From 9c3f83c54f6bd55261079eea51fa468dc4ab8627 Mon Sep 17 00:00:00 2001
From: Krzysztof Powelski
Date: Wed, 5 Aug 2015 00:00:43 +0200
Subject: [PATCH] Escape HTML for .txt contents
---
 modules/cms/classes/Content.php | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/modules/cms/classes/Content.php b/modules/cms/classes/Content.php
index 429b24d96..7a5f75983 100644
--- a/modules/cms/classes/Content.php
+++ b/modules/cms/classes/Content.php
@@ -69,10 +69,17 @@ class Content extends CmsCompoundObject
 protected function parseMarkup()
 {
- $result = $this->markup;
+ $extension = strtolower(File::extension($this->fileName));
- if (strtolower(File::extension($this->fileName)) == 'md') {
- $result = Markdown::parse($this->markup);
+ switch ($extension) {
+ case 'txt':
+ $result = htmlspecialchars($this->markup);
+ break;
+ case 'md':
+ $result = Markdown::parse($this->markup);
+ break;
+ default:
+ $result = $this->markup;
 }
 return $result;
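Review bot: The `txt` case calls `htmlspecialchars($this->markup)` with default flags and charset, so before PHP 8.1 single quotes are left unescaped, and a file holding bytes that are invalid in the configured charset is returned as an empty string instead of its text. Passing the arguments explicitly makes the escaping independent of PHP version and ini settings: `$result = htmlspecialchars($this->markup, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`. The `default` branch still returns the markup unescaped, which looks intentional for HTML content files but also applies to any other plain-text extension or a file with no extension; a short comment above the `switch` stating that only `.txt` is treated as plain text would make that decision visible. The closing brace of parseMarkup() lies outside the hunk.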