From d7f1a35ba5986369514998b4b0d5547da46576ab Mon Sep 17 00:00:00 2001
From: Sven Slootweg
Date: Sun, 27 May 2012 13:52:24 +0200
Subject: [PATCH] Escape special characters in HTML

---
 render | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/render b/render
index 8c79e5b..08801c5 100755
--- a/render
+++ b/render
@@ -22,6 +22,9 @@ parser.add_argument('-a', dest='attachment_dir', action='store', default='attach
 args = parser.parse_args()
 options = vars(args)
 
+def escape_html_chars(text):
+ return text.replace("&", "&").replace('"', """).replace("<", "<").replace(">", ">")
+
 if os.path.isfile(options['database']) == False:
 print "Database file not found. Use the -d switch to specify a custom database path."
 exit(1)
@@ -41,6 +44,11 @@ except OSError:
 
 for message_id, sender, recipient, subject, timestamp, textbody, htmlbody, sha1_hash in cursor.execute("SELECT * FROM emails"):
+ sender = escape_html_chars(sender)
+ recipient = escape_html_chars(recipient)
+ subject = escape_html_chars(subject)
+ message_id = escape_html_chars(message_id)
+
 versions = {}
 
 if textbody != "":
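Review bot: As shown, every `replace` call in `escape_html_chars` maps a character to itself (`"&"` to `"&"`, `"<"` to `"<"`, `">"` to `">"`), so the function returns its input unchanged and does not escape anything, and the `"""` in the third call would open a triple-quoted string rather than a one-character replacement. This almost certainly means the entity names (`&amp;`, `&lt;`, `&gt;`, `&quot;`) were decoded when the patch was rendered, but it is worth confirming against the committed file since the whole point of the change rests on those literals. Since the file is Python 2 (the `print` statement in the context lines), the standard library already provides this: with `import cgi` at the top of the file the body can be `return cgi.escape(text, quote=True)`, which escapes all four characters and, like the hunk, handles `&` before the others so existing entities are not double-escaped.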
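Review bot: The four new `escape_html_chars(...)` assignments call `.replace` on whatever the row yields, so if the database driver returns `None` for a NULL `sender`, `recipient`, `subject` or `message_id` column the first of these lines raises `AttributeError` and the whole render aborts instead of skipping or blanking that field. If NULLs are possible in these columns, a guard such as `sender = escape_html_chars(sender or "")` (and the same for the other three) keeps one bad row from stopping the loop. Whether `textbody` and `htmlbody` also reach the HTML output without escaping cannot be seen from this hunk, since the for-loop body continues outside it.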