HTML Escape search queries

2020-05-29 10:41:59 +00:00 · 2020-05-29 10:41:59 +00:00 · 1ae3c33b7d
parent 051908cfb7
commit 1ae3c33b7d
3 changed files with 4 additions and 2 deletions
--- a/renderer/renderer.go
+++ b/renderer/renderer.go
@ -2,6 +2,7 @@ package renderer

 import (
 	"fmt"
+	htemplate "html/template"
 	"io"
 	"strconv"
 	"strings"
@ -145,6 +146,7 @@ func NewRenderer(templateGlobPattern string) (r *renderer, err error) {
 		"FormatTimeRFC3339":       formatTimeRFC3339,
 		"FormatTimeRFC822":        formatTimeRFC822,
 		"WithContext":             withContext,
+		"HTMLEscape":              htemplate.HTMLEscapeString,
 	}).ParseGlob(templateGlobPattern)
 	if err != nil {
 		return
--- a/templates/search.tmpl
+++ b/templates/search.tmpl
@ -5,7 +5,7 @@
 <form class="search-form" action="/search" method="GET">
 	<span class="post-form-field>
 		<label for="query"> Query </label>
-		<input id="query" name="q" value="{{.Q}}">
+		<input id="query" name="q" value="{{.Q | HTMLEscape}}">
 	</span>
 	<span class="post-form-field>
 		<label for="type"> Type </label>
--- a/templates/usersearch.tmpl
+++ b/templates/usersearch.tmpl
@ -5,7 +5,7 @@
 <form class="search-form" action="/usersearch/{{.User.ID}}" method="GET">
 	<span class="post-form-field>
 		<label for="query"> Query </label>
-		<input id="query" name="q" value="{{.Q}}">
+		<input id="query" name="q" value="{{.Q | HTMLEscape}}">
 	</span>
 	<button type="submit"> Search </button>
 </form>