Escape Attr values (#77)

Because this can be a place of injection if untrusted data is passed, escape all attribute values. Fixes #74.
author: Markus Wüstenberg 2021-05-18 14:21:53 +0200
committer: GitHub 2021-05-18 14:21:53 +0200
commit: 3e9e00ca0dc6b58e58694d84c97a1d2f2ab4002b (patch)
tree: 38b6bfce3f282cd2c758687aaa88fdda88a9f661 /gomponents.go
parent: ac7471aac69fcb4e9cd460dae39b0183ec3d10df (diff)
download: gomponents-3e9e00ca0dc6b58e58694d84c97a1d2f2ab4002b.tar.lz
gomponents-3e9e00ca0dc6b58e58694d84c97a1d2f2ab4002b.tar.zst
gomponents-3e9e00ca0dc6b58e58694d84c97a1d2f2ab4002b.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/gomponents.go b/gomponents.go
index a8b0f95..9cf4297 100644
--- a/gomponents.go
+++ b/gomponents.go
@@ -160,7 +160,7 @@ func (a *attr) Render(w io.Writer) error {
 		_, err := w.Write([]byte(" " + a.name))
 		return err
 	}
-	_, err := w.Write([]byte(" " + a.name + `="` + *a.value + `"`))
+	_, err := w.Write([]byte(" " + a.name + `="` + template.HTMLEscapeString(*a.value) + `"`))
 	return err
 }
author	Markus Wüstenberg	2021-05-18 14:21:53 +0200
committer	GitHub	2021-05-18 14:21:53 +0200
commit	3e9e00ca0dc6b58e58694d84c97a1d2f2ab4002b (patch)
tree	38b6bfce3f282cd2c758687aaa88fdda88a9f661 /gomponents.go
parent	ac7471aac69fcb4e9cd460dae39b0183ec3d10df (diff)
download	gomponents-3e9e00ca0dc6b58e58694d84c97a1d2f2ab4002b.tar.lz gomponents-3e9e00ca0dc6b58e58694d84c97a1d2f2ab4002b.tar.zst gomponents-3e9e00ca0dc6b58e58694d84c97a1d2f2ab4002b.zip