use safe markdown for comments to prevent xss
diff --git a/b.rb b/b.rb
index d4e97b6dba16b1c988ed0760561022e9aad3e14a..b5e2aa91bb94782a20a18316717492f4d92cc626 100644 (file)
--- a/b.rb
+++ b/b.rb
@@ -58,7 +58,7 @@ module B # blog module
     head = <<EOF
 <link rel="canonical" href="#{DURL}/#{rel_path}">
 EOF
-    if rel_path =~ %r{^blog/.}
+    if rel_path =~ %r{^/blog/|^blog.html}
       head += <<EOF
 <link rel="alternate" type="application/atom+xml" title="#{DN}" href="#{DURL}/feed.xml">
 EOF
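Review bot: The new pattern on the `+` line anchors with `^`, which in Ruby matches at the start of any line rather than the start of the string, and the `.` in `blog.html` is unescaped, so the branch also fires for e.g. `blogXhtml`; if rel_path can ever carry a newline the feed link would be emitted for unrelated paths. Anchor the whole string and escape the dot: `if rel_path.match?(%r{\A(?:/blog/|blog\.html)})`. Whether rel_path is always a plain relative path here cannot be seen from the hunk; the enclosing method starts and ends outside it.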
@@ -126,7 +126,7 @@ EOF
   end
 
   def comment_html(comment, date)
-    inner = Redcarpet::Markdown.new(Redcarpet::Render::HTML, fenced_code_blocks: true).render(<<EOF)
+    inner = Redcarpet::Markdown.new(Redcarpet::Render::Safe, fenced_code_blocks: true).render(<<EOF)
 #{comment}
 <span class="comment-date">#{Time.at(date).strftime("%b %-d '%y")}</span>
 EOF
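Review bot: Switching to Redcarpet::Render::Safe on the `+` line turns on escape_html for the whole heredoc, and the heredoc still contains the `<span class="comment-date">` markup on the following line, so the date span will now be escaped and shown as literal text instead of rendered as HTML. Render only the untrusted comment through the Safe renderer and append the date markup afterwards, e.g. `inner = Redcarpet::Markdown.new(Redcarpet::Render::Safe, fenced_code_blocks: true).render(comment)` followed by `inner += <<EOF` with the existing span line and `EOF` as its body; the strftime output contains nothing that needs escaping. comment_html's body continues past the end of the hunk, so how `inner` is used below cannot be checked here.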