From 738580eeeb8e6ab269cf33c077bfb89453244ad5 Mon Sep 17 00:00:00 2001
From: Drew DeVault <sir@cmpwn.com>
Date: Thu, 7 May 2020 17:51:21 -0400
Subject: [PATCH] annotations: escape more inputs

---
 gitsrht/annotations.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/gitsrht/annotations.py b/gitsrht/annotations.py
index 0420bcf..47e11cd 100644
--- a/gitsrht/annotations.py
+++ b/gitsrht/annotations.py
@@ -239,13 +239,13 @@ class AnnotatedFormatter(_BaseFormatter):
                     target = self.link_prefix + "/" + target
                 if start <= colno < end:
                     if color is not None:
-                        return (f"<a class='annotation' title='{title}' " +
+                        return (f"<a class='annotation' title='{escape_html(title)}' " +
                             f"href='{escape_html(target)}' " +
                             f"rel='nofollow noopener' " +
                             f"style='background-color: {color}' " +
                             f">{escape_html(token)}</a>""")
                     else:
-                        return (f"<a class='annotation' title='{title}' " +
+                        return (f"<a class='annotation' title='{escape_html(title)}' " +
                             f"href='{escape_html(target)}' " +
                             f"rel='nofollow noopener' " +
                             f">{escape_html(token)}</a>""")
@@ -256,7 +256,7 @@ class AnnotatedFormatter(_BaseFormatter):
                 content = anno["content"]
                 content = markdown(content, baselevel=6,
                         link_prefix=self.link_prefix)
-                annotation = f"<details><summary>{title}</summary>{content}</details>\n"
+                annotation = f"<details><summary>{escape_html(title)}</summary>{content}</details>\n"
                 token = escape_html(token).replace("\n", annotation, 1)
                 return token
             # Other types?
-- 
2.38.4