From d772c4802fc9a8109669ae4544bf7550c8e5efad Mon Sep 17 00:00:00 2001
From: Sebastian <sebastian@spawnhost.de>
Date: Mon, 4 Aug 2014 13:26:19 +0200
Subject: [PATCH] hacked injection. this is not a fix, it just hides problem
 #26

---
 hayooFrontend/src/Hayoo/Common.hs    | 6 +++++-
 hayooFrontend/src/Hayoo/Templates.hs | 4 ++--
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/hayooFrontend/src/Hayoo/Common.hs b/hayooFrontend/src/Hayoo/Common.hs
index 70149e7..5fe50fa 100644
--- a/hayooFrontend/src/Hayoo/Common.hs
+++ b/hayooFrontend/src/Hayoo/Common.hs
@@ -35,6 +35,7 @@ module Hayoo.Common
 , contextQueryName
 , ContextQuery ()
 , contextQueries
+, escapeScript
 ) where
 
 import           GHC.Generics (Generic)
@@ -54,7 +55,7 @@ import           Data.Data (Data)
 import           Data.Scientific (Scientific)
 import           Data.String (IsString, fromString)
 import           Data.String.Conversions (cs, (<>))
-import           Data.Text (Text, isInfixOf, splitOn, strip)
+import           Data.Text (Text, isInfixOf, splitOn, strip, replace)
 import           Data.Typeable (Typeable)
 --import           Data.Vector ((!))
 
@@ -121,6 +122,9 @@ getSRPackage :: SearchResult -> Text
 getSRPackage sr@NonPackageResult{} = resultPackage sr
 getSRPackage sr@PackageResult{} = resultName sr
 
+escapeScript :: (SearchResult -> Text) -> SearchResult -> Text
+escapeScript f sr = replace "<script" "&lt;script" $ replace "</script" "&lt;/script" $ f sr
+
 parsePackageResult score descr baseUri n = do
     dep <- descr .:? "dependencies" .!= []
     m  <- descr .:? "maintainer" .!= ""
diff --git a/hayooFrontend/src/Hayoo/Templates.hs b/hayooFrontend/src/Hayoo/Templates.hs
index 799cc30..d2d15f9 100644
--- a/hayooFrontend/src/Hayoo/Templates.hs
+++ b/hayooFrontend/src/Hayoo/Templates.hs
@@ -186,7 +186,7 @@ renderBoxedResult result@(NonPackageResult {}) = [Hamlet.hamlet|
                     #{m}
                 &nbsp;
         <div .description .more>
-            #{preEscapedToMarkup $ resultDescription result}
+            #{preEscapedToMarkup $ escapeScript resultDescription result}
 |]
 
 renderBoxedResult result@(PackageResult {}) = [Hamlet.hamlet|
@@ -194,7 +194,7 @@ renderBoxedResult result@(PackageResult {}) = [Hamlet.hamlet|
     ^{renderBoxedResultHeading result} 
     <div .panel-body>
         <div .description .more>
-            #{resultSynopsis result}
+            #{escapeScript resultSynopsis result}
 |]
 
 renderBoxedResults :: H.LimitedResult SearchResult -> Hamlet.HtmlUrl Routes