From 0415828e271476e201b883d5054e6ca55ed74444 Mon Sep 17 00:00:00 2001 From: ccd0 Date: Tue, 13 May 2014 14:20:19 -0700 Subject: [PATCH] Disallow custom HTML in file info format. I doubt anyone is using it, and if someone manages to inject a malicious script into the page, this could be used to install a script permanently to be executed each time 4chan is visited. I'll mention it in the changelog, and if anyone complains, I can add it back with some security checks. --- src/Miscellaneous/FileInfo.coffee | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/Miscellaneous/FileInfo.coffee b/src/Miscellaneous/FileInfo.coffee index 2a8c01fcc..7bcdec103 100755 --- a/src/Miscellaneous/FileInfo.coffee +++ b/src/Miscellaneous/FileInfo.coffee @@ -9,11 +9,11 @@ FileInfo = return if !@file or @isClone @file.text.innerHTML = "#{FileInfo.format Conf['fileInfo'], @}" format: (formatString, post) -> - formatString.replace /%([A-Za-z])/g, (s, c) -> + formatString.replace /%([A-Za-z])|[^%]+/g, (s, c) -> if c of FileInfo.formatters FileInfo.formatters[c].call(post) else - s + FileInfo.escape s convertUnit: (size, unit) -> if unit is 'B' return "#{size.toFixed()} Bytes"
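Review bot: the escaping added at `FileInfo.escape s` only covers the literal text between placeholders; the values returned by `FileInfo.formatters[c].call(post)` still go into `@file.text.innerHTML` unescaped, so this hunk removes custom HTML from the user's format string but not from whatever the formatters themselves emit. Please confirm that every formatter escapes any post-derived value it returns (a file name, for example), or escape the formatter result here as well, and that `FileInfo.escape` is actually defined, since it does not appear in this diff. One more point on the new pattern `/%([A-Za-z])|[^%]+/g`: a `%` followed by a non-letter, or a trailing `%`, matches neither alternative and is left in place by `replace` without passing through `FileInfo.escape`; that is harmless for HTML, but a short comment next to the regex would make the intent clear.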