Commit 91fadbca authored by Robert Griesemer's avatar Robert Griesemer

godoc: fix escaping in templates

- HTML-escape URL paths
- URL-escape URL parameters

R=bradfitz
CC=golang-dev
https://golang.org/cl/4890041
parent 9f677f91
......@@ -7,7 +7,8 @@
<table class="layout">
{{range .}}
<tr>
<td><a href="{{html .Name}}">{{html .Name}}</a></td>
{{$name := html .Name}}
<td><a href="{{$name}}">{{$name}}</a></td>
<td width="25">&nbsp;</td>
<td>{{html .Title}}</td>
</tr>
......
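Review bot: `$name` is only HTML-escaped before it becomes the whole `href` value, so the attribute is safe against markup breakout but the value is still parsed as a URL. A name containing `?`, `#` or `%` would produce a link that does not point at that entry, and a name with a colon before its first slash is read as a URL scheme. Consider percent-encoding the name for the link target and anchoring it as a relative path, e.g. `<a href="./{{$name}}">`, while keeping the plain HTML-escaped form for the link text. The same pattern appears in the next hunk with `{{$name := .|fileInfoName|html}}`. The missing percent-encoding also applies to the `/{{$pkg}}` and `/{{$src}}` links in the search template hunks.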
......@@ -18,7 +18,8 @@
</tr>
{{range .}}
<tr>
<td align="left"><a href="{{.|fileInfoName|html}}">{{.|fileInfoName|html}}</a></td>
{{$name := .|fileInfoName|html}}
<td align="left"><a href="{{$name}}">{{$name}}</a></td>
<td></td>
<td align="right">{{html .Size}}</td>
<td></td>
......
......@@ -3,6 +3,7 @@
Use of this source code is governed by a BSD-style
license that can be found in the LICENSE file.
-->
{{$query := urlquery .Query}}
{{with .Alert}}
<p>
<span class="alert" style="font-size:120%">{{html .}}</span>
......@@ -20,13 +21,13 @@
{{with .Decls}}
<h2 id="Global">Package-level declarations</h2>
{{range .}}
{{$pkg := pkgLink .Pak.Path}}
<h3 id="Global_{{html $pkg}}">package <a href="/{{$pkg}}">{{html .Pak.Name}}</a></h3>
{{$pkg := pkgLink .Pak.Path | html}}
<h3 id="Global_{{$pkg}}">package <a href="/{{$pkg}}">{{html .Pak.Name}}</a></h3>
{{range .Files}}
{{$src := srcLink .File.Path}}
{{$src := srcLink .File.Path | html}}
{{range .Groups}}
{{range .Infos}}
<a href="/{{$src}}?h={{urlquery $.Query}}#L{{infoLine .}}">{{html $src}}:{{infoLine .}}</a>
<a href="/{{$src}}?h={{$query}}#L{{infoLine .}}">{{$src}}:{{infoLine .}}</a>
{{infoSnippet_html .}}
{{end}}
{{end}}
......@@ -36,11 +37,11 @@
{{with .Others}}
<h2 id="Local">Local declarations and uses</h2>
{{range .}}
{{$pkg := pkgLink .Pak.Path}}
<h3 id="Local_{{html $pkg}}">package <a href="/{{$pkg}}">{{html .Pak.Name}}</a></h3>
{{$pkg := pkgLink .Pak.Path | html}}
<h3 id="Local_{{$pkg}}">package <a href="/{{$pkg}}">{{html .Pak.Name}}</a></h3>
{{range .Files}}
{{$src := srcLink .File.Path}}
<a href="/{{$src}}?h={{urlquery $.Query}}">{{html $src}}</a>
{{$src := srcLink .File.Path | html}}
<a href="/{{$src}}?h={{$query}}">{{$src}}</a>
<table class="layout">
{{range .Groups}}
<tr>
......@@ -49,7 +50,7 @@
<td align="left" width="4"></td>
<td>
{{range .Infos}}
<a href="/{{$src}}?h={{urlquery $.Query}}#L{{infoLine .}}">{{infoLine .}}</a>
<a href="/{{$src}}?h={{$query}}#L{{infoLine .}}">{{infoLine .}}</a>
{{end}}
</td>
</tr>
......@@ -71,17 +72,17 @@
<p>
<table class="layout">
{{range .}}
{{$src := srcLink .Filename}}
{{$src := srcLink .Filename | html}}
<tr>
<td align="left" valign="top">
<a href="/{{$src}}?h={{urlquery $.Query}}">{{html $src}}</a>:
<a href="/{{$src}}?h={{$query}}">{{$src}}</a>:
</td>
<td align="left" width="4"></td>
<th align="left" valign="top">{{len .Lines}}</th>
<td align="left" width="4"></td>
<td align="left">
{{range .Lines}}
<a href="/{{$src}}?h={{urlquery $.Query}}#L{{.}}">{{html .}}</a>
<a href="/{{$src}}?h={{$query}}#L{{html .}}">{{html .}}</a>
{{end}}
{{if not $.Complete}}
...
......
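Review bot: `$query` is written into `href` attributes with no `html` step, and nothing at its declaration says why that is safe. It holds only as long as `urlquery` output never contains `&`, `<`, `>` or quote characters. A template comment next to `{{$query := urlquery .Query}}` would stop a later edit from substituting a differently escaped value, e.g. `{{/* $query is URL-query-escaped; safe to use as-is inside href attributes */}}`. It would also help to note there that `$pkg` and `$src` are HTML-escaped at assignment, so they must not be passed through `html` again at the point of use.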
......@@ -481,7 +481,7 @@ func posLink_urlFunc(node ast.Node, fset *token.FileSet) string {
}
var buf bytes.Buffer
buf.WriteString(http.URLEscape(relpath))
template.HTMLEscape(&buf, []byte(relpath))
// selection ranges are of form "s=low:high"
if low < high {
fmt.Fprintf(&buf, "?s=%d:%d", low, high) // no need for URL escaping
......
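Review bot: The path is now HTML-escaped but no longer URL-escaped, so a `relpath` containing `?`, `#`, `%` or a space is emitted as URL syntax, and the `?s=low:high` suffix appended below can attach to the wrong component. If `http.URLEscape` was dropped because it also encoded `/` (an inference; the reason is not shown), the safer replacement is to percent-encode each path segment first and HTML-escape that result, e.g. `template.HTMLEscape(&buf, []byte(escapedPath))`, where `escapedPath` is a placeholder for the per-segment encoded form. The function's doc comment should also state that the returned string is already HTML-escaped, so callers do not escape it a second time. The body of posLink_urlFunc starts and ends outside this hunk.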