http: fix text displayed in Redirect

In the case where r.Method == "POST", was
calling Printf with an argument but "" format string,
causing a spurious %!EXTRA(...) message.

Also escape string properly in HTML generation.

R=r
CC=golang-dev
https://golang.org/cl/3923043

src/pkg/http/server.go

@@ -452,18 +452,7 @@ func NotFoundHandler() Handler { return HandlerFunc(NotFound) }
 // Redirect replies to the request with a redirect to url,
 // which may be a path relative to the request path.
 func Redirect(w ResponseWriter, r *Request, url string, code int) {
-	// RFC2616 recommends that a short note "SHOULD" be included in the
+	if u, err := ParseURL(url); err == nil {
-	// response because older user agents may not understand 301/307.
-	note := "<a href=\"%v\">" + statusText[code] + "</a>.\n"
-	if r.Method == "POST" {
-		note = ""
-	}
-
-	u, err := ParseURL(url)
-	if err != nil {
-		goto finish
-	}
-
 		// If url was relative, make absolute by
 		// combining with request path.
 		// The browser would probably do this for us,
@@ -499,11 +488,27 @@ func Redirect(w ResponseWriter, r *Request, url string, code int) {
 				url += "/"
 			}
 		}
+	}
 
-finish:
 	w.SetHeader("Location", url)
 	w.WriteHeader(code)
-	fmt.Fprintf(w, note, url)
+
+	// RFC2616 recommends that a short note "SHOULD" be included in the
+	// response because older user agents may not understand 301/307.
+	note := "<a href=\"" + htmlEscape(url) + "\">" + statusText[code] + "</a>.\n"
+	if r.Method == "POST" {
+		note = ""
+	}
+	fmt.Fprintln(w, note)
+}
+
+func htmlEscape(s string) string {
+	s = strings.Replace(s, "&", "&amp;", -1)
+	s = strings.Replace(s, "<", "&lt;", -1)
+	s = strings.Replace(s, ">", "&gt;", -1)
+	s = strings.Replace(s, "\"", "&quot;", -1)
+	s = strings.Replace(s, "'", "&apos;", -1)
+	return s
 }
 
 // Redirect to a fixed URL