diff --git a/client/js/shout.js b/client/js/shout.js index ffac4046..1b080a6e 100644 --- a/client/js/shout.js +++ b/client/js/shout.js @@ -364,9 +364,8 @@ $(function() { }); socket.on("topic", function(data) { - // .text() escapes HTML but not quotes. That only matters with text inside attributes. var topic = $("#chan-" + data.chan).find(".header .topic"); - topic.text(data.topic); + topic.html(Handlebars.helpers.parse(data.topic)); // .attr() is safe escape-wise but consider the capabilities of the attribute topic.attr("title", data.topic); });