authorr <r@freesoftwareextremist.com>2020-05-29 10:41:59 +0000
committerr <r@freesoftwareextremist.com>2020-05-29 10:51:41 +0000
commit1ae3c33b7df83cec8afdb5f8e3cc46a0919c9ac1 (patch)
tree139d14fdf693e7e698f0986777f8721a4b5516ca
parent051908cfb7595afe1a775bf7e87d7081548884b0 (diff)
HTML Escape search queries
-rw-r--r--renderer/renderer.go2
-rw-r--r--templates/search.tmpl2
-rw-r--r--templates/usersearch.tmpl2
3 files changed, 4 insertions, 2 deletions
diff --git a/renderer/renderer.go b/renderer/renderer.go
index 4d35ba7..a15bebf 100644
--- a/renderer/renderer.go
+++ b/renderer/renderer.go
@@ -2,6 +2,7 @@ package renderer
import (
"fmt"
+ htemplate "html/template"
"io"
"strconv"
"strings"
@@ -145,6 +146,7 @@ func NewRenderer(templateGlobPattern string) (r *renderer, err error) {
"FormatTimeRFC3339": formatTimeRFC3339,
"FormatTimeRFC822": formatTimeRFC822,
"WithContext": withContext,
+ "HTMLEscape": htemplate.HTMLEscapeString,
}).ParseGlob(templateGlobPattern)
if err != nil {
return
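Review bot: Registering `htemplate.HTMLEscapeString` as an opt-in template function means escaping only happens where a template author remembers to write `| HTMLEscape`; every other `{{…}}` interpolation in the templates stays a raw HTML sink. The alias `htemplate` suggests the templates themselves are parsed with `text/template` rather than `html/template` (the parser's own import is not visible in this hunk, so treat that as inferred); if so, the more robust fix is to parse with `html/template`, whose contextual auto-escaping covers attribute values, URL attributes and script contexts without per-site annotations, and with which this manual filter would double-escape. If the manual approach is kept, state the contract next to the added entry: `// HTMLEscape must wrap every untrusted value interpolated into HTML; the templates are not auto-escaped.` NewRenderer's body begins and ends outside this hunk.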
diff --git a/templates/search.tmpl b/templates/search.tmpl
index 560a2c9..11c584a 100644
--- a/templates/search.tmpl
+++ b/templates/search.tmpl
@@ -5,7 +5,7 @@
<form class="search-form" action="/search" method="GET">
<span class="post-form-field>
<label for="query"> Query </label>
- <input id="query" name="q" value="{{.Q}}">
+ <input id="query" name="q" value="{{.Q | HTMLEscape}}">
</span>
<span class="post-form-field>
<label for="type"> Type </label>
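Review bot: `HTMLEscapeString` is the right primitive for `.Q` inside a double-quoted attribute value, since it encodes `"`, `'`, `&`, `<` and `>`; the remaining weakness in this form is the surrounding markup rather than the new pipe. The `class="post-form-field>` attributes on both `<span>` lines in this hunk never close their quote, so the browser's error recovery decides where that attribute ends, which makes it hard to reason about which parsing context an interpolated value actually lands in. Fix the markup alongside the escaping: `<span class="post-form-field">`. Note also that the filter is per-site, so any other place this template renders the query (a heading or `<title>`, if one exists outside this hunk) needs the same `| HTMLEscape`.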
diff --git a/templates/usersearch.tmpl b/templates/usersearch.tmpl
index ca99b4c..e5f2bfc 100644
--- a/templates/usersearch.tmpl
+++ b/templates/usersearch.tmpl
@@ -5,7 +5,7 @@
<form class="search-form" action="/usersearch/{{.User.ID}}" method="GET">
<span class="post-form-field>
<label for="query"> Query </label>
- <input id="query" name="q" value="{{.Q}}">
+ <input id="query" name="q" value="{{.Q | HTMLEscape}}">
</span>
<button type="submit"> Search </button>
</form>
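Review bot: The new line escapes `.Q`, but the same form's `action="/usersearch/{{.User.ID}}"` two lines above interpolates `.User.ID` unfiltered into an attribute, so the hunk is inconsistent about what it treats as untrusted. I cannot tell from this hunk whether the ID is validated upstream; if it can originate from a remote server, it should get the same treatment, `action="/usersearch/{{.User.ID | HTMLEscape}}"`, or, since it is a URL path segment, a dedicated path-escaping function such as `url.PathEscape` exposed the same way `HTMLEscape` is. The `class="post-form-field>` on the `<span>` line is also missing its closing quote.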