godoc: fix escaping in templates

- HTML-escape URL paths
- URL-escape URL parameters

R=bradfitz
CC=golang-dev
https://golang.org/cl/4890041

lib/godoc/codewalkdir.html

@@ -7,9 +7,10 @@
 <table class="layout">
 {{range .}}
 <tr>
-    <td><a href="{{html .Name}}">{{html .Name}}</a></td>
-    <td width="25">&nbsp;</td>
-    <td>{{html .Title}}</td>
+	{{$name := html .Name}}
+	<td><a href="{{$name}}">{{$name}}</a></td>
+	<td width="25">&nbsp;</td>
+	<td>{{html .Title}}</td>
 </tr>
 {{end}}
 </table>

lib/godoc/dirlist.html

@@ -18,7 +18,8 @@
 </tr>
 {{range .}}
 <tr>
-	<td align="left"><a href="{{.|fileInfoName|html}}">{{.|fileInfoName|html}}</a></td>
+	{{$name := .|fileInfoName|html}}
+	<td align="left"><a href="{{$name}}">{{$name}}</a></td>
 	<td></td>
 	<td align="right">{{html .Size}}</td>
 	<td></td>

lib/godoc/search.html

@@ -3,6 +3,7 @@
 	Use of this source code is governed by a BSD-style
 	license that can be found in the LICENSE file.
 -->
+{{$query := urlquery .Query}}
 {{with .Alert}}
 	<p>
 	<span class="alert" style="font-size:120%">{{html .}}</span>
@@ -20,13 +21,13 @@
 	{{with .Decls}}
 		<h2 id="Global">Package-level declarations</h2>
 		{{range .}}
-			{{$pkg := pkgLink .Pak.Path}}
-			<h3 id="Global_{{html $pkg}}">package <a href="/{{$pkg}}">{{html .Pak.Name}}</a></h3>
+			{{$pkg := pkgLink .Pak.Path | html}}
+			<h3 id="Global_{{$pkg}}">package <a href="/{{$pkg}}">{{html .Pak.Name}}</a></h3>
 			{{range .Files}}
-				{{$src := srcLink .File.Path}}
+				{{$src := srcLink .File.Path | html}}
 				{{range .Groups}}
 					{{range .Infos}}
-						<a href="/{{$src}}?h={{urlquery $.Query}}#L{{infoLine .}}">{{html $src}}:{{infoLine .}}</a>
+						<a href="/{{$src}}?h={{$query}}#L{{infoLine .}}">{{$src}}:{{infoLine .}}</a>
 						{{infoSnippet_html .}}
 					{{end}}
 				{{end}}
@@ -36,11 +37,11 @@
 	{{with .Others}}
 		<h2 id="Local">Local declarations and uses</h2>
 		{{range .}}
-			{{$pkg := pkgLink .Pak.Path}}
-			<h3 id="Local_{{html $pkg}}">package <a href="/{{$pkg}}">{{html .Pak.Name}}</a></h3>
+			{{$pkg := pkgLink .Pak.Path | html}}
+			<h3 id="Local_{{$pkg}}">package <a href="/{{$pkg}}">{{html .Pak.Name}}</a></h3>
 			{{range .Files}}
-				{{$src := srcLink .File.Path}}
-				<a href="/{{$src}}?h={{urlquery $.Query}}">{{html $src}}</a>
+				{{$src := srcLink .File.Path | html}}
+				<a href="/{{$src}}?h={{$query}}">{{$src}}</a>
 				<table class="layout">
 				{{range .Groups}}
 					<tr>
@@ -49,7 +50,7 @@
 					<td align="left" width="4"></td>
 					<td>
 					{{range .Infos}}
-						<a href="/{{$src}}?h={{urlquery $.Query}}#L{{infoLine .}}">{{infoLine .}}</a>
+						<a href="/{{$src}}?h={{$query}}#L{{infoLine .}}">{{infoLine .}}</a>
 					{{end}}
 					</td>
 					</tr>
@@ -71,17 +72,17 @@
 	<p>
 	<table class="layout">
 	{{range .}}
-		{{$src := srcLink .Filename}}
+		{{$src := srcLink .Filename | html}}
 		<tr>
 		<td align="left" valign="top">
-		<a href="/{{$src}}?h={{urlquery $.Query}}">{{html $src}}</a>:
+		<a href="/{{$src}}?h={{$query}}">{{$src}}</a>:
 		</td>
 		<td align="left" width="4"></td>
 		<th align="left" valign="top">{{len .Lines}}</th>
 		<td align="left" width="4"></td>
 		<td align="left">
 		{{range .Lines}}
-			<a href="/{{$src}}?h={{urlquery $.Query}}#L{{.}}">{{html .}}</a>
+			<a href="/{{$src}}?h={{$query}}#L{{html .}}">{{html .}}</a>
 		{{end}}
 		{{if not $.Complete}}
 			...

src/cmd/godoc/godoc.go

@@ -481,7 +481,7 @@ func posLink_urlFunc(node ast.Node, fset *token.FileSet) string {
 	}
 
 	var buf bytes.Buffer
-	buf.WriteString(http.URLEscape(relpath))
+	template.HTMLEscape(&buf, []byte(relpath))
 	// selection ranges are of form "s=low:high"
 	if low < high {
 		fmt.Fprintf(&buf, "?s=%d:%d", low, high) // no need for URL escaping