From 574e35a720adea4132ae91ce1c70ca0c34461d6c Mon Sep 17 00:00:00 2001
From: matthewmcgarvey
Date: Wed, 19 Jan 2022 09:01:13 -0600
Subject: [PATCH] HTML escape user input
---
 src/invidious/routes/search.cr | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/invidious/routes/search.cr b/src/invidious/routes/search.cr
index 5f9bf5e0..19f33a40 100644
--- a/src/invidious/routes/search.cr
+++ b/src/invidious/routes/search.cr
@@ -56,7 +56,7 @@ module Invidious::Routes::Search
 begin
 search_query, count, videos, operators = process_search_query(query, page, user, region: region)
 rescue ex : ChannelSearchException
- return error_template(404, "Unable to find channel with id of '#{ex.channel}'. Are you sure that's an actual channel id? It will look like 'UC4QobU6STFB0P71PMvOGN5A'.")
+ return error_template(404, "Unable to find channel with id of '#{HTML.escape(ex.channel)}'. Are you sure that's an actual channel id? It will look like 'UC4QobU6STFB0P71PMvOGN5A'.")
 rescue ex
 return error_template(500, ex)
 end
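Review bot: Escaping only at this call site in the `rescue ex : ChannelSearchException` branch suggests that `error_template` emits its message string as raw HTML, so any other caller that interpolates request-derived text has to remember `HTML.escape` on its own or it reflects markup back to the browser. The `rescue ex` branch directly below passes the exception object to `error_template(500, ex)`; whether that overload escapes the exception message is not visible in this hunk and should be confirmed. A comment above the changed line would record the contract, for example `# error_template renders the message as HTML; escape anything taken from the request`. The enclosing route method starts and ends outside the hunk.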