add " and ' to list of html-escaped chars

R=rsc
http://go/go-review/1017025

diff --git a/src/pkg/template/format.go b/src/pkg/template/format.go
index bbdfcb4bb8b74659784ccbd853ccd55b2d1510f0..bcffc66ac557d0ab87cc7c4a9d03481648bbfe44 100644 (file)
--- a/src/pkg/template/format.go
+++ b/src/pkg/template/format.go
@@ -21,28 +21,37 @@ func StringFormatter(w io.Writer, value interface{}, format string) {
        fmt.Fprint(w, value);
 }
 
-
-var esc_amp = strings.Bytes("&")
-var esc_lt = strings.Bytes("<")
-var esc_gt = strings.Bytes(">")
+var (
+       esc_quot = strings.Bytes(""");  // shorter than """
+       esc_apos = strings.Bytes("'");  // shorter than "'"
+       esc_amp = strings.Bytes("&");
+       esc_lt = strings.Bytes("<");
+       esc_gt = strings.Bytes(">");
+)
 
 // HtmlEscape writes to w the properly escaped HTML equivalent
 // of the plain text data s.
 func HtmlEscape(w io.Writer, s []byte) {
+       var esc []byte;
        last := 0;
        for i, c := range s {
-               if c == '&' || c == '<' || c == '>' {
-                       w.Write(s[last:i]);
-                       switch c {
-                       case '&':
-                               w.Write(esc_amp);
-                       case '<':
-                               w.Write(esc_lt);
-                       case '>':
-                               w.Write(esc_gt);
-                       }
-                       last = i+1;
+               switch c {
+               case '"':
+                       esc = esc_quot;
+               case '\'':
+                       esc = esc_apos;
+               case '&':
+                       esc = esc_amp;
+               case '<':
+                       esc = esc_lt;
+               case '>':
+                       esc = esc_gt;
+               default:
+                       continue;
                }
+               w.Write(s[last:i]);
+               w.Write(esc);
+               last = i+1;
        }
        w.Write(s[last:len(s)]);
 }