Escape a potential HTML injection in highlighting if mwparser fails.

toolserver/copyvios/highlighter.py

@@ -2,7 +2,7 @@
 
 from re import sub, UNICODE
 
-# TODO: escape if input contains pseudo-HTML
+from markupsafe import escape
 
 def highlight_delta(context, chain, delta):
     processed = []
@@ -34,6 +34,7 @@ def highlight_delta(context, chain, delta):
     return u"<br /><br />".join(processed)
 
 def _highlight_word(word, before, after, is_first, is_last):
+    word = escape(word)
     if before and after:
         # Word is in the middle of a highlighted block, so don't change
         # anything unless this is the first word (force block to start) or

toolserver/settings.py

@@ -8,7 +8,6 @@ from .sites import get_sites
 
 def main(context, environ, headers, cookies):
     query = Query(environ, method="POST")
-
     if query.action == "set":
         status = _do_set(query, headers, cookies)
     elif query.action == "delete":
@@ -46,7 +45,7 @@ def _do_set(query, headers, cookies):
 def _do_delete(query, headers, cookies):
     if query.cookie in cookies:
         delete_cookie(headers, cookies, query.cookie.encode("utf8"))
-        template = "Deleted cookie <b><tt>{0}</tt></b>."
+        template = u"Deleted cookie <b><tt>{0}</tt></b>."
         return template.format(escape(query.cookie))
     elif query.all:
         number = len(cookies)