channels.ecr
@@ -37,7 +37,7 @@
                                         <% end %>
                                     </a>
                                     <div class="featured-channel-about">
-                                        <p class="featured-channel-title"><a href="/channel/<%= item.ucid %>"><%= item.author %></a></p>
+                                        <p class="featured-channel-title"><a href="/channel/<%= item.ucid %>"><%= HTML.escape(item.author) %></a></p>
                                         <div class="featured-channel-metadata">
                                             <p><%= translate(locale, "`x` subscribers", number_with_separator(item.subscriber_count)) %></p>
                                             <p><%= translate(locale, "`x` videos", number_with_separator(item.video_count)) %></p>
@@ -63,7 +63,7 @@
                                     <% end %>
                                 </a>
                                 <div class="featured-channel-about">
-                                    <p class="featured-channel-title"><a href="/channel/<%= item.ucid %>"><%= item.author %></a></p>
+                                    <p class="featured-channel-title"><a href="/channel/<%= item.ucid %>"><%= HTML.escape(item.author) %></a></p>
                                     <div class="featured-channel-metadata">
                                         <span><%= translate(locale, "`x` subscribers", number_with_separator(item.subscriber_count)) %></span>
                                         <span class="seperator"> | </span>
diff --git a/src/invidious/views/components/channels/channel-information.ecr b/src/invidious/views/components/channels/channel-information.ecr
index 435c27fe..88d51d00 100644
--- a/src/invidious/views/components/channels/channel-information.ecr
+++ b/src/invidious/views/components/channels/channel-information.ecr
@@ -36,7 +36,7 @@
     <div class="pure-u-2-3">
         <div class="channel-profile">
             <img src="/ggpht<%= URI.parse(channel.author_thumbnail).request_target %>">
-            <span><%= channel.author %></span>
+            <span><%= HTML.escape(channel.author) %></span>
         </div>
     </div>
     <div class="pure-u-1-3" style="text-align:right">
diff --git a/src/invidious/views/playlist.ecr b/src/invidious/views/playlist.ecr
index 35b985db..fbf02a8e 100644
--- a/src/invidious/views/playlist.ecr
+++ b/src/invidious/views/playlist.ecr
@@ -14,7 +14,7 @@
                 <% if playlist.author == user.try &.email %>
                 <a href="/feed/playlists"><%= author %></a> |
                 <% else %>
-                <%= author %> |
+                <%= HTML.escape(playlist.author) %> |
                 <% end %>
                 <%= translate(locale, "`x` videos", "#{playlist.video_count}") %> |
                 <%= translate(locale, "Updated `x` ago", recode_date(playlist.updated, locale)) %> |
@@ -29,7 +29,7 @@
             </b>
         <% else %>
             <b>
-                <a href="/channel/<%= playlist.ucid %>"><%= author %></a> |
+                <a href="/channel/<%= playlist.ucid %>"><%= HTML.escape(playlist.author) %></a> |
                 <%= translate(locale, "`x` videos", "#{playlist.video_count}") %> |
                 <%= translate(locale, "`x` videos", "#{playlist.views}") %> |
                 <%= translate(locale, "Updated `x` ago", recode_date(playlist.updated, locale)) %>
diff --git a/src/invidious/views/watch.ecr b/src/invidious/views/watch.ecr
index 68e7eb80..97f0e6f3 100644
--- a/src/invidious/views/watch.ecr
+++ b/src/invidious/views/watch.ecr
@@ -233,7 +233,7 @@ we're going to need to do it here in order to allow for translations.
                     <% if !video.author_thumbnail.empty? %>
                         <img src="/ggpht<%= URI.parse(video.author_thumbnail).request_target %>">
                     <% end %>
-                    <span id="channel-name"><%= author %></span>
+                    <span id="channel-name"><%= HTML.escape(video.author) %></span>
                 </div>
             </a>