html-escaping of fields that may be user-generated

R=rsc http://go/go-review/1013019
2024-11-25 02:57:57 -07:00 · 2009-10-28 12:52:52 -07:00 · 2009-10-28 12:52:52 -07:00 · 8b2d2847a8
commit 8b2d2847a8
parent 5a02eb65ef
1 changed files with 5 additions and 4 deletions
--- a/lib/godoc/godoc.html
+++ b/lib/godoc/godoc.html
@ -4,7 +4,7 @@
 <head>

  <meta http-equiv="content-type" content="text/html; charset=utf-8">
-  <title>{Title}</title>
+  <title>{Title|html}</title>

  <link rel="stylesheet" type="text/css" href="/doc/style.css">
  <script type="text/javascript" src="/doc/godocs.js"></script>
@ -49,22 +49,23 @@
    <li class="blank">&nbsp;</li>
    <li class="navhead">Go code search</li>
    <form method="GET" action="/search" class="search">
-    <input name="q" value="{Query}" size="25" />
+    <input name="q" value="{Query|html}" size="25" />
    <input type="submit" value="Go" />

    <li class="blank">&nbsp;</li>
    <li class="navhead">Last update</li>
-	<li>{Timestamp}</li>
+	<li>{Timestamp|html}</li>
  </ul>
 </div>

 <div id="content">
-  <h1>{Title}</h1>
+  <h1>{Title|html}</h1>

  <!-- The Table of Contents is automatically inserted in this <div>.
       Do not delete this <div>. -->
  <div id="nav"></div>

+  <!-- Content is HTML-escaped elsewhere -->
  {Content}
 </div>