Diffstat (limited to 'public')
| -rw-r--r-- | public/js/lib/views/room/chat.js | 5 | ||||
| -rw-r--r-- | public/js/lib/views/room/room.js | 9 | ||||
| -rw-r--r-- | public/js/vendor/util.js | 1 |
3 files changed, 6 insertions, 9 deletions
diff --git a/public/js/lib/views/room/chat.js b/public/js/lib/views/room/chat.js index 222522f..0932e47 100644 --- a/public/js/lib/views/room/chat.js +++ b/public/js/lib/views/room/chat.js @@ -24,8 +24,8 @@ var ChatView = View.extend({ this.seen[key] = true var $el = $( this.template ) - $el.find(".nick").html(msg.nick) - $el.find(".msg").html(msg.msg) + $el.find(".nick").html(sanitize(msg.nick)) + $el.find(".msg").html(sanitizeHTML(msg.msg)) this.$messages.append($el) if (! this.scrolled) { this.scrollToBottom() @@ -34,7 +34,6 @@ var ChatView = View.extend({ send: function(e){ e && e.preventDefault() - console.log("hi") var val = this.$msg.sanitize() this.$msg.focus() if (! val) return diff --git a/public/js/lib/views/room/room.js b/public/js/lib/views/room/room.js index 3b3b253..13f08ce 100644 --- a/public/js/lib/views/room/room.js +++ b/public/js/lib/views/room/room.js @@ -1,5 +1,3 @@ -var chat - var RoomView = View.extend({ events: { @@ -11,20 +9,19 @@ var RoomView = View.extend({ var base = this this.name = name - chat = this.chatView = new ChatView (socket) + this.chatView = new ChatView (socket) this.userlist = new UserlistView (socket) - app.socket.emit("join", { nick: user.username }) app.socket.on("welcome", function(room){ - room.messages.forEach(chat.add) + room.messages.forEach(base.chat.add) base.userlist.users = room.users base.userlist.update() }) app.socket.on("message", function(msg){ - chat.add(msg) + base.chat.add(msg) }) } diff --git a/public/js/vendor/util.js b/public/js/vendor/util.js index 73a25ad..3637f49 100644 --- a/public/js/vendor/util.js +++ b/public/js/vendor/util.js 
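Review bot: Both new calls in the first chat.js hunk still go through `.html()`, so anything sanitize() or sanitizeHTML() lets through is parsed as markup in every client that renders the message. Since the nick and the message body are plain text, `$el.find(".nick").text(msg.nick)` and `$el.find(".msg").text(msg.msg)` would have jQuery do the escaping and leave no hand-written filter on the rendering path. Both helpers also call `.replace` on any truthy value, so a non-string `msg.nick` or `msg.msg` arriving over the socket would throw here; wrapping the value in `String(...)` would cover that if `.html()` is kept. The enclosing method starts and ends outside the hunk.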
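Review bot: In the second room.js hunk the view is stored as `this.chatView`, but both socket handlers now call `base.chat.add`. No visible line assigns `chat`, so unless View sets it elsewhere, both handlers throw a TypeError on the first "welcome" or "message" event. `room.messages.forEach(base.chat.add)` also passes the method unbound, with the index and array as extra arguments, while the rendering method in the chat.js hunk (presumably add) reads `this.seen` and `this.template`. I would write `room.messages.forEach(function(msg){ base.chatView.add(msg) })` and `base.chatView.add(msg)`. The initializer begins above the hunk.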
@@ -14,6 +14,7 @@ function trim (s){ return s.replace(/^\s+/,"").replace(/\s+$/,"") } function sanitize (s){ return (s || "").replace(new RegExp("[<>&]", 'g'), "") } function sanitizeName (s){ return (s || "").replace(new RegExp("[^-_a-zA-Z0-9]", 'g'), "") } function stripHTML (s){ return (s || "").replace(/<[^>]+>/g, "") } +function sanitizeHTML (s){ return (s || "").replace(/&/g, "&").replace(/</g, "<").replace(/>/g, ">") } function capitalize (s){ return s.split(" ").map(capitalizeWord).join(" ") } function capitalizeWord (s){ return s.charAt(0).toUpperCase() + s.slice(1) } function slugify (s){ return (s || "").toLowerCase().replace(/\s/g,"-").replace(/[^-_a-zA-Z0-9]/g, '-').replace(/-+/g,"-") } |
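Review bot: As this page renders it, sanitizeHTML replaces `&`, `<` and `>` with themselves. That is probably the page decoding the entities, but the committed file should be checked, because a literal no-op would put msg.msg into `.html()` unescaped. Assuming the replacements are the usual entities, the function still leaves `"` and `'` alone, so it is safe only for element content and not inside attribute values. A comment such as `// escapes for element content only; do not use inside attribute values` would record that, or the chain could add `.replace(/"/g, "&quot;").replace(/'/g, "&#39;")`. `(s || "")` also passes any truthy non-string through to `.replace`, which throws.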
