hacked injection. this is not a fix, it just hides problem #26

hayooFrontend/src/Hayoo/Common.hs

@@ -35,6 +35,7 @@ module Hayoo.Common
 , contextQueryName
 , ContextQuery ()
 , contextQueries
+, escapeScript
 ) where
 
 import           GHC.Generics (Generic)
@@ -54,7 +55,7 @@ import           Data.Data (Data)
 import           Data.Scientific (Scientific)
 import           Data.String (IsString, fromString)
 import           Data.String.Conversions (cs, (<>))
-import           Data.Text (Text, isInfixOf, splitOn, strip)
+import           Data.Text (Text, isInfixOf, splitOn, strip, replace)
 import           Data.Typeable (Typeable)
 --import           Data.Vector ((!))
 
@@ -121,6 +122,9 @@ getSRPackage :: SearchResult -> Text
 getSRPackage sr@NonPackageResult{} = resultPackage sr
 getSRPackage sr@PackageResult{} = resultName sr
 
+escapeScript :: (SearchResult -> Text) -> SearchResult -> Text
+escapeScript f sr = replace "<script" "&lt;script" $ replace "</script" "&lt;/script" $ f sr
+
 parsePackageResult score descr baseUri n = do
     dep <- descr .:? "dependencies" .!= []
     m  <- descr .:? "maintainer" .!= ""

hayooFrontend/src/Hayoo/Templates.hs

@@ -186,15 +186,15 @@ renderBoxedResult result@(NonPackageResult {}) = [Hamlet.hamlet|
                     #{m}
                  
         <div .description .more>
-            #{preEscapedToMarkup $ resultDescription result}
+            #{preEscapedToMarkup $ escapeScript resultDescription result}
 |]
 
 renderBoxedResult result@(PackageResult {}) = [Hamlet.hamlet|
 <div .panel .panel-default>
     ^{renderBoxedResultHeading result} 
     <div .panel-body>
         <div .description .more>
-            #{resultSynopsis result}
+            #{escapeScript resultSynopsis result}
 |]
 
 renderBoxedResults :: H.LimitedResult SearchResult -> Hamlet.HtmlUrl Routes