templates: Hopefully escape all template inputs

2025-08-02 18:20:35 +02:00
parent 4125de8208
commit 4d2d0f9722
24 changed files with 116 additions and 116 deletions
--- a/src/root/all.tt
+++ b/src/root/all.tt
@@ -11,7 +11,7 @@ titleHTML="Latest builds" _
     "") %]
 [% PROCESS common.tt %]
-<p>Showing builds [% (page - 1) * resultsPerPage + 1 %] - [% (page - 1) * resultsPerPage + builds.size %] out of [% total %] in order of descending finish time.</p>
+<p>Showing builds [% (page - 1) * resultsPerPage + 1 %] - [% (page - 1) * resultsPerPage + builds.size %] out of [% HTML.escape(total) %] in order of descending finish time.</p>
 [% INCLUDE renderBuildList hideProjectName=project hideJobsetName=jobset hideJobName=job %]
 [% INCLUDE renderPager %]
--- a/src/root/build.tt
+++ b/src/root/build.tt
@@ -86,7 +86,7 @@ END;
              [% ELSIF step.status == 11 %]
                <span class="error">Output limit exceeded</span>
              [% ELSIF step.status == 12 %]
-                <span class="error">Non-determinism detected</span> [% IF step.timesbuilt %] after [% step.timesbuilt %] times[% END %]
+                <span class="error">Non-determinism detected</span> [% IF step.timesbuilt %] after [% HTML.escape(step.timesbuilt) %] times[% END %]
              [% ELSIF step.errormsg %]
                <span class="error">Failed</span>: <em>[% HTML.escape(step.errormsg) %]</em>
              [% ELSE %]
@@ -507,14 +507,14 @@ END;
            <div>
              [% IF not runcommandlog.is_running() %]
                [% IF runcommandlog.did_fail_with_signal() %]
-                  Exit signal: [% runcommandlog.signal %]
+                  Exit signal: [% runcommandlog.signal | html %]
                  [% IF runcommandlog.core_dumped %]
                    (Core Dumped)
                  [% END %]
                [% ELSIF runcommandlog.did_fail_with_exec_error() %]
-                  Exec error: [% runcommandlog.error_number %]
+                  Exec error: [% runcommandlog.error_number | html %]
                [% ELSIF not runcommandlog.did_succeed() %]
-                  Exit code: [% runcommandlog.exit_code %]
+                  Exit code: [% runcommandlog.exit_code | html %]
                [% END %]
              [% END %]
            </div>
--- a/src/root/channel-contents.tt
+++ b/src/root/channel-contents.tt
@@ -7,7 +7,7 @@ href="http://nixos.org/">Nix package manager</a>.  If you have Nix
 installed, you can subscribe to this channel by once executing</p>
 <div class="card bg-light"><div class="card-body"><pre>
-<span class="shell-prompt">$ </span>nix-channel --add [% curUri +%]
+<span class="shell-prompt">$ </span>nix-channel --add [% HTML.escape(curUri) +%]
 <span class="shell-prompt">$ </span>nix-channel --update
 </pre></div></div>
@@ -49,9 +49,9 @@ installed, you can subscribe to this channel by once executing</p>
      [% b = pkg.build %]
      <tr>
-        <td><a [% HTML.attributes(href => c.uri_for('/build' b.id)) %]>[% b.id %]</a></td>
+        <td><a [% HTML.attributes(href => c.uri_for('/build' b.id)) %]>[% HTML.escape(b.id) %]</a></td>
-        <td><tt>[% b.get_column('releasename') || b.nixname %]</tt></td>
+        <td><tt>[% b.get_column('releasename') || b.nixname | html %]</tt></td>
-        <td><tt>[% b.system %]</tt></td>
+        <td><tt>[% b.system | html %]</tt></td>
        <td>
          [% IF b.homepage %]
            <a [% HTML.attributes(href => b.homepage) %]>[% HTML.escape(b.description) %]</a>
--- a/src/root/common.tt
