From 3e9e00ca0dc6b58e58694d84c97a1d2f2ab4002b Mon Sep 17 00:00:00 2001
From: Markus Wüstenberg
Date: Tue, 18 May 2021 14:21:53 +0200
Subject: Escape Attr values (#77)

Because this can be a place of injection if untrusted data is passed, escape all attribute values. Fixes #74.
---
 gomponents.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'gomponents.go')

diff --git a/gomponents.go b/gomponents.go
index a8b0f95..9cf4297 100644
--- a/gomponents.go
+++ b/gomponents.go
@@ -160,7 +160,7 @@ func (a *attr) Render(w io.Writer) error {
 _, err := w.Write([]byte(" " + a.name))
 return err
 }
- _, err := w.Write([]byte(" " + a.name + `="` + *a.value + `"`))
+ _, err := w.Write([]byte(" " + a.name + `="` + template.HTMLEscapeString(*a.value) + `"`))
 return err
 }
-- cgit 1.4.1
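Review bot: On the changed `w.Write` line, `template.HTMLEscapeString` only stops the value from closing the double-quoted attribute; it does not make the value safe for what the attribute means, so untrusted data in `href`, `src`, `style` or an `on*` attribute still needs validation by the caller. That contract is not documented, and a comment above the line would state it: `// The value is HTML-escaped for a double-quoted attribute only; URL and script-bearing attributes still need caller-side validation.` `a.name` is also still written verbatim in both `Write` calls, which holds only while attribute names are developer-chosen constants; that is presumably the intent, but it is worth stating in the doc comment for the attribute constructor. Callers that already escaped their values before this change will now see them double-escaped, so the changelog should mention it. Render's body starts before the hunk, so the nil-value branch is only partly visible here.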