godoc: fix escaping in templates
authorRobert Griesemer <gri@golang.org>
Mon, 15 Aug 2011 22:15:54 +0000 (15:15 -0700)
committerRobert Griesemer <gri@golang.org>
Mon, 15 Aug 2011 22:15:54 +0000 (15:15 -0700)
- HTML-escape URL paths
- URL-escape URL parameters

R=bradfitz
CC=golang-dev
https://golang.org/cl/4890041

lib/godoc/codewalkdir.html
lib/godoc/dirlist.html
lib/godoc/search.html
src/cmd/godoc/godoc.go

index 6fe1a0565ae76831a6f4d9e49961ef52e88f0b7a..2d81d9cc4d69def81eeb84010c4035dac373e076 100644 (file)
@@ -7,9 +7,10 @@
 <table class="layout">
 {{range .}}
 <tr>
-    <td><a href="{{html .Name}}">{{html .Name}}</a></td>
-    <td width="25">&nbsp;</td>
-    <td>{{html .Title}}</td>
+       {{$name := html .Name}}
+       <td><a href="{{$name}}">{{$name}}</a></td>
+       <td width="25">&nbsp;</td>
+       <td>{{html .Title}}</td>
 </tr>
 {{end}}
 </table>
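Review bot: The `href` in `<a href="{{$name}}">` now shares one HTML-escaped value with the link text, so the URL is protected against attribute breakout but is not percent-encoded. A name containing `?`, `#` or `%` would link to a different path than the one shown, and a `:` in the first segment would be parsed as a URL scheme; whether `.Name` can hold such characters is not visible in this diff. Keeping two values would separate the concerns, e.g. `<a href="{{.Name | urlpath | html}}">{{html .Name}}</a>`, where `urlpath` is a placeholder for a path-escaping helper that this diff does not show and that would have to be registered. The same applies to `$name` in dirlist.html and to `$pkg` and `$src` in search.html.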
index 422397e522d9261b5eff2ec1d211cdec9b6f7b06..841e474e210fd55e9dd1e0845c85ad4b37e8936c 100644 (file)
@@ -18,7 +18,8 @@
 </tr>
 {{range .}}
 <tr>
-       <td align="left"><a href="{{.|fileInfoName|html}}">{{.|fileInfoName|html}}</a></td>
+       {{$name := .|fileInfoName|html}}
+       <td align="left"><a href="{{$name}}">{{$name}}</a></td>
        <td></td>
        <td align="right">{{html .Size}}</td>
        <td></td>
index 946160cf53189b71c19993f235283ace70051eff..776becda2e1d13c8912dd97c65073844a6a7e05d 100644 (file)
@@ -3,6 +3,7 @@
        Use of this source code is governed by a BSD-style
        license that can be found in the LICENSE file.
 -->
+{{$query := urlquery .Query}}
 {{with .Alert}}
        <p>
        <span class="alert" style="font-size:120%">{{html .}}</span>
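Review bot: `{{$query := urlquery .Query}}` is later placed inside `href` attributes without passing through `html`, and nothing in the template explains why that is safe. It is safe only because query escaping leaves no HTML-special characters in the value. A comment at the definition would stop a later edit from substituting a differently escaped value, for example `{{/* $query is urlquery-escaped; safe inside href without html */}}`. The later hunks in this file, which build the `?h={{$query}}` links, rely on the same property.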
        {{with .Decls}}
                <h2 id="Global">Package-level declarations</h2>
                {{range .}}
-                       {{$pkg := pkgLink .Pak.Path}}
-                       <h3 id="Global_{{html $pkg}}">package <a href="/{{$pkg}}">{{html .Pak.Name}}</a></h3>
+                       {{$pkg := pkgLink .Pak.Path | html}}
+                       <h3 id="Global_{{$pkg}}">package <a href="/{{$pkg}}">{{html .Pak.Name}}</a></h3>
                        {{range .Files}}
-                               {{$src := srcLink .File.Path}}
+                               {{$src := srcLink .File.Path | html}}
                                {{range .Groups}}
                                        {{range .Infos}}
-                                               <a href="/{{$src}}?h={{urlquery $.Query}}#L{{infoLine .}}">{{html $src}}:{{infoLine .}}</a>
+                                               <a href="/{{$src}}?h={{$query}}#L{{infoLine .}}">{{$src}}:{{infoLine .}}</a>
                                                {{infoSnippet_html .}}
                                        {{end}}
                                {{end}}
        {{with .Others}}
                <h2 id="Local">Local declarations and uses</h2>
                {{range .}}
-                       {{$pkg := pkgLink .Pak.Path}}
-                       <h3 id="Local_{{html $pkg}}">package <a href="/{{$pkg}}">{{html .Pak.Name}}</a></h3>
+                       {{$pkg := pkgLink .Pak.Path | html}}
+                       <h3 id="Local_{{$pkg}}">package <a href="/{{$pkg}}">{{html .Pak.Name}}</a></h3>
                        {{range .Files}}
-                               {{$src := srcLink .File.Path}}
-                               <a href="/{{$src}}?h={{urlquery $.Query}}">{{html $src}}</a>
+                               {{$src := srcLink .File.Path | html}}
+                               <a href="/{{$src}}?h={{$query}}">{{$src}}</a>
                                <table class="layout">
                                {{range .Groups}}
                                        <tr>
@@ -49,7 +50,7 @@
                                        <td align="left" width="4"></td>
                                        <td>
                                        {{range .Infos}}
-                                               <a href="/{{$src}}?h={{urlquery $.Query}}#L{{infoLine .}}">{{infoLine .}}</a>
+                                               <a href="/{{$src}}?h={{$query}}#L{{infoLine .}}">{{infoLine .}}</a>
                                        {{end}}
                                        </td>
                                        </tr>
        <p>
        <table class="layout">
        {{range .}}
-               {{$src := srcLink .Filename}}
+               {{$src := srcLink .Filename | html}}
                <tr>
                <td align="left" valign="top">
-               <a href="/{{$src}}?h={{urlquery $.Query}}">{{html $src}}</a>:
+               <a href="/{{$src}}?h={{$query}}">{{$src}}</a>:
                </td>
                <td align="left" width="4"></td>
                <th align="left" valign="top">{{len .Lines}}</th>
                <td align="left" width="4"></td>
                <td align="left">
                {{range .Lines}}
-                       <a href="/{{$src}}?h={{urlquery $.Query}}#L{{.}}">{{html .}}</a>
+                       <a href="/{{$src}}?h={{$query}}#L{{html .}}">{{html .}}</a>
                {{end}}
                {{if not $.Complete}}
                        ...
index 98fdc19d044915968afbf2c456c1ea0c34a11779..e3f8ad8d36f94d2dd20a3fb75ffefae95ebe55a7 100644 (file)
@@ -481,7 +481,7 @@ func posLink_urlFunc(node ast.Node, fset *token.FileSet) string {
        }
 
        var buf bytes.Buffer
-       buf.WriteString(http.URLEscape(relpath))
+       template.HTMLEscape(&buf, []byte(relpath))
        // selection ranges are of form "s=low:high"
        if low < high {
                fmt.Fprintf(&buf, "?s=%d:%d", low, high) // no need for URL escaping
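Review bot: After this change `posLink_urlFunc` writes `relpath` with HTML escaping only, so a `?` or `#` inside the path is no longer percent-encoded and becomes ambiguous with the `?s=%d:%d` suffix appended just below. The function also still has a `_urlFunc` name while returning text that is already HTML-escaped, and the existing "no need for URL escaping" remark does not mention this. A doc comment should state the contract, e.g. `// The result is HTML-escaped and ready for use in an href; do not pipe it through html again.`, plus a note at the escape call such as `// relpath is not percent-encoded; '?' and '#' in file names are not supported`. The function begins and continues outside this hunk, so callers that re-escape the result cannot be checked from here.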