+++ b/src/root/common.tt
@@ -55,17 +55,17 @@ BLOCK renderRelativeDate %]
 [% END;
 BLOCK renderProjectName %]
-<a [% IF inRow %]class="row-link"[% END %] [% HTML.attributes(href => c.uri_for('/project' project)) %]><tt>[% project %]</tt></a>
+<a [% IF inRow %]class="row-link"[% END %] [% HTML.attributes(href => c.uri_for('/project' project)) %]><tt>[% project | html %]</tt></a>
 [% END;
 BLOCK renderJobsetName %]
-<a [% IF inRow %]class="row-link"[% END %] [% HTML.attributes(href => c.uri_for('/jobset' project jobset)) %]><tt>[% jobset %]</tt></a>
+<a [% IF inRow %]class="row-link"[% END %] [% HTML.attributes(href => c.uri_for('/jobset' project jobset)) %]><tt>[% jobset | html %]</tt></a>
 [% END;
 BLOCK renderJobName %]
-<a [% IF inRow %]class="row-link"[% END %] [% HTML.attributes(href => c.uri_for('/job' project jobset job)) %]>[% job %]</a>
+<a [% IF inRow %]class="row-link"[% END %] [% HTML.attributes(href => c.uri_for('/job' project jobset job)) %]>[% job | html %]</a>
 [% END;
@@ -98,7 +98,7 @@ BLOCK renderDrvInfo;
    .substr(0, -4); # strip `.drv`
  IF drvname != releasename;
    IF step.type == 0; action = "Build"; ELSE; action = "Substitution"; END;
-    IF drvname; %]<em> ([% action %] of [% drvname %])</em>[% END;
+    IF drvname; %]<em> ([% HTML.escape(action) %] of [% HTML.escape(drvname) %])</em>[% END;
  END;
 END;
@@ -140,20 +140,20 @@ BLOCK renderBuildListBody;
      [% IF showSchedulingInfo %]
        <td>[% IF busy %]<span class="badge badge-success">Started</span>[% ELSE %]<span class="badge badge-secondary">Queued</span>[% END %]</td>
      [% END %]
-      <td><a class="row-link" [% HTML.attributes(href => link) %]>[% build.id %]</a></td>
+      <td><a class="row-link" [% HTML.attributes(href => link) %]>[% HTML.escape(build.id) %]</a></td>
      [% IF !hideJobName %]
        <td>
-          <a [% HTML.attributes(href => link) %]>[% IF !hideJobsetName %][% build.jobset.get_column("project") %]:[% build.jobset.get_column("name") %]:[% END %][% build.get_column("job") %]</a>
+          <a [% HTML.attributes(href => link) %]>[% IF !hideJobsetName %][% HTML.escape(build.jobset.get_column("project")) %]:[% HTML.escape(build.jobset.get_column("name")) %]:[% END %][% HTML.escape(build.get_column("job")) %]</a>
          [% IF showStepName %]
            [% INCLUDE renderDrvInfo step=build.buildsteps releasename=build.nixname %]
          [% END %]
        </td>
      [% END %]
      <td class="nowrap">[% t = showSchedulingInfo ? build.timestamp : build.stoptime; IF t; INCLUDE renderRelativeDate timestamp=(showSchedulingInfo ? build.timestamp : build.stoptime); ELSE; "-"; END %]</td>
-      <td>[% !showSchedulingInfo and build.get_column('releasename') ? build.get_column('releasename') : build.nixname %]</td>
+      <td>[% !showSchedulingInfo and build.get_column('releasename') ? HTML.escape(build.get_column('releasename')) : HTML.escape(build.nixname) %]</td>
-      <td class="nowrap"><tt>[% build.system %]</tt></td>
+      <td class="nowrap"><tt>[% build.system | html %]</tt></td>
      [% IF showDescription %]
-        <td>[% build.description %]</td>
+        <td>[% HTML.escape(build.description) %]</td>
      [% END %]
    </tr>
  [% END;
@@ -176,11 +176,11 @@ BLOCK renderBuildList;
 END;
-BLOCK renderLink %]<a [% HTML.attributes(href => uri) %]>[% title %]</a>[% END;
+BLOCK renderLink %]<a [% HTML.attributes(href => uri) %]>[% HTML.escape(title) %]</a>[% END;
 BLOCK maybeLink;
