From 1ae3c33b7df83cec8afdb5f8e3cc46a0919c9ac1 Mon Sep 17 00:00:00 2001
From: r
Date: Fri, 29 May 2020 10:41:59 +0000
Subject: [PATCH] HTML Escape search queries
---
 renderer/renderer.go | 2 ++
 templates/search.tmpl | 2 +-
 templates/usersearch.tmpl | 2 +-
 3 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/renderer/renderer.go b/renderer/renderer.go
index 4d35ba7..a15bebf 100644
--- a/renderer/renderer.go
+++ b/renderer/renderer.go
@@ -2,6 +2,7 @@ package renderer
 import (
 "fmt"
+ htemplate "html/template"
 "io"
 "strconv"
 "strings"
@@ -145,6 +146,7 @@ func NewRenderer(templateGlobPattern string) (r *renderer, err error) {
 "FormatTimeRFC3339": formatTimeRFC3339,
 "FormatTimeRFC822": formatTimeRFC822,
 "WithContext": withContext,
+ "HTMLEscape": htemplate.HTMLEscapeString,
 }).ParseGlob(templateGlobPattern)
 if err != nil {
 return
diff --git a/templates/search.tmpl b/templates/search.tmpl
index 560a2c9..11c584a 100644
--- a/templates/search.tmpl
+++ b/templates/search.tmpl
@@ -5,7 +5,7 @@
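Review bot: Registering `HTMLEscape` in the NewRenderer FuncMap (second renderer/renderer.go hunk) makes escaping opt-in, so any template expression that omits the pipe still emits user-controlled text raw. The `htemplate` alias suggests the templates are parsed with `text/template`, which does no contextual escaping; the import and the template construction are outside the hunk, so this is inferred. If that holds, parsing with `html/template` would escape by default, and `HTMLEscapeString` by itself is only adequate for element text and quoted attribute values, not URL, script or unquoted-attribute contexts. At minimum I would document the contract on the entry, e.g. `// HTMLEscape: apply to every user-controlled value placed in HTML text or a quoted attribute`. NewRenderer's body starts and ends outside the hunk.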
Query - + Type diff --git a/templates/usersearch.tmpl b/templates/usersearch.tmpl index ca99b4c..e5f2bfc 100644 --- a/templates/usersearch.tmpl +++ b/templates/usersearch.tmpl @@ -5,7 +5,7 @@ Query - +