From 98eddc78cbda00fb35134a4f5deeb6cdde420d3a Mon Sep 17 00:00:00 2001
From: Julian Lam <julian@nodebb.org>
Date: Thu, 26 Oct 2017 17:54:55 -0400
Subject: [PATCH] escaping message text in parse.raw

---
 src/messaging.js | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/messaging.js b/src/messaging.js
index 9a53f327ce..932f388fe1 100644
--- a/src/messaging.js
+++ b/src/messaging.js
@@ -78,6 +78,9 @@ Messaging.parse = function (message, fromuid, uid, roomId, isNew, callback) {
 			return callback(err);
 		}
 
+		parsed = S(parsed).stripTags().decodeHTMLEntities().s;
+		parsed = validator.escape(String(parsed));
+
 		var messageData = {
 			message: message,
 			parsed: parsed,