From 7bb8821b1b27e2527b8c02e6635ce9e92423f5c0 Mon Sep 17 00:00:00 2001
From: Alex Gleason
Date: Sun, 30 Apr 2023 16:07:07 -0500
Subject: [PATCH] Escape HTML fields
---
 src/deps.ts | 2 ++
 src/transmute.ts | 6 +++---
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/deps.ts b/src/deps.ts
index af1965b..1366422 100644
--- a/src/deps.ts
+++ b/src/deps.ts
@@ -22,3 +22,5 @@ export {
 } from 'npm:nostr-tools@^1.10.1';
 export { findReplyTag } from 'https://gitlab.com/soapbox-pub/mostr/-/raw/c67064aee5ade5e01597c6d23e22e53c628ef0e2/src/nostr/tags.ts';
 export { parseFormData } from 'npm:formdata-helper@^0.3.0';
+// @deno-types="npm:@types/lodash@4.14.194"
+export { default as lodash } from 'https://esm.sh/lodash@4.17.21';
diff --git a/src/transmute.ts b/src/transmute.ts
index 271ed4d..36f8ff2 100644
--- a/src/transmute.ts
+++ b/src/transmute.ts
@@ -1,4 +1,4 @@
-import { findReplyTag, nip19 } from '@/deps.ts';
+import { findReplyTag, lodash, nip19 } from '@/deps.ts';
 import { type Event } from '@/event.ts';
 import { type MetaContent, parseContent } from '@/schema.ts';
 
@@ -38,7 +38,7 @@ function toAccount(event: Event<0>) {
 header: banner,
 header_static: banner,
 locked: false,
- note: about,
+ note: lodash.escape(about),
 fqn: parsed05?.handle || npub,
 url: `${origin}/users/${pubkey}`,
 username: parsed05?.nickname || npub,
@@ -86,7 +86,7 @@ async function toStatus(event: Event<1>) {
 return {
 id: event.id,
 account,
- content: event.content,
+ content: lodash.escape(event.content),
 created_at: new Date(event.created_at * 1000).toISOString(),
 in_reply_to_id: replyTag ? replyTag[1] : null,
 in_reply_to_account_id: null,
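Review bot: The added `lodash` export in src/deps.ts loads the whole library from the esm.sh CDN for what the rest of the patch uses as a single function, whereas the `nostr-tools` and `formdata-helper` lines beside it use `npm:` specifiers. The exact version pin is good, but an `https:` import is only as trustworthy as the host serving it unless a lock file with integrity hashes is committed and enforced; whether this repository has one is not visible here. Consider `export { default as lodash } from 'npm:lodash@4.17.21';` to match the other packages, or re-exporting only `escape` so the dependency surface matches its use.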
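Review bot: `header: banner` and `header_static: banner` in the context lines of the toAccount hunk still pass a URL through unchanged, while `note` right below them is now escaped. Where `banner` is assigned is outside the hunk; if it comes from the same event metadata as `about`, it is author-controlled, and HTML escaping would not help because the concern there is the URL scheme rather than markup. Parsing it with `new URL(banner)` and keeping it only when `protocol` is `http:` or `https:` would close that gap. toAccount starts and ends outside this hunk, so the other fields built from the metadata deserve the same look.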
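Review bot: Nothing at `content: lodash.escape(event.content)` records why the escape is there, and the same holds for `note: lodash.escape(about)` in toAccount, so a later refactor could drop either call without anyone noticing the consequence. A one-line comment above each, for example `// Rendered as HTML by clients; the Nostr text is untrusted, so entity-encode it.`, would state the contract the commit title implies. A small test asserting that a `<script>` tag in an event's content comes back from toStatus as `&lt;script&gt;` would pin the behaviour. The rest of toStatus is outside the hunk.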