From 92df1d792a2e879b370dec2ee654420d0a564938 Mon Sep 17 00:00:00 2001
From: Yohan Boniface
Date: Tue, 17 Dec 2024 18:49:49 +0100
Subject: [PATCH] fixup: escape Wikipedia HTML, just in case
---
 umap/static/umap/js/modules/rendering/template.js | 2 +-
 umap/static/umap/js/modules/utils.js | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/umap/static/umap/js/modules/rendering/template.js b/umap/static/umap/js/modules/rendering/template.js
index 80f0be0b..39854c6e 100644
--- a/umap/static/umap/js/modules/rendering/template.js
+++ b/umap/static/umap/js/modules/rendering/template.js
@@ -271,7 +271,7 @@ class Wikipedia extends PopupTemplate {
 const extract = page.extract || ''
 const thumbnail = page.thumbnail?.source
 const [content, { image }] = Utils.loadTemplateWithRefs(
- `

${title}

${extract}
` + `

${Utils.escapeHTML(title)}

${Utils.escapeHTML(extract)}
`
 )
 if (thumbnail) {
 image.src = thumbnail
diff --git a/umap/static/umap/js/modules/utils.js b/umap/static/umap/js/modules/utils.js
index 19085ec3..2f70edf4 100644
--- a/umap/static/umap/js/modules/utils.js
+++ b/umap/static/umap/js/modules/utils.js
@@ -115,6 +115,8 @@ export function escapeHTML(s) {
 'span',
 'dt',
 'dd',
+ 'b',
+ 'i',
 ],
 ADD_ATTR: [
 'target',
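Review bot: `Utils.escapeHTML(title)` and `Utils.escapeHTML(extract)` on the added template line look like calls to a sanitizer rather than an escaper: the utils.js hunk of this same commit shows the function configured with a tag allowlist (`'span'`, `'dt'`, `'dd'`, now `'b'`, `'i'`) and `ADD_ATTR`, which is a DOMPurify option name, so markup in `extract` that matches the allowlist is still rendered into the popup. That is presumably intended for the extract, but `title` is plain text and never needs to carry tags, so a stricter path is available for it — if `loadTemplateWithRefs` can hand back a ref for the title element, assigning `titleEl.textContent = title` avoids interpolating it into HTML at all. Either way a why-comment at the call site would keep the next reader from assuming full escaping, e.g. `// escapeHTML() sanitizes with a tag allowlist (keeps <b>/<i> in Wikipedia extracts); it is not a plain-text escaper`. The enclosing method of `Wikipedia` starts before this hunk and continues after it, and the removed and added template lines are garbled in this rendering, so the exact markup they contain cannot be checked here.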
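Review bot: The two added entries `'b'` and `'i'` widen the tag allowlist without a comment saying why; they are presentational tags with no URL-bearing attributes, so the added exposure is limited, but a note such as `// 'b'/'i': inline formatting kept in sanitized extracts (see rendering/template.js)` would keep the list reviewable the next time it grows. More generally the function is named `escapeHTML` while the visible body is a sanitizer configuration (tag allowlist plus `ADD_ATTR: ['target', …]`); a JSDoc line above it such as `/** Sanitize untrusted HTML against a tag allowlist — allowed tags are preserved, so this is not a text escaper. */` would stop callers from using it where every character must be escaped. `escapeHTML`'s body starts and ends outside this hunk, so the sanitizer call itself and any `ALLOWED_TAGS` key cannot be confirmed from here.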