Fix XSS vulnerabilities in snippet annotations and plugin template

Change-Id: I7cd476e4cddc785eff465d6f5595bdbbe8aa9f45
diff --git a/mapper/response.go b/mapper/response.go
index 3ac6b02..61ff94b 100644
--- a/mapper/response.go
+++ b/mapper/response.go
@@ -2,6 +2,7 @@
 
 import (
 	"fmt"
+	"html"
 	"maps"
 	"strings"
 
@@ -253,7 +254,7 @@
 
 				annotated := escapeXMLText(trimmed)
 				for i := len(annotationStrings) - 1; i >= 0; i-- {
-					annotated = fmt.Sprintf(`<span title="%s" class="notinindex">%s</span>`, annotationStrings[i], annotated)
+					annotated = fmt.Sprintf(`<span title="%s" class="notinindex">%s</span>`, html.EscapeString(annotationStrings[i]), annotated)
 				}
 				result.WriteString(annotated)
 				result.WriteString(trailingWS)
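Review bot: The `fmt.Sprintf` line now mixes two escapers with no comment saying which output context each one covers: the element body comes from `escapeXMLText(trimmed)` and the `title` value from `html.EscapeString`. I would add a comment above the loop such as `// title is a double-quoted attribute value, so it needs quote escaping (html.EscapeString); the span body is text content and is escaped by escapeXMLText above`. If `annotationStrings` can already be entity-encoded by an upstream step, which this hunk does not show, the new call would double-encode them, so that is worth confirming against the producer. A regression test with an annotation containing `"`, `<` and `&`, asserting the exact emitted `title="..."`, would stop the escaping from being dropped again. The enclosing function starts and ends outside the hunk.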