HTML Escape search queries

This commit is contained in:
r 2020-05-29 10:41:59 +00:00
parent 051908cfb7
commit 1ae3c33b7d
3 changed files with 4 additions and 2 deletions


@ -2,6 +2,7 @@ package renderer
import (
"fmt"
htemplate "html/template"
"io"
"strconv"
"strings"
@ -145,6 +146,7 @@ func NewRenderer(templateGlobPattern string) (r *renderer, err error) {
"FormatTimeRFC3339": formatTimeRFC3339,
"FormatTimeRFC822": formatTimeRFC822,
"WithContext": withContext,
"HTMLEscape": htemplate.HTMLEscapeString,
}).ParseGlob(templateGlobPattern)
if err != nil {
return
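Review bot: Registering `htemplate.HTMLEscapeString` as a template func only makes sense if these templates are parsed with `text/template`; if `ParseGlob` here is `html/template`'s, `.Q` is already contextually escaped and `{{.Q | HTMLEscape}}` will double-encode (`a&b` renders as `a&amp;b`). The rest of the import block and the template package in use are outside the hunk, so which case applies cannot be confirmed from here. If it is `text/template`, the more robust fix is to switch the renderer to `html/template` so every interpolation is escaped by context rather than relying on authors remembering `| HTMLEscape` at each site; a comment such as `// HTMLEscape: templates are text/template, so attribute values holding user input must be escaped explicitly` would at least record the contract. NewRenderer continues past the end of this hunk.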


@ -5,7 +5,7 @@
<form class="search-form" action="/search" method="GET">
<span class="post-form-field>
<label for="query"> Query </label>
<input id="query" name="q" value="{{.Q}}">
<input id="query" name="q" value="{{.Q | HTMLEscape}}">
</span>
<span class="post-form-field>
<label for="type"> Type </label>
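Review bot: The `<span class="post-form-field>` tags in this hunk are missing the closing quote on the class attribute, so the `class` value runs on into the following `<label for=` text and the markup around the escaped `value="{{.Q | HTMLEscape}}"` is already malformed; the commit escapes the query but leaves the tag structure broken, which makes the attribute context the escape relies on harder to reason about. Change both occurrences to `<span class="post-form-field">`. Separately, `| HTMLEscape` is only correct if this template is rendered by `text/template`; under `html/template` the value is already escaped and `&` in a query would be shown as `&amp;`.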


@ -5,7 +5,7 @@
<form class="search-form" action="/usersearch/{{.User.ID}}" method="GET">
<span class="post-form-field>
<label for="query"> Query </label>
<input id="query" name="q" value="{{.Q}}">
<input id="query" name="q" value="{{.Q | HTMLEscape}}">
</span>
<button type="submit"> Search </button>
</form>
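Review bot: `{{.User.ID}}` in `action="/usersearch/{{.User.ID}}"` is interpolated into an attribute URL without the escaping that the same commit adds for `.Q`; if the templates are `text/template` (which the new `HTMLEscape` helper suggests) and the ID is anything other than a plain integer, that is a second injection point in this form. Presumably the ID is numeric, but that should be confirmed or the value escaped as well, e.g. `action="/usersearch/{{.User.ID | HTMLEscape}}"`. The `<span class="post-form-field>` on the line above also lacks its closing quote and should read `<span class="post-form-field">`.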