From b2209363eb4c3bf2f55d8268a2a3b9570b5d8818 Mon Sep 17 00:00:00 2001
From: Ryan Fox
Date: Sun, 6 Aug 2023 00:06:10 -0700
Subject: [PATCH] Add bare minimum input sanitization

This is not secure at all, and I'm not sure where I broke Mastodon's built-in sanitization, but whatever.
---
 src/View/Formatter.elm | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/View/Formatter.elm b/src/View/Formatter.elm
index 6176602..5d46e73 100644
--- a/src/View/Formatter.elm
+++ b/src/View/Formatter.elm
@@ -123,7 +123,14 @@ toVirtualDomEach mentions emoji node =
 -- VERY janky.
 handleEmoji : String -> List Emoji -> Html Msg
 handleEmoji s emojis =
- span [ property "innerHTML" <| Json.Encode.string <| Regex.replace Regex.All shortcodeRegex (\{match} -> displayEmoji match emojis) <| s ] []
+ span [ property "innerHTML" <| Json.Encode.string <| Regex.replace Regex.All shortcodeRegex (\{match} -> displayEmoji match emojis) <| simpleSanitize <| s ] []
+
+
+simpleSanitize : String -> String
+simpleSanitize content =
+ content
+ |> replace "<" "<"
+ |> replace ">" ">"
 
 
 displayEmoji : String -> List Emoji -> String
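Review bot: `simpleSanitize` escapes only `<` and `>`, and as the patch is rendered here both `replace` calls map a character to itself, so either the `&lt;`/`&gt;` entities were lost when this page was rendered or the committed function is a no-op; please confirm the file text. Even with entities, `&` must be replaced first so the inserted entities are not re-escaped, and `"`/`'` too if the string can ever land in an attribute: `content |> replace "&" "&amp;" |> replace "<" "&lt;" |> replace ">" "&gt;"`. Because the pipeline applies `simpleSanitize` to `s` before `Regex.replace`, whatever `displayEmoji` returns reaches `innerHTML` unescaped; if that markup carries emoji data from the server, it bypasses this sanitizer entirely (`displayEmoji`'s body is outside the hunk). The durable fix is to stop setting `innerHTML` and build the span from `text` and `img` nodes so Elm's virtual DOM does the escaping; until then, a comment such as `-- Escapes only < and >; result is still written via innerHTML, emoji markup is not escaped` above `simpleSanitize` would make the limitation explicit.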