From 497e5f0c28d575b3e92ef65b70384314a9e330da Mon Sep 17 00:00:00 2001
From: Martin Mahner
Date: Fri, 1 Aug 2014 20:56:58 +0000
Subject: [PATCH] Fixed XSS bug, 'code' lexer syntax were not escaped properly.
---
 dpaste/highlight.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/dpaste/highlight.py b/dpaste/highlight.py
index 538cfe9..1b66a6d 100644
--- a/dpaste/highlight.py
+++ b/dpaste/highlight.py
@@ -4,6 +4,7 @@ from pygments.formatters import HtmlFormatter
 from django.conf import settings
 from django.utils.translation import ugettext_lazy as _
+from django.template.defaultfilters import escape
 """
 # Get a list of all lexer, and then remove all lexer which have '-' or '+'
@@ -121,7 +122,7 @@ class NakedHtmlFormatter(HtmlFormatter):
 def pygmentize(code_string, lexer_name=LEXER_DEFAULT):
 # Plain code is noth hihglighted
 if lexer_name == PLAIN_CODE:
- return '\n'.join([u'{}'.format(l)
+ return '\n'.join([u'{}'.format(escape(l))
 for l in code_string.splitlines()])
 try:
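Review bot: The `escape` imported in the first hunk is the template *filter* from `django.template.defaultfilters`, which in the Django releases current at the time of this commit does not escape eagerly but only marks the value for later auto-escaping (`mark_for_escaping`); the `'\n'.join([...])` in the second hunk then produces a plain unicode string, so that marking is dropped before anything could act on it. If the caller renders the returned string as trusted HTML (likely, since the highlighted branches of `pygmentize` produce HTML markup), the plain-code output is still emitted unescaped and the XSS this commit is meant to close remains open; this needs to be confirmed against the template that displays the result, which is outside this diff. The eager helper is the right tool here: change the import to `from django.utils.html import escape`, which returns the `<`, `>`, `&` and quote characters already replaced. With that in place the `u'{}'.format(escape(l))` wrapper is a no-op around an already-text value and can be reduced to `escape(l)`. The body of `pygmentize` continues outside the hunk.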