fix: HTML + mustache interpolations not escaped properly

server/libs/markdown.js

@@ -25,10 +25,10 @@ var mkdown = md({
       try {
         return '<pre class="hljs"><code>' + hljs.highlight(lang, str, true).value + '</code></pre>'
       } catch (err) {
-        return '<pre><code>' + str + '</code></pre>'
+        return '<pre><code>' + _.escape(str) + '</code></pre>'
       }
     }
-    return '<pre><code>' + str + '</code></pre>'
+    return '<pre><code>' + _.escape(str) + '</code></pre>'
   }
 })
   .use(mdEmoji)

server/locales/en/common.json

@@ -17,25 +17,26 @@
   },
   "nav": {
     "account": "Account",
-    "settings": "Settings",
-    "myprofile": "My Profile",
-    "stats": "Stats",
-    "syssettings": "System Settings",
-    "theme": "Color Theme",
-    "users": "Users",
-    "logout": "Logout",
+    "allpages": "All Pages",
     "create": "Create",
+    "discard": "Discard",
     "edit": "Edit",
     "history": "History",
-    "source": "Source",
-    "move": "Move",
-    "allpages": "All Pages",
+    "home": "Home",
     "login": "Login",
+    "logout": "Logout",
+    "move": "Move",
+    "myprofile": "My Profile",
     "normalview": "Normal View",
-    "viewlatest": "View Latest",
-    "discard": "Discard",
     "savechanges": "Save Changes",
-    "savedocument": "Save Document"
+    "savedocument": "Save Document",
+    "settings": "Settings",
+    "source": "Source",
+    "stats": "Stats",
+    "syssettings": "System Settings",
+    "theme": "Color Theme",
+    "users": "Users",
+    "viewlatest": "View Latest"
   },
   "welcome": {
     "title": "Welcome to your wiki!",
@@ -46,4 +47,4 @@
     "source": "Loading source...",
     "editor": "Loading editor..."
   }
-}
+}

server/views/pages/create.pug

@@ -16,7 +16,7 @@ block rootNavRight
 block content
   editor(inline-template, current-path=pageData.meta.path, v-cloak)
     .editor-area
-      textarea(ref='editorTextArea')= pageData.markdown
+      textarea(ref='editorTextArea', v-pre)= pageData.markdown
 
   editor-video
   editor-codeblock

server/views/pages/edit.pug

@@ -16,7 +16,7 @@ block rootNavRight
 block content
   editor(inline-template, current-path=pageData.meta.path, v-cloak)
     .editor-area
-      textarea(ref='editorTextArea')= pageData.markdown
+      textarea(ref='editorTextArea', v-pre)= pageData.markdown
 
   editor-video
   editor-codeblock

server/views/pages/view.pug

@@ -73,12 +73,11 @@ block content
               +tocMenu(pageData.tree)
 
         .column
-
           .hero
             h1.title#title= pageData.meta.title
             if pageData.meta.subtitle
               h2.subtitle= pageData.meta.subtitle
-          .content.mkcontent
+          .content.mkcontent(v-pre)
             != pageData.html
 
   modal-create-page(basepath=pageData.meta.path)