HTML Escape search queries
authorr <r@freesoftwareextremist.com>
Fri, 29 May 2020 10:41:59 +0000 (10:41 +0000)
committerr <r@freesoftwareextremist.com>
Fri, 29 May 2020 10:51:41 +0000 (10:51 +0000)
renderer/renderer.go
templates/search.tmpl
templates/usersearch.tmpl

index 4d35ba7249a3fef1d223551a035e6f76261c7412..a15bebff465d7dcbed9eb6ec0f68712e89e7b4ff 100644 (file)
@@ -2,6 +2,7 @@ package renderer
 
 import (
        "fmt"
+       htemplate "html/template"
        "io"
        "strconv"
        "strings"
@@ -145,6 +146,7 @@ func NewRenderer(templateGlobPattern string) (r *renderer, err error) {
                "FormatTimeRFC3339":       formatTimeRFC3339,
                "FormatTimeRFC822":        formatTimeRFC822,
                "WithContext":             withContext,
+               "HTMLEscape":              htemplate.HTMLEscapeString,
        }).ParseGlob(templateGlobPattern)
        if err != nil {
                return
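Review bot: Registering `htemplate.HTMLEscapeString` as a FuncMap entry makes escaping opt-in at every `{{...}}` site, and the alias plus the need for this helper suggest the renderer itself is built on text/template, so any interpolation that is not piped through HTMLEscape stays unescaped. If moving the renderer to html/template (which escapes according to context and also covers URL, JS and CSS attribute positions) is not feasible, the limitation should be documented next to the entry, e.g. `// HTMLEscape: safe only for HTML text and quoted-attribute contexts; not for URLs, JS or CSS.` NewRenderer starts and ends outside this hunk.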
index 560a2c970ae6da508fe53022f84c5400e8cce8e8..11c584adf2218ce07922b846d455bfdeb2886433 100644 (file)
@@ -5,7 +5,7 @@
 <form class="search-form" action="/search" method="GET">
        <span class="post-form-field>
                <label for="query"> Query </label>
-               <input id="query" name="q" value="{{.Q}}">
+               <input id="query" name="q" value="{{.Q | HTMLEscape}}">
        </span>
        <span class="post-form-field>
                <label for="type"> Type </label>
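Review bot: The `<span class="post-form-field>` on the two context lines around the changed input is missing its closing quote, so the browser reads the class value through to the next `"` in `<label for="` and mangles the label markup; the same typo appears in templates/usersearch.tmpl. It is not introduced here but is worth fixing in the same pass: `<span class="post-form-field">`. The change itself is correct for this quoted-attribute position, since HTMLEscapeString escapes both quote characters as well as `<`, `>` and `&`.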
index ca99b4c11e9589e01a8c239ba6109f1a35382645..e5f2bfc6311bb613598d0f9fab18b7995fa80726 100644 (file)
@@ -5,7 +5,7 @@
 <form class="search-form" action="/usersearch/{{.User.ID}}" method="GET">
        <span class="post-form-field>
                <label for="query"> Query </label>
-               <input id="query" name="q" value="{{.Q}}">
+               <input id="query" name="q" value="{{.Q | HTMLEscape}}">
        </span>
        <button type="submit"> Search </button>
 </form>
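Review bot: `{{.User.ID}}` in the form's action attribute, on the context line above the changed input, is still interpolated without HTMLEscape, so the fix covers only `.Q` in this template. If User.ID can originate from a request value rather than a server-side identifier, it needs encoding as well, and because it sits in a URL path the right encoder there is a URL encoder (html/template's URL-context escaping, or `url.PathEscape` applied before rendering), not HTMLEscapeString. If it is always a server-generated integer, a short comment in the template stating that would make the omission deliberate rather than an oversight.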