| author | r <r@freesoftwareextremist.com> | 2021-04-23 10:19:09 +0000 | 
|---|---|---|
| committer | r <r@freesoftwareextremist.com> | 2021-04-23 10:19:09 +0000 | 
| commit | 469f2d1d25f0b266abb15eab410131ebe1856aad (patch) | |
| tree | 9d43be7fd30af12d186e5a54adf2ee9228f3243b | |
| parent | bd74cb50e7e7be61f88687bc2d5f7ac63b45ea70 (diff) | |
Fix HTML escaping
| -rw-r--r-- | service/service.go | 11 | ||||
| -rw-r--r-- | templates/header.tmpl | 2 | ||||
| -rw-r--r-- | templates/search.tmpl | 2 | ||||
| -rw-r--r-- | templates/status.tmpl | 6 | ||||
| -rw-r--r-- | templates/usersearch.tmpl | 2 | 
5 files changed, 10 insertions, 13 deletions
|
diff --git a/service/service.go b/service/service.go
index 5d80c28..d548342 100644
--- a/service/service.go
+++ b/service/service.go
@@ -3,7 +3,6 @@ package service
 import (
 	"errors"
 	"fmt"
-	"html/template"
 	"mime/multipart"
 	"net/url"
 	"strings"
@@ -560,16 +559,15 @@ func (s *service) UserSearchPage(c *client,
 			url.QueryEscape(q), offset)
 	}
-	qq := template.HTMLEscapeString(q)
 	if len(q) > 0 {
-		title += " \"" + qq + "\""
+		title += " \"" + q + "\""
 	}
 	cdata := s.cdata(c, title, 0, 0, "")
 	data := &renderer.UserSearchData{
 		CommonData: cdata,
 		User:       user,
-		Q:          qq,
+		Q:          q,
 		Statuses:   results.Statuses,
 		NextLink:   nextLink,
 	}
@@ -620,15 +618,14 @@ func (s *service) SearchPage(c *client,
 			url.QueryEscape(q), qType, offset)
 	}
-	qq := template.HTMLEscapeString(q)
 	if len(q) > 0 {
-		title += " \"" + qq + "\""
+		title += " \"" + q + "\""
 	}
 	cdata := s.cdata(c, title, 0, 0, "")
 	data := &renderer.SearchData{
 		CommonData: cdata,
-		Q:          qq,
+		Q:          q,
 		Type:       qType,
 		Users:      results.Accounts,
 		Statuses:   results.Statuses,
diff --git a/templates/header.tmpl b/templates/header.tmpl
index 1abb6dd..8eb53f6 100644
--- a/templates/header.tmpl
+++ b/templates/header.tmpl
@@ -17,7 +17,7 @@
 	{{if .RefreshInterval}}
 	<meta http-equiv="refresh" content="{{.RefreshInterval}}">
 	{{end}}
-	<title> {{if gt .Count 0}}({{.Count}}){{end}} {{.Title}} </title>
+	<title> {{if gt .Count 0}}({{.Count}}){{end}} {{.Title | html}} </title>
 	<link rel="stylesheet" href="/static/style.css">
 	{{if .CustomCSS}}
 	<link rel="stylesheet" href="{{.CustomCSS}}">
diff --git a/templates/search.tmpl b/templates/search.tmpl
index 0473d4a..7338cad 100644
--- a/templates/search.tmpl
+++ b/templates/search.tmpl
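Review bot: `q` now reaches `title` and `UserSearchData.Q` unescaped in UserSearchPage, and likewise `SearchData.Q` in the SearchPage hunk, so the only thing between the request's query string and the page markup is the `| html` each template applies. That holds for the templates this commit touches, but it is opt-in per interpolation: a later `{{.Q}}` or `{{.Title}}` without the pipe reintroduces reflected markup injection. A comment at the assignment would record the contract, e.g. `// q is raw user input; templates must render .Q and .Title through "| html"`. If the renderer is built on text/template (inferred from the manual escaping; the renderer is not shown), moving it to html/template would make escaping contextual and on by default. Both function bodies start and end outside their hunks.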
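Review bot: `.CustomCSS` on the last context line of the header.tmpl hunk is still written into `href="…"` without `| html`, while the title a few lines above now gets it. The value is probably operator configuration (not visible here), so this is a consistency fix rather than a known hole: `<link rel="stylesheet" href="{{.CustomCSS | html}}">`. Because `{{.Title | html}}` now escapes every page title, any caller that still pre-escapes its title before `s.cdata` would show doubled entities, which is worth a quick grep.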
@@ -5,7 +5,7 @@
 <form class="search-form" action="/search" method="GET">
 	<span class="post-form-field">
 		<label for="query"> Query </label>
-		<input id="query" name="q" value="{{.Q}}">
+		<input id="query" name="q" value="{{.Q | html}}">
 	</span>
 	<span class="post-form-field">
 		<label for="type"> Type </label>
diff --git a/templates/status.tmpl b/templates/status.tmpl
index d6bfedf..7dcc0b6 100644
--- a/templates/status.tmpl
+++ b/templates/status.tmpl
@@ -88,7 +88,7 @@
 				{{end}}
 			</div>
 			{{if .Content}}
-			<div class="status-content"> {{StatusContentFilter .SpoilerText .Content .Emojis .Mentions}} </div>
+			<div class="status-content"> {{StatusContentFilter (html .SpoilerText) .Content .Emojis .Mentions}} </div>
 			{{end}}
 			{{if .MediaAttachments}}
 			<div class="status-media-container">
@@ -153,12 +153,12 @@
 				{{range $i, $o := .Poll.Options}}
 				<div class="poll-option">
 					{{if (or $s.Poll.Expired $s.Poll.Voted)}}
-					<div> {{EmojiFilter $o.Title $s.Emojis}} - {{$o.VotesCount}} votes </div>
+					<div> {{EmojiFilter $o.Title $s.Emojis | html}} - {{$o.VotesCount}} votes </div>
 					{{else}}
 					<input type="{{if $s.Poll.Multiple}}checkbox{{else}}radio{{end}}" name="choices" 
 						id="poll-{{$s.ID}}-{{$i}}" value="{{$i}}">
 					<label for="poll-{{$s.ID}}-{{$i}}"> 
-						{{EmojiFilter $o.Title $s.Emojis}} 
+						{{EmojiFilter $o.Title $s.Emojis | html}} 
 					</label>
 					{{end}}
 				</div>
diff --git a/templates/usersearch.tmpl b/templates/usersearch.tmpl
index 3f42f28..ee84143 100644
--- a/templates/usersearch.tmpl
+++ b/templates/usersearch.tmpl
@@ -5,7 +5,7 @@
 <form class="search-form" action="/usersearch/{{.User.ID}}" method="GET">
 	<span class="post-form-field>
 		<label for="query"> Query </label>
-		<input id="query" name="q" value="{{.Q}}">
+		<input id="query" name="q" value="{{.Q | html}}">
 	</span>
 	<button type="submit"> Search </button>
 </form>
|
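Review bot: In the `status-content` line of status.tmpl only `.SpoilerText` is escaped; `.Content` is still handed to `StatusContentFilter` and emitted as markup. That is presumably intentional because the API returns status content as server-sanitised HTML, but it makes the instance the trust boundary and nothing in the template says so. I would add a template comment above the line, e.g. `{{/* .Content is HTML from the instance and is rendered as-is; .SpoilerText is plain text and must be escaped */}}`.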
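Review bot: Both poll-option lines in status.tmpl apply `html` to the output of `EmojiFilter` rather than to its input, the opposite order from the `(html .SpoilerText)` argument in the hunk above. If `EmojiFilter` substitutes `<img>` markup for shortcodes (its body is not shown), that markup is now escaped and custom emoji in poll options render as literal tags. Escaping the title first keeps the option text inert and leaves the filter output intact: `{{EmojiFilter (html $o.Title) $s.Emojis}}` on both lines. This assumes the filter itself escapes the emoji URL and shortcode it interpolates, which should be confirmed.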
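Review bot: The context line `<span class="post-form-field>` in usersearch.tmpl is missing its closing quote, so the `class` value runs on to the next `"` and swallows the `<label>` start tag. The `<input>` carrying `{{.Q | html}}` still parses as its own tag, but attribute escaping is only sound when the surrounding quoting is well-formed, so fix it in the same change: `<span class="post-form-field">`. `{{.User.ID}}` in the form `action` is also unescaped; if IDs are not guaranteed to be plain tokens, `{{.User.ID | html}}` is the consistent choice.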
