From 2c3d7d6116514d983d70b720e562e58d1d99e4ba Mon Sep 17 00:00:00 2001
From: Keegan McAllister
Date: Thu, 11 Oct 2012 13:30:33 -0400
Subject: [PATCH] HTML-escape messages on output

(imported from commit f199fddf887ffbd22ebac76448accb4c48b64a24)
---
 zephyr/models.py | 1 +
 zephyr/views.py | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/zephyr/models.py b/zephyr/models.py
index 1b2df4a8b1..a8df918ebd 100644
--- a/zephyr/models.py
+++ b/zephyr/models.py
@@ -13,6 +13,7 @@ import simplejson
 import markdown
 md_engine = markdown.Markdown(
 extensions = ['fenced_code', 'codehilite', 'nl2br'],
+ safe_mode = 'escape',
 output_format = 'xhtml'
 )
 def get_display_recipient(recipient):
diff --git a/zephyr/views.py b/zephyr/views.py
index 37e0c24842..d62d6b42a3 100644
--- a/zephyr/views.py
+++ b/zephyr/views.py
@@ -414,7 +414,7 @@ def send_message_backend(request, user_profile, sender):
 message = Message()
 message.sender = UserProfile.objects.get(user=sender)
- message.content = strip_html(request.POST['content'])
+ message.content = request.POST['content']
 message.recipient = recipient
 if message_type_name == 'stream':
 message.subject = subject_name
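Review bot: The added `safe_mode = 'escape'` on the module-level `md_engine` is now the only thing standing between stored user input and rendered HTML, and nothing in the hunk records that invariant; a comment on the keyword is warranted, e.g. `# Message bodies are stored raw (see send_message_backend); every render path must go through md_engine so raw HTML in user content is escaped here rather than stripped on input.` Any consumer that emits `Message.content` without calling `md_engine.convert()` (another template, an API serializer, a mail body) silently loses the escaping, so that contract belongs next to the engine that enforces it. Two caveats worth noting in the same comment: a Markdown instance shared at module scope keeps state across `convert()` calls and the Python-Markdown docs recommend `reset()` between conversions, and `safe_mode` is deprecated in later Python-Markdown releases and removed in 3.0, so the pinned version in requirements is part of this fix. The `md_engine` assignment is fully visible in the hunk; the surrounding module is not.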
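Review bot: The replacement line `message.content = request.POST['content']` drops the input-side `strip_html` without leaving any trace of why raw HTML is now acceptable to persist, which a later reader will read as an accidental removal and "fix"; the line needs a why-comment such as `# Stored verbatim: HTML is escaped at render time by md_engine (safe_mode='escape' in models.py), not stripped on input.` This also changes what is in the database for every message sent after the deploy (raw markup instead of stripped text), so rows written before and after now differ in shape, and any report or export that reads `content` directly inherits the rendering-side responsibility; calling that out in the commit message or the comment avoids surprises. Unrelated to this change but visible here, `request.POST['content']` raises on a missing key, so a request without `content` produces a 500 rather than a validation error, which is worth a follow-up. `send_message_backend` starts before this hunk, so whether `content` is validated earlier in the function cannot be seen here.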