이스케이프 까먹음 보안 사고

route/view_diff.py

@@ -76,11 +76,11 @@ def view_diff(name = 'Test', num_a = 1, num_b = 1):
                             result += '</td></tr><tr><td style="width: 40px; user-select: none;">' + str(line) + '</td><td>'
 
                     if for_a[1] == 1:
-                        result += '<span style="background: #eaf2c2;">' + for_a[2] + '</span>'
+                        result += '<span style="background: #eaf2c2;">' + html.escape(for_a[2]) + '</span>'
                     elif for_a[1] == 0:
-                        result += for_a[2]
+                        result += html.escape(for_a[2])
                     else:
-                        result += '<span style="background: #fadad7;">' + for_a[2] + '</span>'
+                        result += '<span style="background: #fadad7;">' + html.escape(for_a[2]) + '</span>'
 
                 result += '</td></tr></table>'
 

version.json

@@ -1,6 +1,6 @@
 {
     "beta" : {
-        "r_ver" : "v3.4.6-RC3-dev212",
+        "r_ver" : "v3.4.6-RC3-dev213",
         "c_ver" : "3500361",
         "s_ver" : "3500111"
     }