tylerbutler / xkcd2

http://www.tylerbutler.com/2012/05/17/xkcd-2/
MIT License

Title and title text are not HTML escaped #10

Open lucaswerkmeister opened 6 years ago

lucaswerkmeister commented 6 years ago

This is the beginning of the title text of the current xkcd comic, #2043:

The <x> that is held by <y> is also a <y><x>, so if you go to a food truck, the stuff you buy is truck food…

On xkcd2, it looks like this:

The that is held by is also a , so if you go to a food truck, the stuff you buy is truck food…

xkcd2 isn’t escaping the < and > characters, so the browser interprets the <x>s and <y>s like tags (for unknown elements, unclosed).
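The behaviour reported above, reproduced as an added example (not code from xkcd2 or from either commenter). `render_title_text` is a hypothetical stand-in for the site's template, and Python's standard-library `html.parser` stands in for the browser's parser; the sample string is the title-text prefix quoted in the issue.

```python
import html
from html.parser import HTMLParser

# Sample input: the title-text prefix quoted in the issue (\u2026 is the ellipsis).
TITLE_TEXT = ("The <x> that is held by <y> is also a <y><x>, so if you go to "
              "a food truck, the stuff you buy is truck food\u2026")


class _Collector(HTMLParser):
    """Records what an HTML parser sees: start tags and visible text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []
        self.text = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_data(self, data):
        self.text.append(data)


def render_title_text(title_text, escape):
    """Hypothetical template: place the title text inside a <p> element.

    With escape=False the value is interpolated as-is (the reported bug);
    with escape=True the characters &, <, >, " and ' become entities first.
    """
    value = html.escape(title_text, quote=True) if escape else title_text
    return "<p>%s</p>" % value


def browser_view(markup):
    """Return (start tags seen, visible text with whitespace collapsed)."""
    collector = _Collector()
    collector.feed(markup)
    collector.close()
    return collector.tags, " ".join("".join(collector.text).split())


if __name__ == "__main__":
    for escape in (False, True):
        tags, text = browser_view(render_title_text(TITLE_TEXT, escape))
        print("escape=%s tags=%s" % (escape, tags))
        print("  visible:", text)
```

Run without escaping, the parser reports the unknown elements `x` and `y` and the visible text loses them; with escaping, only `p` is seen and the text round-trips unchanged.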

tylerbutler commented 6 years ago

Looks like the change in #11 was not fully correct. Shame on me for not testing better before merging! 😄 This is what it looks like:

image

I'm reverting #11 for now and re-opening this bug for a closer look.

lucaswerkmeister commented 6 years ago

Hm, could that be a Python 2 vs. 3 difference? I tested with Python 3, using this patch:

diff --cc xkcd2.py
index 182cadd,182cadd..126354d
--- a/xkcd2.py
+++ b/xkcd2.py
@@@ -3,7 -3,7 +3,7 @@@ import httplib
  import json
  import re
  from flask import Flask, render_template, redirect, url_for
--from path import path
++from path import Path
  from typogrify import filters as jinja2_filters

  try:
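Review bot: The `++from path import Path` line drops the lowercase `path` name without a fallback, so the module now fails at import time on any environment whose installed release of the path library only exports the lowercase name. Either pin a release of that dependency that exports `Path` together with this change, or wrap the import so it tries `Path` first and falls back to `path`, and keep the call site in `get_comic` using whichever name was bound.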
@@@ -72,9 -72,9 +72,9 @@@ def get_comic(comic_id=None)
      if resp['status'] in ('404', '500', '401'):
          raise InvalidComicException('Invalid comic id %s' % comic_id)

--    content = unicode(content, encoding='utf8')
++    # content = unicode(content, encoding='utf8')

--    cache_file = path(__file__).dirname() / ('_cache/%s.xkcd' % comic_id)
++    cache_file = Path(__file__).dirname() / ('_cache/%s.xkcd' % comic_id)

      if resp.fromcache and cache_file.exists():  # check if httplib2 loaded the page from its own cache
          with open(cache_file, mode='rb') as f:
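Review bot: Commenting out `content = unicode(content, encoding='utf8')` in `get_comic` removes the decode step instead of porting it, so if `content` is still the raw response body it stays a byte string on Python 3 and is no longer decoded on Python 2 either, which changes the type of everything downstream of this line on both interpreters. Replace it with `content = content.decode('utf8')`, which behaves the same on 2 and 3, and delete the commented-out line rather than leaving it in the file.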

I tried testing it with Python 2 now, but even after installing all the dependencies it doesn’t work:

ValueError: unsupported pickle protocol: 3