web: use html/template

so output is safe against code injection
2024-11-22 07:30:25 +00:00 · 2019-10-09 11:48:54 +02:00 · 2019-10-09 11:48:54 +02:00 · 4f36c1de06
commit 4f36c1de06
parent 5ffa34dacb
3 changed files with 3 additions and 3 deletions
--- a/httpd/internal_test.go
+++ b/httpd/internal_test.go
@ -3,10 +3,10 @@ package httpd
 import (
 	"context"
 	"fmt"
+	"html/template"
 	"net/http"
 	"net/http/httptest"
 	"testing"
-	"text/template"

 	"github.com/drakkan/sftpgo/dataprovider"
 	"github.com/go-chi/chi"
--- a/httpd/web.go
+++ b/httpd/web.go
@ -2,11 +2,11 @@ package httpd

 import (
 	"fmt"
+	"html/template"
 	"net/http"
 	"path/filepath"
 	"strconv"
 	"strings"
-	"text/template"

 	"github.com/drakkan/sftpgo/dataprovider"
 	"github.com/drakkan/sftpgo/sftpd"
--- a/templates/user.html
+++ b/templates/user.html
@ -48,7 +48,7 @@
    <div class="form-group row">
        <label for="idPermissions" class="col-sm-2 col-form-label">Permissions</label>
        <div class="col-sm-10">
-            <select class="form-control id=" idPermissions" name="permissions" required multiple>
+            <select class="form-control" id="idPermissions" name="permissions" required multiple>
                {{range $validPerm := .ValidPerms}}
                <option value="{{$validPerm}}"
                    {{range $perm := $.User.Permissions}}{{if eq $perm $validPerm}}selected{{end}}{{end}}>{{$validPerm}}