Escape Attr values (#77)

Because this can be a place of injection if untrusted data is passed, escape all attribute values. Fixes #74.
2021-05-18 14:21:53 +02:00 · 2021-05-18 14:21:53 +02:00 · 3e9e00ca0d
commit 3e9e00ca0d
parent ac7471aac6
2 changed files with 15 additions and 1 deletions
--- a/gomponents.go
+++ b/gomponents.go
@ -160,7 +160,7 @@ func (a *attr) Render(w io.Writer) error {
 		_, err := w.Write([]byte(" " + a.name))
 		return err
 	}
-	_, err := w.Write([]byte(" " + a.name + `="` + *a.value + `"`))
+	_, err := w.Write([]byte(" " + a.name + `="` + template.HTMLEscapeString(*a.value) + `"`))
 	return err
 }

--- a/gomponents_test.go
+++ b/gomponents_test.go
@ -54,6 +54,11 @@ func TestAttr(t *testing.T) {
 			t.FailNow()
 		}
 	})
+
+	t.Run("escapes attribute values", func(t *testing.T) {
+		a := g.Attr(`id`, `hat"><script`)
+		assert.Equal(t, ` id="hat&#34;&gt;&lt;script"`, a)
+	})
 }

 func BenchmarkAttr(b *testing.B) {
@ -132,6 +137,15 @@ func TestEl(t *testing.T) {
 	})
 }

+func BenchmarkEl(b *testing.B) {
+	b.Run("normal elements", func(b *testing.B) {
+		for i := 0; i < b.N; i++ {
+			e := g.El("div")
+			_ = e.Render(&strings.Builder{})
+		}
+	})
+}
+
 type erroringWriter struct{}

 func (w *erroringWriter) Write(p []byte) (n int, err error) {