From a0270b9f34d61f0be2a104c37ec7cd435f8bf0c7 Mon Sep 17 00:00:00 2001
From: code by Ben
Date: Sun, 13 Jul 2025 23:42:46 +1000
Subject: [PATCH 1/2] Potential fix for code scanning alert no. 716: Reflected cross-site scripting

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: code by Ben
---
 handler/htmx/htmx.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/handler/htmx/htmx.go b/handler/htmx/htmx.go
index 21198ceb..d833298c 100644
--- a/handler/htmx/htmx.go
+++ b/handler/htmx/htmx.go
@@ -46,7 +46,7 @@ func Areacodes(c echo.Context) error {
 query := areacode.Queries(searches...)
 if len(query) == 0 {
 return c.HTML(http.StatusOK,
- "No results for '"+search+"'.
")
+ "No results for '"+html.EscapeString(search)+"'.
")
 }
 for val := range slices.Values(query) {
 if val.AreaCode.Valid() {

From b377002ace6f8a66267d7fef27cbd4b68e25faad Mon Sep 17 00:00:00 2001
From: Code by Ben
Date: Mon, 14 Jul 2025 16:10:56 +1000
Subject: [PATCH 2/2] fixed copilot error

---
 handler/htmx/htmx.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/handler/htmx/htmx.go b/handler/htmx/htmx.go
index d833298c..4a6a6631 100644
--- a/handler/htmx/htmx.go
+++ b/handler/htmx/htmx.go
@@ -6,6 +6,7 @@ import (
 "database/sql"
 "errors"
 "fmt"
+ "html"
 "html/template"
 "net/http"
 "slices"
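Review bot: Escaping `search` closes the reflected XSS on the no-results line, but only at this one call site; `Areacodes` starts before this hunk and continues after it, and any other `c.HTML` string there built from `search` or from result fields by concatenation needs the same treatment, or the handler should render through `html/template` (already imported) so escaping is contextual instead of per call. The same fix without a new import is `"No results for '"+template.HTMLEscapeString(search)+"'."`, which escapes the same characters. Whichever is kept, add `// search is request-controlled: escape before reflecting it into HTML` above the return so the call is not dropped in a later cleanup; the trailing markup on that string line appears lost in this rendering of the patch, so the exact literal should be checked against the file.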