author | r <r@freesoftwareextremist.com> | 2021-04-23 10:19:09 +0000 |
committer | r <r@freesoftwareextremist.com> | 2021-04-23 10:19:09 +0000 |
commit | 469f2d1d25f0b266abb15eab410131ebe1856aad (patch) | |
tree | 9d43be7fd30af12d186e5a54adf2ee9228f3243b | |
parent | bd74cb50e7e7be61f88687bc2d5f7ac63b45ea70 (diff) | |
Fix HTML escaping
-rw-r--r-- | service/service.go | 11 | ||||
-rw-r--r-- | templates/header.tmpl | 2 | ||||
-rw-r--r-- | templates/search.tmpl | 2 | ||||
-rw-r--r-- | templates/status.tmpl | 6 | ||||
-rw-r--r-- | templates/usersearch.tmpl | 2 |
5 files changed, 10 insertions, 13 deletions
diff --git a/service/service.go b/service/service.go
index 5d80c28..d548342 100644
--- a/service/service.go
+++ b/service/service.go
@@ -3,7 +3,6 @@ package service
 import (
 "errors"
 "fmt"
- "html/template"
 "mime/multipart"
 "net/url"
 "strings"
@@ -560,16 +559,15 @@ func (s *service) UserSearchPage(c *client,
 url.QueryEscape(q), offset)
 }
- qq := template.HTMLEscapeString(q)
 if len(q) > 0 {
- title += " \"" + qq + "\""
+ title += " \"" + q + "\""
 }
 cdata := s.cdata(c, title, 0, 0, "")
 data := &renderer.UserSearchData{
 CommonData: cdata,
 User: user,
- Q: qq,
+ Q: q,
 Statuses: results.Statuses,
 NextLink: nextLink,
 }
@@ -620,15 +618,14 @@ func (s *service) SearchPage(c *client,
 url.QueryEscape(q), qType, offset)
 }
- qq := template.HTMLEscapeString(q)
 if len(q) > 0 {
- title += " \"" + qq + "\""
+ title += " \"" + q + "\""
 }
 cdata := s.cdata(c, title, 0, 0, "")
 data := &renderer.SearchData{
 CommonData: cdata,
- Q: qq,
+ Q: q,
 Type: qType,
 Users: results.Accounts,
 Statuses: results.Statuses,
diff --git a/templates/header.tmpl b/templates/header.tmpl
index 1abb6dd..8eb53f6 100644
--- a/templates/header.tmpl
+++ b/templates/header.tmpl
@@ -17,7 +17,7 @@
 {{if .RefreshInterval}}
 <meta http-equiv="refresh" content="{{.RefreshInterval}}">
 {{end}}
- <title> {{if gt .Count 0}}({{.Count}}){{end}} {{.Title}} </title>
+ <title> {{if gt .Count 0}}({{.Count}}){{end}} {{.Title | html}} </title>
 <link rel="stylesheet" href="/static/style.css">
 {{if .CustomCSS}}
 <link rel="stylesheet" href="{{.CustomCSS}}">
diff --git a/templates/search.tmpl b/templates/search.tmpl
index 0473d4a..7338cad 100644
--- a/templates/search.tmpl
+++ b/templates/search.tmpl
@@ -5,7 +5,7 @@
 <form class="search-form" action="/search" method="GET">
 <span class="post-form-field">
 <label for="query"> Query </label>
- <input id="query" name="q" value="{{.Q}}">
+ <input id="query" name="q" value="{{.Q | html}}">
 </span>
 <span class="post-form-field">
 <label for="type"> Type </label>
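Review bot: After the UserSearchPage hunk, `q` reaches both `title` and `data.Q` unescaped, so every template that renders `.Title` or `.Q` must now do the escaping itself; the commit updates header.tmpl, search.tmpl and usersearch.tmpl, but nothing in the Go code records that contract, and the SearchPage hunk below has the same gap. If the renderer uses text/template (the need for an explicit `| html` in the templates suggests it does), a future `{{.Q}}` or `{{.Title}}` written without the filter becomes a reflected-injection point, whereas under html/template the filter is merely redundant. I would add a comment above the `if len(q) > 0 {` line in both functions: `// q is raw user input: templates render .Q and .Title through the html filter; do not pre-escape it here.` Both enclosing functions, UserSearchPage and SearchPage, start and end outside their hunks.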
diff --git a/templates/status.tmpl b/templates/status.tmpl
index d6bfedf..7dcc0b6 100644
--- a/templates/status.tmpl
+++ b/templates/status.tmpl
@@ -88,7 +88,7 @@
 {{end}}
 </div>
 {{if .Content}}
- <div class="status-content"> {{StatusContentFilter .SpoilerText .Content .Emojis .Mentions}} </div>
+ <div class="status-content"> {{StatusContentFilter (html .SpoilerText) .Content .Emojis .Mentions}} </div>
 {{end}}
 {{if .MediaAttachments}}
 <div class="status-media-container">
@@ -153,12 +153,12 @@
 {{range $i, $o := .Poll.Options}}
 <div class="poll-option">
 {{if (or $s.Poll.Expired $s.Poll.Voted)}}
- <div> {{EmojiFilter $o.Title $s.Emojis}} - {{$o.VotesCount}} votes </div>
+ <div> {{EmojiFilter $o.Title $s.Emojis | html}} - {{$o.VotesCount}} votes </div>
 {{else}}
 <input type="{{if $s.Poll.Multiple}}checkbox{{else}}radio{{end}}" name="choices" id="poll-{{$s.ID}}-{{$i}}" value="{{$i}}">
 <label for="poll-{{$s.ID}}-{{$i}}">
- {{EmojiFilter $o.Title $s.Emojis}}
+ {{EmojiFilter $o.Title $s.Emojis | html}}
 </label>
 {{end}}
 </div>
diff --git a/templates/usersearch.tmpl b/templates/usersearch.tmpl
index 3f42f28..ee84143 100644
--- a/templates/usersearch.tmpl
+++ b/templates/usersearch.tmpl
@@ -5,7 +5,7 @@
 <form class="search-form" action="/usersearch/{{.User.ID}}" method="GET">
 <span class="post-form-field>
 <label for="query"> Query </label>
- <input id="query" name="q" value="{{.Q}}">
+ <input id="query" name="q" value="{{.Q | html}}">
 </span>
 <button type="submit"> Search </button>
 </form> |
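Review bot: In the poll hunk, `{{EmojiFilter $o.Title $s.Emojis | html}}` escapes the output of EmojiFilter, while the status-content hunk above escapes the input with `(html .SpoilerText)` before handing it to StatusContentFilter; the two orderings are inconsistent. If EmojiFilter replaces shortcodes with `<img>` markup (its name and the `.Emojis` argument suggest so, though its definition is not on this page), piping its result through `html` turns that markup into literal text in both changed poll lines, so the intended form is probably `{{EmojiFilter (html $o.Title) $s.Emojis}}`, matching the SpoilerText pattern. Escaping before the filter then relies on EmojiFilter producing attribute-safe markup for the emoji URLs it inserts, which is worth confirming in the renderer code rather than assuming.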
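Review bot: The context line directly above the changed input in usersearch.tmpl, `<span class="post-form-field>`, is missing its closing quote, so the class attribute value runs on into the following markup and the `<label>` start tag is absorbed into it; the sibling search.tmpl hunk has the correct `<span class="post-form-field">`. Since this hunk already touches the form, fixing it here is a one-line change. The `| html` on the new `value` line itself is appropriate for a double-quoted attribute, as the html function escapes both quote characters.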