Get rid of reflected XSSes

[domenukk]

It seems like moet routes contain reflected cross site scripting.
This is bad, especially if hosted on the same subdomain as rocketchat or others.
Also, if we can't get this right, who can?

[Trolldemorted]

If we switch to handlebars everywhere, handlebars should (?) escape arbitrary strings correctly.

However, we need to dedice on what should actually happen if a button (insert and deploy) is pressed. cc @fsck

[domenukk]

There are still xsses sprinkled about, for example here:

ENOKEY/src/main.rs

Line 212 in 1962084

return content::Html(format!("Wrong AUTHKEY: {:?}", form));

There is probably no good reason to ever reflect invalid user input.

[Trolldemorted]

Imho we should throw out all content::Htmls, and use handlebars everywhere. Thoughts?

[domenukk]

As I said there is no reason to output the user input in error messages, static strings can never go wrong.
For anything else, handlebars is the way to go 👌

[Trolldemorted]

Nevertheless content::Html is an unneccessary footgun - I'd rather throw it out completely than have xss issues coming up repeatedly.