uirules: ensure SQL query text is HTML escaped

tailscale · Aug 13, 2023 · d2ab22b · d2ab22b
1 parent 6de19cc
commit d2ab22b
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/uirules/uirules.go b/uirules/uirules.go
@@ -40,7 +40,8 @@ var StripeIDLink = tailsql.UIRewriteRule{
 var FormatSQLSource = tailsql.UIRewriteRule{
 	Value: regexp.MustCompile(`(?is)\b(select\s+.*from|create\s+(table|view))\b`),
 	Apply: func(col, s string, _ []string) any {
-		return template.HTML(fmt.Sprintf(`<code><pre>%s</pre></code>`, s))
+		esc := template.HTMLEscapeString(s)
+		return template.HTML(fmt.Sprintf(`<code><pre>%s</pre></code>`, esc))
 	},
 }