From 083d17e07787179fe06b91dfbbcafc124dc55a92 Mon Sep 17 00:00:00 2001
From: Barry O'Donovan
Date: Fri, 21 Oct 2022 15:23:45 +0100
Subject: [PATCH] [IM] Prevent XSS / JS interpretation in preview boxes [ref: 555-9-9]
---
 app/Http/Controllers/Api/V4/UtilsController.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/Http/Controllers/Api/V4/UtilsController.php b/app/Http/Controllers/Api/V4/UtilsController.php
index fcf7fef6e..4af5d4a94 100644
--- a/app/Http/Controllers/Api/V4/UtilsController.php
+++ b/app/Http/Controllers/Api/V4/UtilsController.php
@@ -54,7 +54,7 @@ public function markdown( Request $r ): JsonResponse {
 $pd = new Parsedown();
 return response()->json([
- 'html' => $pd->text( $r->text )
+ 'html' => htmlspecialchars( $pd->text( $r->text ) )
 ]);
 }
 }
\ No newline at end of file
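Review bot: The added line `'html' => htmlspecialchars( $pd->text( $r->text ) )` escapes the entire rendered document, so the `html` field no longer carries markup at all but the Parsedown output as literal text; a preview box that inserts it as HTML will show raw `<p>` tags, and one that inserts it as text never needed the escaping, so it is worth confirming which the client does. If the intent is to keep the rendered markdown but neutralise author-supplied raw HTML and script, Parsedown's safe mode is the targeted control, `$pd = new Parsedown(); $pd->setSafeMode( true );` (available from Parsedown 1.7, so check the installed version), optionally followed by a whitelist sanitiser on the result. Whichever approach is kept, pass explicit flags rather than relying on defaults that changed between PHP versions, `htmlspecialchars( $html, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' )`, since before PHP 8.1 single quotes were left unescaped. `$r->text` is also passed through untyped and unvalidated; a null or non-string body reaches Parsedown directly, which is presumably tolerated today but deserves a `$r->validate(['text' => 'string'])` or similar at the boundary. The method signature `markdown( Request $r )` is only visible in the hunk header, outside the hunk itself.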