-  IF uri %]<a [% HTML.attributes(href => uri, class => class); IF confirmmsg +%] onclick="javascript:return confirm('[% confirmmsg %]')"[% END %]>[% content %]</a>[% ELSE; content; END;
+  IF uri %]<a [% HTML.attributes(href => uri, class => class); IF confirmmsg +%] onclick="javascript:return confirm('[% confirmmsg %]')"[% END %]>[% HTML.escape(content) %]</a>[% ELSE; HTML.escape(content); END;
 END;
@@ -192,7 +192,7 @@ BLOCK renderSelection;
          <label class="radio inline">
            <input type="radio" [% HTML.attributes(id => param, name => param, value => name) %]
              [% IF name == curValue; "checked='1'"; END %]>
-              [% options.$name %]
+              [% HTML.escape(options.$name) %]
            </input>
          </label>
        [% END %]
@@ -200,7 +200,7 @@ BLOCK renderSelection;
    [% ELSE %]
      <select class="custom-select" [% HTML.attributes(id => param, name => param) %]>
        [% FOREACH name IN options.keys.sort %]
-          <option [% IF name == curValue; "selected='selected'"; END; " "; HTML.attributes(value => name) %]>[% options.$name %]</option>
+          <option [% IF name == curValue; "selected='selected'"; END; " "; HTML.attributes(value => name) %]>[% HTML.escape(options.$name) %]</option>
        [% END %]
      </select>
    [% END;
@@ -216,12 +216,12 @@ BLOCK editString; %]
 BLOCK renderFullBuildLink;
-  INCLUDE renderFullJobNameOfBuild build=build %] <a [% HTML.attributes(href => c.uri_for('/build' build.id)) %]>build [% build.id %]</a>[%
+  INCLUDE renderFullJobNameOfBuild build=build %] <a [% HTML.attributes(href => c.uri_for('/build' build.id)) %]>build [% HTML.escape(build.id) %]</a>[%
 END;
 BLOCK renderBuildIdLink; %]
-<a [% HTML.attributes(href => c.uri_for('/build' id)) %]>build [% id %]</a>
+<a [% HTML.attributes(href => c.uri_for('/build' id)) %]>build [% HTML.escape(id) %]</a>
 [% END;
@@ -320,7 +320,7 @@ END;
 BLOCK renderShortInputValue;
  IF input.type == "build" || input.type == "sysbuild" %]
-    <a [% HTML.attributes(href => c.uri_for('/build' input.dependency.id)) %]>[% input.dependency.id %]</a>
+    <a [% HTML.attributes(href => c.uri_for('/build' input.dependency.id)) %]>[% HTML.escape(input.dependency.id) %]</a>
  [% ELSIF input.type == "string" %]
    <tt>"[% HTML.escape(input.value) %]"</tt>
  [% ELSIF input.type == "nix" || input.type == "boolean" %]
@@ -338,7 +338,7 @@ BLOCK renderDiffUri;
    url = bi1.uri;
    path = url.replace(base, '');
    IF url.match(base) %]
-      <a target="_blank" [% HTML.attributes(href => m.uri.replace('_path_', path).replace('_1_', bi1.revision).replace('_2_', bi2.revision)) %]>[% contents %]</a>
+      <a target="_blank" [% HTML.attributes(href => m.uri.replace('_path_', path).replace('_1_', bi1.revision).replace('_2_', bi2.revision)) %]>[% HTML.escape(contents) %]</a>
      [% nouri = 0;
    END;
  END;
@@ -353,7 +353,7 @@ BLOCK renderDiffUri;
        rev2 = bi2.revision,
        type = bi1.type,
        branch = branch
-      })) %]>[% contents %]</a>
+      })) %]>[% HTML.escape(contents) %]</a>
    [% ELSE;
      contents;
    END;
@@ -369,8 +369,8 @@ BLOCK renderInputs; %]
    <tbody>
      [% FOREACH input IN inputs %]
        <tr>
-          <td><tt>[% input.name %]</tt></td>
+          <td><tt>[% input.name | html %]</tt></td>
-          <td>[% type = input.type; inputTypes.$type %]</td>
+          <td>[% type = input.type; HTML.escape(inputTypes.$type) %]</td>
          <td>
            [% IF input.type == "build" || input.type == "sysbuild" %]
              [% INCLUDE renderFullBuildLink build=input.dependency %]
