Escape HTML in output so that we don't have XSS vulnerabilities

src/models/documents.rs

@@ -25,8 +25,21 @@ impl Document {
 
         let parser = markdown::Parser::new_ext(&self.content, options);
 
+        // If we just process things as they are, we are vulnerable to XSS
+        // attacks, since users can inject any HTML they'd like. To prevent
+        // this, we convert any parsed HTML to just text. In the future, we can
+        // instead sanitize the HTML using something like
+        // [ammonia](https://crates.io/crates/ammonia) to make the HTML safer.
+        // Draws inspiration from
+        // [pulldown-cmark/pulldown-cmark#608](https://github.com/pulldown-cmark/pulldown-cmark/issues/608)
+        let escaped = parser.into_iter().map(|event| match event {
+            markdown::Event::Html(html) => markdown::Event::Text(html),
+            markdown::Event::InlineHtml(html) => markdown::Event::Text(html),
+            _ => event,
+        });
+
         let mut html_output = String::new();
-        markdown::html::push_html(&mut html_output, parser);
+        markdown::html::push_html(&mut html_output, escaped);
 
         html_output
     }