From c5adc1e3fa2cfc39001d9213ce67e0b95a4ed382 Mon Sep 17 00:00:00 2001
From: sqozz
Date: Sat, 7 Apr 2018 02:31:03 +0200
Subject: [PATCH] Add escaping to displayed URLs
---
 schort.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/schort.py b/schort.py
index 8b942cf..5abe363 100755
--- a/schort.py
+++ b/schort.py
@@ -1,5 +1,5 @@
 #!/usr/bin/env python3
-from flask import Flask, render_template, url_for, request, redirect, abort
+from flask import Flask, render_template, url_for, request, redirect, abort, escape
 import sqlite3, random, string, time, hashlib, base64
 from urllib.parse import urlparse

@@ -21,10 +21,12 @@ def short(shortLink=""):
 parsedUrl = urlparse(url)
 if parsedUrl.scheme == "":
 url = "http://" + url
+
 if "resolve" in request.args:
- return url
+ return escape(url)
 else:
 if noauto:
+ url = escape(url)
 return "" + url + ""
 else:
 return redirect(url, code=301) # Redirect to long URL saved in the database
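Review bot: The import line takes `escape` from the `flask` namespace, which newer Flask releases no longer export, so this line will fail with an ImportError once the dependency is upgraded. Importing it from its home package, `from markupsafe import escape`, behaves the same and keeps working across Flask versions.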
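Review bot: HTML-escaping the URL does not constrain its scheme: the visible check only prepends `http://` when `parsedUrl.scheme == ""`, so a stored URL with any other scheme reaches both the `noauto` response and `redirect(url, code=301)` unchanged. If the literals in `return "" + url + ""` hold link markup in the real file (they appear empty here, probably lost in extraction), a scheme allowlist is needed as well as `escape`, for example `elif parsedUrl.scheme not in ("http", "https"): abort(400)` directly after the `http://` fallback. Separately, `escape()` returns a `Markup` object, and adding a plain `str` to `Markup` escapes that `str` too, so any markup in those literals would itself be rendered as text; `url = str(escape(url))` avoids that. The body of `short()` starts and ends outside the hunk, so validation at insert time may already exist but is not visible here.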