From a78ad8dec254f8da2ee76464c2c698bf4e77dec9 Mon Sep 17 00:00:00 2001
From: Tom Moor
Date: Sun, 22 May 2022 11:10:59 +0100
Subject: [PATCH] fix: Escape user defined values (regressed just now bc7052b7ca44aadddd8bec18c29653cd89f65fad)
---
 server/routes/index.ts | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/server/routes/index.ts b/server/routes/index.ts
index 93e9fc36f..18f2bca97 100644
--- a/server/routes/index.ts
+++ b/server/routes/index.ts
@@ -5,6 +5,7 @@ import Koa, { Context, Next } from "koa";
 import Router from "koa-router";
 import send from "koa-send";
 import serve from "koa-static";
+import { escape } from "lodash";
 import isUUID from "validator/lib/isUUID";
 import { languages } from "@shared/i18n";
 import env from "@server/env";
@@ -70,8 +71,8 @@ const renderApp = async (
 ctx.body = page
 .toString()
 .replace(/\/\/inject-env\/\//g, environment)
- .replace(/\/\/inject-title\/\//g, title)
- .replace(/\/\/inject-description\/\//g, description)
+ .replace(/\/\/inject-title\/\//g, escape(title))
+ .replace(/\/\/inject-description\/\//g, escape(description))
 .replace(/\/\/inject-canonical\/\//g, canonical)
 .replace(/\/\/inject-prefetch\/\//g, shareId ? "" : prefetchTags)
 .replace(/\/\/inject-slack-app-id\/\//g, env.SLACK_APP_ID || "");
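Review bot: The replacement argument on the two changed `.replace()` lines is still a plain string, so `$` sequences in a user-defined title or description (`$&`, `$'`, `` $` ``) are expanded by `String.prototype.replace`; lodash `escape` only covers `&`, `<`, `>`, `"` and `'`, so they pass through and can pull surrounding template text into the rendered page. Passing a function as the replacement avoids this: `.replace(/\/\/inject-title\/\//g, () => escape(title))`, and the same for `description`. `canonical` on the next line is still inserted unescaped; renderApp starts and ends outside the hunk, so whether it can carry request-derived input is not visible here, but if it can, it needs the same treatment. Since the commit message says this escaping regressed, a test that renders a title containing markup and asserts the escaped output would help keep it from regressing again.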