Escape Attr values (#77) Because this can be a place of injection if untrusted data is passed, escape all attribute values. Fixes #74.
1 file changed, 1 insertion(+), 1 deletion(-)
changed files
M gomponents.go → gomponents.go
@@ -160,7 +160,7 @@
 if a.value == nil {
 _, err := w.Write([]byte(" " + a.name))
 return err
 }
- _, err := w.Write([]byte(" " + a.name + `="` + *a.value + `"`))
+ _, err := w.Write([]byte(" " + a.name + `="` + template.HTMLEscapeString(*a.value) + `"`))
 return err
 }
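Review bot: `a.name` is still written verbatim in both writes of this hunk (the `a.value == nil` branch and the newly escaped line), so the attribute name remains an injection point if it is ever derived from untrusted data. HTML-escaping the name would not be sufficient, because whitespace, `=` or `/` inside a name can still introduce additional attributes; either reject such names or state the contract in the doc comment, e.g. `// Attribute names are written as-is and must be trusted constants; only values are HTML-escaped.` The same comment should note that `template.HTMLEscapeString` only keeps the value inside its double quotes and is not context-aware, so values for URL-bearing, style or event-handler attributes (`href`, `src`, `style`, `on*`) still need validation by the caller. Callers that already escaped their values will now get double-escaped output, which deserves a changelog line. The enclosing function begins outside the hunk.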