HTML escape user input

2022-01-19 09:01:13 -06:00 · 2022-01-19 09:01:13 -06:00 · 574e35a720
--- a/src/invidious/routes/search.cr
+++ b/src/invidious/routes/search.cr
@ -56,7 +56,7 @@ module Invidious::Routes::Search
      begin
        search_query, count, videos, operators = process_search_query(query, page, user, region: region)
      rescue ex : ChannelSearchException
-        return error_template(404, "Unable to find channel with id of '#{ex.channel}'. Are you sure that's an actual channel id? It will look like 'UC4QobU6STFB0P71PMvOGN5A'.")
+        return error_template(404, "Unable to find channel with id of '#{HTML.escape(ex.channel)}'. Are you sure that's an actual channel id? It will look like 'UC4QobU6STFB0P71PMvOGN5A'.")
      rescue ex
        return error_template(500, ex)
      end