smcvpostcomment: remove HTML if not allowed
[git.ikiwiki.info.git] / IkiWiki / Plugin / smcvpostcomment.pm
index 43b1d3e6fbe8e927ac6bb0f642af59e094bdd5cb..07f008e5e08adc0ea423cd920f074cb8cf431db7 100644 (file)
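--- a/IkiWiki/Plugin/smcvpostcomment.pm
+++ b/IkiWiki/Plugin/smcvpostcomment.pm
@@ -205,6 +205,12 @@ sub sessioncgi ($$) { #{{{
                         unless $config{prefix_directives};
         }
 
+       unless ($allow_html) {
+               $body =~ s/&(\w|#)/&$1/g;
+               $body =~ s/</&lt;/g;
+               $body =~ s/>/&gt;/g;
+       }
+
         # In this template, the [[!meta]] directives should stay at the end,
         # so that they will override anything the user specifies. (For
         # instance, [[!meta author="I can fake the author"]]...)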
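Review bot: As rendered on this page, the first substitution `s/&(\w|#)/&$1/g` replaces each match with itself, so entity and character references in `$body` pass through unescaped; if the file really reads this way (rather than the page having decoded an entity in the listing), the replacement should be `&amp;$1`. The ampersand rule has to stay ahead of the `<` and `>` rules so the `&lt;`/`&gt;` they emit are not escaped a second time, and a comment such as `# escape & first so the entities produced below are not double-escaped` would protect that ordering from later reshuffling. These three rules only neutralise literal tags; whether the page's markup format can still emit HTML from the comment text is decided outside this hunk, so it is worth confirming that this block is not the only filter applied when `$allow_html` is false. The body of `sessioncgi` starts and ends outside the hunk.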