@@ -383,7 +383,7 @@ BLOCK renderInputs; %]
            [% END %]
          </td>
          <td>[% IF input.revision %][% HTML.escape(input.revision) %][% END %]</td>
-          <td><tt>[% input.path %]</tt></td>
+          <td><tt>[% input.path | html %]</tt></td>
        </tr>
      [% END %]
    </tbody>
@@ -407,33 +407,33 @@ BLOCK renderInputDiff; %]
          IF bi1.name == bi2.name;
            IF bi1.type == bi2.type;
              IF bi1.value != bi2.value || bi1.uri != bi2.uri %]
-                <tr><td><b>[% bi1.name %]</b></td><td><tt>[% INCLUDE renderShortInputValue input=bi1 %]</tt> to <tt>[% INCLUDE renderShortInputValue input=bi2 %]</tt></td></tr>
+                <tr><td><b>[% HTML.escape(bi1.name) %]</b></td><td><tt>[% INCLUDE renderShortInputValue input=bi1 %]</tt> to <tt>[% INCLUDE renderShortInputValue input=bi2 %]</tt></td></tr>
              [% ELSIF bi1.uri == bi2.uri && bi1.revision != bi2.revision %]
                [% IF bi1.type == "git" %]
                  <tr><td>
-                    <b>[% bi1.name %]</b></td><td><tt>[% INCLUDE renderDiffUri contents=(bi1.revision.substr(0, 12) _ ' to ' _ bi2.revision.substr(0, 12)) %]</tt>
+                    <b>[% HTML.escape(bi1.name) %]</b></td><td><tt>[% INCLUDE renderDiffUri contents=(bi1.revision.substr(0, 12) _ ' to ' _ bi2.revision.substr(0, 12)) %]</tt>
                  </td></tr>
                [% ELSE %]
                  <tr><td>
-                    <b>[% bi1.name %]</b></td><td><tt>[% INCLUDE renderDiffUri contents=(bi1.revision _ ' to ' _ bi2.revision) %]</tt>
+                    <b>[% HTML.escape(bi1.name) %]</b></td><td><tt>[% INCLUDE renderDiffUri contents=(bi1.revision _ ' to ' _ bi2.revision) %]</tt>
                  </td></tr>
                [% END %]
              [% ELSIF bi1.dependency.id != bi2.dependency.id || bi1.path != bi2.path %]
                <tr><td>
-                  <b>[% bi1.name %]</b></td><td><tt>[% INCLUDE renderShortInputValue input=bi1 %]</tt> to <tt>[% INCLUDE renderShortInputValue input=bi2 %]</tt>
+                  <b>[% HTML.escape(bi1.name) %]</b></td><td><tt>[% INCLUDE renderShortInputValue input=bi1 %]</tt> to <tt>[% INCLUDE renderShortInputValue input=bi2 %]</tt>
                  <br/>
                  <br/>
                  [% INCLUDE renderInputDiff inputs1=bi1.dependency.inputs inputs2=bi2.dependency.inputs nestedDiff=1 nestLevel=nestLevel+1 %]
                </td></tr>
              [% END %]
            [% ELSE %]
-              <tr><td><b>[% bi1.name %]</b></td><td>Changed input type from '[% type = bi1.type; inputTypes.$type %]' to '[% type = bi2.type; inputTypes.$type %]'</td></tr>
+              <tr><td><b>[% HTML.escape(bi1.name) %]</b></td><td>Changed input type from '[% type = bi1.type; HTML.escape(inputTypes.$type) %]' to '[% type = bi2.type; HTML.escape(inputTypes.$type) %]'</td></tr>
            [% END;
            deletedInput = 0;
          END;
        END;
        IF deletedInput == 1 %]
-          <tr><td><b>[% bi1.name %]</b></td><td>Input not present in this build.</td></tr>
+          <tr><td><b>[% HTML.escape(bi1.name) %]</b></td><td>Input not present in this build.</td></tr>
        [% END;
      END;
    END %]
@@ -455,13 +455,13 @@ BLOCK renderShortEvalInput;
  IF input.type == "svn" || input.type == "svn-checkout" || input.type == "bzr" || input.type == "bzr-checkout" %]
    r[% input.revision %]
  [% ELSIF input.type == "git" %]
-    <tt>[% input.revision.substr(0, 7) %]</tt>
