From 7cba752f8a3e3296340f733915526ffdfa66f1ef Mon Sep 17 00:00:00 2001
From: Michael Vogel
Date: Sun, 16 Feb 2014 17:35:01 +0100
Subject: [PATCH] parse url: Characters like < and > has to be escaped when showing the parsed output.
---
 mod/parse_url.php | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/mod/parse_url.php b/mod/parse_url.php
index cf52011f15..66ad1e57ce 100644
--- a/mod/parse_url.php
+++ b/mod/parse_url.php
@@ -327,12 +327,14 @@ function parse_url_content(&$a) {
 if($url && $title && $text) {
+ $title = str_replace(array("\r","\n"),array('',''),$title);
+ if($textmode) $text = '[quote]' . trim($text) . '[/quote]' . $br;
- else
- $text = '
' . trim($text) . '

';
-
- $title = str_replace(array("\r","\n"),array('',''),$title);
+ else {
+ $text = '
' . htmlspecialchars(trim($text)) . '

';
+ $title = htmlspecialchars($title);
+ }
 $result = sprintf($template,$url,($title) ? $title : $url,$text) . $str_tags;
@@ -381,7 +383,7 @@ function parse_url_content(&$a) {
 if($textmode) $text = '[quote]'.trim($text).'[/quote]';
 else
- $text = '
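Review bot: htmlspecialchars() is called without explicit flags or charset on both the `$text` and the `$title` line of this hunk, and again on the `$text` line in the hunk at 381; before PHP 8.1 the default ENT_COMPAT leaves single quotes unescaped and the charset falls back to the runtime default, so make both explicit: `htmlspecialchars(trim($text), ENT_QUOTES, 'UTF-8')` and `htmlspecialchars($title, ENT_QUOTES, 'UTF-8')`. The `$url` handed to sprintf() on the `$result` line (and substituted for the title when `$title` is empty) still reaches the HTML template unescaped in the non-textmode branch; unless it is validated before this point, which is not visible here, it needs the same treatment. parse_url_content() starts and ends outside this hunk.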
'.trim($text).'
'; + $text = '
'.htmlspecialchars(trim($text)).'
';
 }
 if($image) {