fix(ticket): escape HTML in user-provided trac content

Author: timmywil

eleventy.config.js

@@ -124,12 +124,14 @@ module.exports = function (eleventyConfig) {
     const codes = []
     const pres = []
     return (
-      // TODO: sanitize HTML content
       text
         // Newlines have extra escapes in the strings
         .replace(/\\\n/g, '\n')
+        // Escape HTML
+        .replace(/</g, '&lt;')
+        .replace(/>/g, '&gt;')
         // Replace `` with <code> tags
-        .replace(/`([^`]+?)`/g, (_match, code) => {
+        .replace(/`([^\r\n`]+?)`/g, (_match, code) => {
           codes.push(code) // Save the code for later
           return `<code></code>`
         })

public/css/index.css

@@ -76,6 +76,9 @@ body {
   background-repeat: repeat-x;
   background-position: 50% 0;
 }
+th, tr {
+  font-family: var(--font-family-alternate);
+}
 .container {
   width: 100%;
   max-width: 910px;