From 5c3b86b3963ac8016a96efa30b1603c8debe3b3e Mon Sep 17 00:00:00 2001
From: Logan Hanks
Date: Tue, 23 Jul 2013 14:09:15 -0700
Subject: [PATCH] Fix injection vulnerability and jquery path in applying link flair.

---
 r2/r2/controllers/api.py | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/r2/r2/controllers/api.py b/r2/r2/controllers/api.py
index e9305fb8a..3ff234b16 100755
--- a/r2/r2/controllers/api.py
+++ b/r2/r2/controllers/api.py
@@ -3024,13 +3024,14 @@ class ApiController(RedditController, OAuth2ResourceController):
         # Push some client-side updates back to the browser.
-        jquery('.id-%s .entry .linkflair' % link._fullname).remove()
+        jquery('.id-%s .entry .linkflairlabel' % link._fullname).remove()
         title_path = '.id-%s .entry > .title > .title' % link._fullname
         # TODO: move this to a template
         if flair_template:
-            flair = '%s' % (
-                ' '.join('linkflair-' + c for c in css_class.split()), text)
+            flair = '%s' % (
+                ' '.join('linkflair-' + c for c in css_class.split()),
+                websafe(text))
             if site.link_flair_position == 'left':
                 jquery(title_path).before(flair)
             elif site.link_flair_position == 'right':