HTML escape user input

author: matthewmcgarvey <matthewmcgarvey14@gmail.com> 2022-01-19 09:01:13 -0600
committer: matthewmcgarvey <matthewmcgarvey14@gmail.com> 2022-01-19 09:01:13 -0600
commit: 574e35a720adea4132ae91ce1c70ca0c34461d6c (patch)
tree: 11d233589c20b78fa5d2025824cd4e4d2200d241 /src
parent: 56e505164d5faa1b3db15a18e0a0359d4b66d468 (diff)
download: invidious-574e35a720adea4132ae91ce1c70ca0c34461d6c.tar.gz
invidious-574e35a720adea4132ae91ce1c70ca0c34461d6c.tar.bz2
invidious-574e35a720adea4132ae91ce1c70ca0c34461d6c.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/src/invidious/routes/search.cr b/src/invidious/routes/search.cr
index 5f9bf5e0..19f33a40 100644
--- a/src/invidious/routes/search.cr
+++ b/src/invidious/routes/search.cr
@@ -56,7 +56,7 @@ module Invidious::Routes::Search
       begin
         search_query, count, videos, operators = process_search_query(query, page, user, region: region)
       rescue ex : ChannelSearchException
-        return error_template(404, "Unable to find channel with id of '#{ex.channel}'. Are you sure that's an actual channel id? It will look like 'UC4QobU6STFB0P71PMvOGN5A'.")
+        return error_template(404, "Unable to find channel with id of '#{HTML.escape(ex.channel)}'. Are you sure that's an actual channel id? It will look like 'UC4QobU6STFB0P71PMvOGN5A'.")
       rescue ex
         return error_template(500, ex)
       end
author	matthewmcgarvey <matthewmcgarvey14@gmail.com>	2022-01-19 09:01:13 -0600
committer	matthewmcgarvey <matthewmcgarvey14@gmail.com>	2022-01-19 09:01:13 -0600
commit	574e35a720adea4132ae91ce1c70ca0c34461d6c (patch)
tree	11d233589c20b78fa5d2025824cd4e4d2200d241 /src
parent	56e505164d5faa1b3db15a18e0a0359d4b66d468 (diff)
download	invidious-574e35a720adea4132ae91ce1c70ca0c34461d6c.tar.gz invidious-574e35a720adea4132ae91ce1c70ca0c34461d6c.tar.bz2 invidious-574e35a720adea4132ae91ce1c70ca0c34461d6c.zip