author | Matthew Somerville <matthew@mysociety.org> | 2019-11-26 17:09:56 +0000 |
---|---|---|
committer | Matthew Somerville <matthew@mysociety.org> | 2019-12-09 09:38:03 +0000 |
commit | 6c2d3d5a7d84521d34daa2cf7e4be76a54b3b0e0 (patch) | |
tree | 75ef8cd6e1df444572ae5ec3a4048e6c3366a088 /perllib/FixMyStreet/DB/Result/Comment.pm | |
parent | a4290acdff6781979cc3cd7c0142d553236e5666 (diff) |
Switch to default-escaped in templates.
This means any variable used in a template is automatically
HTML-escaped, unless it is marked as safe either in code by
using a SafeString, or in the template with the `mark_safe`
function or the `safe` filter.
Diffstat (limited to 'perllib/FixMyStreet/DB/Result/Comment.pm')
-rw-r--r-- | perllib/FixMyStreet/DB/Result/Comment.pm | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/perllib/FixMyStreet/DB/Result/Comment.pm b/perllib/FixMyStreet/DB/Result/Comment.pm
index 1ffcc7b40..99c5b6dab 100644
--- a/perllib/FixMyStreet/DB/Result/Comment.pm
+++ b/perllib/FixMyStreet/DB/Result/Comment.pm
@@ -101,6 +101,7 @@ __PACKAGE__->load_components("+FixMyStreet::DB::RABXColumn");
 __PACKAGE__->rabx_column('extra');
 use Moo;
+use FixMyStreet::Template::SafeString;
 use namespace::clean -except => [ 'meta' ];
 use FixMyStreet::Template;
@@ -201,7 +202,7 @@ sub moderation_filter {
 =head2 meta_line
 Returns a string to be used on a report update, describing some of the metadata
-about an update
+about an update. Can include HTML.
 =cut
@@ -225,6 +226,7 @@ sub meta_line {
 } else {
 $body = $self->user->body;
 }
+ $body = FixMyStreet::Template::html_filter($body);
 if ($body eq 'Bromley Council') {
 $body = "$body <img src='/cobrands/bromley/favicon.png' alt=''>";
 } elsif ($body eq 'Royal Borough of Greenwich') {
@@ -259,7 +261,7 @@ sub meta_line {
 $meta .= ', ' . _( 'and a defect raised' );
 }
- return $meta;
+ return FixMyStreet::Template::SafeString->new($meta);
 };
 sub problem_state_processed { |
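Review bot: The `eq` tests against 'Bromley Council' and 'Royal Borough of Greenwich' in the -225 hunk now run on the escaped value, because the added `html_filter` call sits before the `if`. Both literals visible here contain no HTML metacharacters, so they still match, but a body name with `&` or a quote added to this chain later would silently stop matching once escaped. Comparing the raw name and escaping only where the markup is built keeps the two concerns apart, for example `my $body_html = FixMyStreet::Template::html_filter($body);` with `$body_html` used in the interpolated strings. The `if`/`elsif` chain and the rest of `meta_line` continue outside the hunk.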
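Review bot: Wrapping the whole of `$meta` in `SafeString` at the `return` in the -259 hunk means the template will no longer escape any part of it, so every value interpolated earlier in `meta_line` has to be escaped at the point of concatenation. The diff shows that only for `$body`; the rest of the function lies outside the hunk context, so any user-supplied name or similar field assembled there should be checked for the same `html_filter` treatment. A comment above the return would record the invariant, for example `# $meta is returned as SafeString: escape every interpolated value before appending`. Callers that treat the result as a plain string (comparison, non-HTML output) now receive an object, which may be worth confirming.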