From 60cc0ca11ab8c1e53913dac9ee1676e32793d72f Mon Sep 17 00:00:00 2001 From: callebtc <93376500+callebtc@users.noreply.github.com> Date: Fri, 25 Nov 2022 14:53:03 +0100 Subject: [PATCH] strip html --- lnbits/db.py | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/lnbits/db.py b/lnbits/db.py index f52b03914..7d15a3042 100644 --- a/lnbits/db.py +++ b/lnbits/db.py @@ -1,6 +1,7 @@ import asyncio import datetime import os +import re import time from contextlib import asynccontextmanager from typing import Optional @@ -71,6 +72,16 @@ class Connection(Compat): if self.type in {POSTGRES, COCKROACH}: query = query.replace("%", "%%") query = query.replace("?", "%s") + + # strip html + CLEANR = re.compile("<.*?>|&([a-z0-9]+|#[0-9]{1,6}|#x[0-9a-f]{1,6});") + + def cleanhtml(raw_html): + cleantext = re.sub(CLEANR, "", raw_html) + return cleantext + + query = cleanhtml(query) + return query async def fetchall(self, query: str, values: tuple = ()) -> list:
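Review bot: `query = cleanhtml(query)` applies the tag regex to the SQL statement text rather than to the bound `values` that `fetchall` takes separately, so any statement with a `<` followed later on the same line by `>` is silently rewritten; in `WHERE a < ? AND b > ?` everything from `<` through `>` is deleted, and a `<>` comparison disappears, which can drop a filter condition. If callers bind user data through `values`, as the `fetchall` signature suggests, that data never passes through the regex, so the change gives no protection against stored markup while risking altered queries. I would remove the block from this method and handle markup where it is rendered (template escaping) or in validation of the specific input fields. If a stripper is still wanted, apply it to those field values only and hoist `CLEANR = re.compile(...)` and `cleanhtml` to module level instead of rebuilding them on every call. The enclosing method starts above the hunk, so its name and its other callers are not visible here.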