db4s: Escape another user supplied string, for safety

justinclift · justinclift · commit cd9d065a5364 · 2023-03-04T19:04:49.000+11:00
diff --git a/db4s/main.go b/db4s/main.go
@@ -462,7 +462,7 @@ func licenceAddHandler(w http.ResponseWriter, r *http.Request) {
 	do := r.FormValue("display_order")
 	dispOrder, err := strconv.Atoi(do)
 	if err != nil {
-		http.Error(w, fmt.Sprintf("Invalid display order: %v", do), http.StatusBadRequest)
+		http.Error(w, fmt.Sprintf("Invalid display order: %v", html.EscapeString(do)), http.StatusBadRequest)
 		return
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -462,7 +462,7 @@ func licenceAddHandler(w http.ResponseWriter, r *http.Request) {`
`462`	`462`	`do := r.FormValue("display_order")`
`463`	`463`	`dispOrder, err := strconv.Atoi(do)`
`464`	`464`	`if err != nil {`
`465`		`- http.Error(w, fmt.Sprintf("Invalid display order: %v", do), http.StatusBadRequest)`
	`465`	`+ http.Error(w, fmt.Sprintf("Invalid display order: %v", html.EscapeString(do)), http.StatusBadRequest)`
`466`	`466`	`return`
`467`	`467`	`}`
`468`	`468`