Fix xss on account settings page

2020-12-24 00:07:40 +01:00
parent 0b7515eccd
commit 96ca0ed90f
3 changed files with 6 additions and 4 deletions
--- a/webcontroller/user_settings.go
+++ b/webcontroller/user_settings.go
@@ -2,6 +2,7 @@ package webcontroller

 import (
 	"fmt"
+	"html"
 	"html/template"
 	"net/http"

@@ -211,7 +212,7 @@ func (wc *WebController) usernameForm(td *TemplateData, r *http.Request) (f Form
 			// Request was a success
 			f.SubmitSuccess = true
 			f.SubmitMessages = []template.HTML{template.HTML(
-				"Success! You are now " + f.FieldVal("new_username"),
+				"Success! You are now " + html.EscapeString(f.FieldVal("new_username")),
 			)}
 		}
 	}