From c09fb17375c4c47b49524c688288af1fe20e730a Mon Sep 17 00:00:00 2001
From: Zack Scholl
Date: Mon, 26 Jul 2021 08:19:57 -0700
Subject: [PATCH] sanitize url

---
 rwtxt.go | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/rwtxt.go b/rwtxt.go
index 2918d51..4b63bbf 100644
--- a/rwtxt.go
+++ b/rwtxt.go
@@ -11,12 +11,15 @@ import (
 	"time"
 
 	"github.com/gorilla/websocket"
+	"github.com/microcosm-cc/bluemonday"
 	"github.com/schollz/documentsimilarity"
 	log "github.com/schollz/logger"
 	"github.com/schollz/rwtxt/pkg/db"
 	"github.com/schollz/rwtxt/pkg/utils"
 )
 
+var pbclean = bluemonday.UGCPolicy()
+
 const DefaultBind = ":8152"
 
 type RWTxt struct {
@@ -216,7 +219,7 @@ Disallow: /`))
 		return rwt.handleStatic(w, r)
 	}
-	fields := strings.Split(r.URL.Path, "/")
+	fields := strings.Split(pbclean.Sanitize(r.URL.Path), "/")
 	tr := NewTemplateRender(rwt)
 	tr.Domain = "public"
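Review bot: `pbclean` is an HTML-fragment sanitizer policy, and the one place this commit uses it (the second hunk, wrapping `r.URL.Path` before the `strings.Split`) is a decoded URL path, where it rewrites rather than validates: bluemonday HTML-escapes the text it keeps, so a path such as `/a&b` comes back as `/a&amp;b` and the route resolves to a different page, while nothing about the path itself (an empty field, a `..` segment) is actually checked. If the concern is path text being echoed into a page, escaping belongs at output via html/template rather than mutating the routing key; if the concern is path validation, each split field needs an explicit check instead. The new package-level variable has no comment; I would add `// pbclean is the bluemonday UGC policy applied to r.URL.Path in the request handler.` above it. The handler that the second hunk patches starts and ends outside that hunk.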