From a3e54c91cf4c48bf4040a3d936cf8a661c02788a Mon Sep 17 00:00:00 2001
From: crapStone
Date: Fri, 2 Dec 2022 13:42:03 +0100
Subject: [PATCH] fix xss on error page

---
 html/error.go | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/html/error.go b/html/error.go
index 826c42b..ac222c4 100644
--- a/html/error.go
+++ b/html/error.go
@@ -1,6 +1,7 @@
 package html
 
 import (
+ "html/template"
  "net/http"
  "strconv"
  "strings"
@@ -39,7 +40,8 @@ func errorMessage(statusCode int) string {
 
 // TODO: use template engine
 func errorBody(statusCode int) string {
- return strings.ReplaceAll(NotFoundPage,
- "%status%",
- strconv.Itoa(statusCode)+" "+errorMessage(statusCode))
+ return template.HTMLEscapeString(
+ strings.ReplaceAll(NotFoundPage,
+ "%status%",
+ strconv.Itoa(statusCode)+" "+errorMessage(statusCode)))
 }
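Review bot: `template.HTMLEscapeString` is applied to the whole substituted page in the new errorBody, so every tag in NotFoundPage is escaped together with the status text and the browser will show the page's own markup as literal text; only the value spliced into `%status%` needs escaping. The escape belongs on the replacement argument instead: `return strings.ReplaceAll(NotFoundPage, "%status%", template.HTMLEscapeString(strconv.Itoa(statusCode)+" "+errorMessage(statusCode)))`. Even then the escaping is only correct if `%status%` sits in element text; if it appears inside an attribute or a `<script>` block, entity escaping is not sufficient, which is what the existing TODO about a template engine (html/template's contextual escaping) would resolve. NotFoundPage and errorMessage are defined outside this hunk, so whether the interpolated text can actually carry attacker-influenced input cannot be confirmed from the diff alone.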