HTML Escape search queries

2025-05-04 19:08:45 +00:00 · 2020-05-29 10:41:59 +00:00 · 2020-05-29 10:41:59 +00:00 · 1ae3c33b7d
commit 1ae3c33b7d
parent 051908cfb7
3 changed files with 4 additions and 2 deletions
--- a/templates/search.tmpl
+++ b/templates/search.tmpl
@ -5,7 +5,7 @@
 <form class="search-form" action="/search" method="GET">
 	<span class="post-form-field>
 		<label for="query"> Query </label>
-		<input id="query" name="q" value="{{.Q}}">
+		<input id="query" name="q" value="{{.Q | HTMLEscape}}">
 	</span>
 	<span class="post-form-field>
 		<label for="type"> Type </label>
--- a/templates/usersearch.tmpl
+++ b/templates/usersearch.tmpl
@ -5,7 +5,7 @@
 <form class="search-form" action="/usersearch/{{.User.ID}}" method="GET">
 	<span class="post-form-field>
 		<label for="query"> Query </label>
-		<input id="query" name="q" value="{{.Q}}">
+		<input id="query" name="q" value="{{.Q | HTMLEscape}}">
 	</span>
 	<button type="submit"> Search </button>
 </form>