html-escaping of fields that may be user-generated
authorRobert Griesemer <gri@golang.org>
Wed, 28 Oct 2009 19:52:52 +0000 (12:52 -0700)
committerRobert Griesemer <gri@golang.org>
Wed, 28 Oct 2009 19:52:52 +0000 (12:52 -0700)
R=rsc
http://go/go-review/1013019

lib/godoc/godoc.html

index df8ee882a06ec92a4e8880972140c8652e029c39..1cae952e271202d3a6a5ce23d3e16abcd0b578a0 100644 (file)
@@ -4,7 +4,7 @@
 <head>
 
   <meta http-equiv="content-type" content="text/html; charset=utf-8">
-  <title>{Title}</title>
+  <title>{Title|html}</title>
 
   <link rel="stylesheet" type="text/css" href="/doc/style.css">
   <script type="text/javascript" src="/doc/godocs.js"></script>
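Review bot: The added `|html` on `{Title}` in the `<title>` element is correct for that context, but the protection now depends on every interpolation site in this template remembering the formatter, and the same per-site pattern is repeated for `{Query}`, `{Timestamp}` and the `<h1>` in the following hunk. If the FormatterMap this template is parsed with registers the html formatter under the default ("") key, plain `{Field}` would escape by default and an unescaped field such as `{Content}` would become the explicit, reviewable exception rather than the silent default. Short of that, a template-level comment near the `<head>` such as `<!-- Every field that may carry user input must be rendered with |html -->` would make the convention visible to the next editor. The second hunk of this file runs past the end of the visible page, so its trailing context could not be reviewed.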
     <li class="blank">&nbsp;</li>
     <li class="navhead">Go code search</li>
     <form method="GET" action="/search" class="search">
-    <input name="q" value="{Query}" size="25" />
+    <input name="q" value="{Query|html}" size="25" />
     <input type="submit" value="Go" />
 
     <li class="blank">&nbsp;</li>
     <li class="navhead">Last update</li>
-       <li>{Timestamp}</li>
+       <li>{Timestamp|html}</li>
   </ul>
 </div>
 
 <div id="content">
-  <h1>{Title}</h1>
+  <h1>{Title|html}</h1>
 
   <!-- The Table of Contents is automatically inserted in this <div>.
        Do not delete this <div>. -->
   <div id="nav"></div>
 
+  <!-- Content is HTML-escaped elsewhere -->
   {Content}
 </div>