Escapes results sent back to the browser

Author: rosenfeld

app/controllers/console_controller.rb

@@ -10,11 +10,17 @@ def run
     begin
       result_eval = eval params[:script], binding
       $stdout.rewind
-      result = %Q{<div class="stdout">#{$stdout.read}</div><div class="return">#{result_eval.inspect}</div>}
+      result = %Q{<div class="stdout">#{escape $stdout.read}</div>
+        <div class="return">#{escape result_eval.inspect}</div>}
     rescue Exception => e
       result = e.to_s
     end
     $stdout = stdout_orig
     render text: result.gsub("\n", "<br />\n")
   end
+
+private
+  def escape(content)
+    view_context.escape_once content
+  end
 end