Prevent XSS

Cargo.lock

@@ -343,6 +343,7 @@ dependencies = [
  "chrono 0.4.6 (registry+https://github.com/rust-lang/crates.io-index)",
  "diesel 1.4.2 (registry+https://github.com/rust-lang/crates.io-index)",
  "dotenv 0.9.0 (registry+https://github.com/rust-lang/crates.io-index)",
+ "htmlescape 0.3.1 (registry+https://github.com/rust-lang/crates.io-index)",
  "r2d2 0.8.4 (registry+https://github.com/rust-lang/crates.io-index)",
  "r2d2-diesel 1.0.0 (registry+https://github.com/rust-lang/crates.io-index)",
  "rocket 0.4.0 (registry+https://github.com/rust-lang/crates.io-index)",
@@ -358,6 +359,11 @@ name = "glob"
 version = "0.2.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 
+[[package]]
+name = "htmlescape"
+version = "0.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+
 [[package]]
 name = "httparse"
 version = "1.3.3"
@@ -1516,6 +1522,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 "checksum fuchsia-zircon-sys 0.3.3 (registry+https://github.com/rust-lang/crates.io-index)" = "3dcaa9ae7725d12cdb85b3ad99a434db70b468c09ded17e012d86b5c1010f7a7"
 "checksum generic-array 0.12.0 (registry+https://github.com/rust-lang/crates.io-index)" = "3c0f28c2f5bfb5960175af447a2da7c18900693738343dc896ffbcabd9839592"
 "checksum glob 0.2.11 (registry+https://github.com/rust-lang/crates.io-index)" = "8be18de09a56b60ed0edf84bc9df007e30040691af7acd1c41874faac5895bfb"
+"checksum htmlescape 0.3.1 (registry+https://github.com/rust-lang/crates.io-index)" = "e9025058dae765dee5070ec375f591e2ba14638c63feff74f13805a72e523163"
 "checksum httparse 1.3.3 (registry+https://github.com/rust-lang/crates.io-index)" = "e8734b0cfd3bc3e101ec59100e101c2eecd19282202e87808b3037b442777a83"
 "checksum humansize 1.1.0 (registry+https://github.com/rust-lang/crates.io-index)" = "b6cab2627acfc432780848602f3f558f7e9dd427352224b0d9324025796d2a5e"
 "checksum humantime 1.2.0 (registry+https://github.com/rust-lang/crates.io-index)" = "3ca7e5f2e110db35f93b837c81797f3714500b81d517bf20c431b16d3ca4f114"

Cargo.toml

@@ -8,6 +8,7 @@ edition = "2018"
 chrono = { version = "0.4.6", features = ["serde"] }
 diesel = { version = "1.0.0", features = ["postgres", "chrono"] }
 dotenv = "0.9.0"
+htmlescape = "0.3.1"
 r2d2 = "0.8.3"
 r2d2-diesel = "1.0.0"
 rocket = "0.4.0"

src/main.rs

@@ -4,6 +4,7 @@ extern crate chrono;
 #[macro_use]
 extern crate diesel;
 extern crate dotenv;
+extern crate htmlescape;
 extern crate r2d2;
 extern crate r2d2_diesel;
 #[macro_use]

src/snippet.rs

@@ -35,7 +35,12 @@ fn format_snippet(filetype: Option<String>, body: String) -> String {
             ps.find_syntax_by_extension(&filetype).map_or(
                 format!("<pre class='plaintext'>{}</pre>", body),
                 |syntax| {
-                    highlighted_html_for_string(&body, &ps, syntax, &ts.themes["Solarized (light)"])
+                    highlighted_html_for_string(
+                        &htmlescape::decode_html(&body).expect("Invalid HTML"),
+                        &ps,
+                        syntax,
+                        &ts.themes["Solarized (light)"],
+                    )
                 },
             )
         },
@@ -47,11 +52,12 @@ pub fn get(connection: &PGC, id: i32) -> QueryResult<Snippet> {
 }
 
 pub fn insert(snippet: InsertableSnippet, connection: &PGC) -> QueryResult<Snippet> {
+    let body = htmlescape::encode_minimal(&snippet.body.clone());
     let formatted_snippet = InsertableSnippet {
         filetype: snippet.filetype.clone(),
         title: snippet.title,
-        body: snippet.body.clone(),
-        formatted_body: format_snippet(snippet.filetype, snippet.body),
+        body: body.clone(),
+        formatted_body: format_snippet(snippet.filetype, body),
     };
     diesel::insert_into(snippets::table)
         .values(formatted_snippet)