# HG changeset patch
# User Andrew Shadura
# Date 2015-02-11 20:38:12
# Node ID 8d76245daefa55306531822f2aa041ef1bc1095c
# Parent 2346f7b1b82a1b1ba98c9bd5635801a1f672a247
feed: urlify and escape the commit description
This prevents HTML injections and also makes URLs clickable.
diff --git a/kallithea/controllers/feed.py b/kallithea/controllers/feed.py
--- a/kallithea/controllers/feed.py
+++ b/kallithea/controllers/feed.py
@@ -107,7 +107,7 @@ class FeedController(BaseRepoController)
 desc_msg.append('changeset: %s' % (_url, cs.raw_id[:8]))
 desc_msg.append('
')
-        desc_msg.append(cs.message)
+        desc_msg.append(h.urlify_text(cs.message))
         desc_msg.append('\n')
         desc_msg.extend(changes)
         if self.include_diff:
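Review bot: The escaping promised in the commit message rests entirely on `h.urlify_text`, whose body is not part of this hunk, so the added line `desc_msg.append(h.urlify_text(cs.message))` is only safe if that helper HTML-escapes the message before it wraps URLs in links. Please confirm this and pin it with a regression test that feeds a commit message containing markup and asserts the feed body carries it entity-encoded. The neighbouring `desc_msg.extend(changes)` and whatever is appended under `if self.include_diff:` still go into the same description without visible escaping. File names and diff text are repository-controlled as well, so they presumably need the same treatment unless they are escaped where they are built. A short comment above the changed line would record the contract, for example `# urlify_text must HTML-escape cs.message; feed readers render this as markup`. The enclosing method starts and ends outside the hunk.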