+    <tt>[% input.revision.substr(0, 7) | html %]</tt>
  [% ELSIF input.type == "hg" %]
-    <tt>[% input.revision.substr(0, 12) %]</tt>
+    <tt>[% input.revision.substr(0, 12) | html %]</tt>
  [% ELSIF input.type == "build" || input.type == "sysbuild" %]
-    <a [% HTML.attributes(href => c.uri_for('/build' input.get_column('dependency'))) %]>[% input.get_column('dependency') %]</a>
+    <a [% HTML.attributes(href => c.uri_for('/build' input.get_column('dependency'))) %]>[% HTML.escape(input.get_column('dependency')) %]</a>
  [% ELSE %]
-    <tt>[% input.revision %]</tt>
+    <tt>[% input.revision | html %]</tt>
  [% END;
 END;
@@ -498,7 +498,7 @@ BLOCK renderEvals %]
        eval = e.eval;
        link = c.uri_for(c.controller('JobsetEval').action_for('view'), [eval.id]) %]
        <tr>
-          <td><a class="row-link" [% HTML.attributes(href => link) %]>[% eval.id %]</a></td>
+          <td><a class="row-link" [% HTML.attributes(href => link) %]>[% HTML.escape(eval.id) %]</a></td>
          [% IF !jobset && !build %]
            <td>[% INCLUDE renderFullJobsetName project=eval.jobset.project.name jobset=eval.jobset.name %]</td>
          [% END %]
@@ -507,7 +507,7 @@ BLOCK renderEvals %]
            [% IF e.changedInputs.size > 0;
              sep='';
              FOREACH input IN e.changedInputs;
-                sep; %] [% input.name %] → [% INCLUDE renderShortEvalInput input=input;
+                sep; %] [% HTML.escape(input.name) %] → [% INCLUDE renderShortEvalInput input=input;
                sep=', ';
              END;
            ELSE %]
@@ -518,23 +518,23 @@ BLOCK renderEvals %]
            [% END %]
          </td>
          <td align='right' class="nowrap">
-            <span class="badge badge-success">[% e.nrSucceeded %]</span>
+            <span class="badge badge-success">[% HTML.escape(e.nrSucceeded) %]</span>
          </td>
          <td align="right" class="nowrap">
            [% IF e.nrFailed > 0 %]
-            <span class="badge badge-danger">[% e.nrFailed %]</span>
+            <span class="badge badge-danger">[% HTML.escape(e.nrFailed) %]</span>
            [% END %]
          </td>
          <td align="right" class="nowrap">
            [% IF e.nrScheduled > 0 %]
-            <span class="badge badge-secondary">[% e.nrScheduled %]</span>
+            <span class="badge badge-secondary">[% HTML.escape(e.nrScheduled) %]</span>
            [% END %]
          </td>
          <td align='right' class="nowrap">
            [% IF e.diff > 0 %]
-              <span class='badge badge-success'><strong>+[% e.diff %]</strong></span>
+              <span class='badge badge-success'><strong>+[% HTML.escape(e.diff) %]</strong></span>
            [% ELSIF e.diff < 0 && e.nrScheduled == 0 %]
-              <span class='badge badge-danger'><strong>[% e.diff %]</strong></span>
+              <span class='badge badge-danger'><strong>[% HTML.escape(e.diff) %]</strong></span>
            [% END %]
          </td>
        </tr>
@@ -553,14 +553,14 @@ BLOCK renderLogLinks %]
 BLOCK makeLazyTab %]
-  <div id="[% tabName %]" class="tab-pane">
+  <div [% HTML.attributes(id => tabName) %] class="tab-pane">
    <center><span class="spinner-border spinner-border-sm"/></center>
  </div>
  <script>
    [% IF callback.defined %]
-    $(function() { makeLazyTab("[% tabName %]", "[% uri %]", [% callback %] ); });
+    $(function() { makeLazyTab("[% HTML.escape(tabName) %]", "[% uri %]", [% callback %] ); });
    [% ELSE %]
-    $(function() { makeLazyTab("[% tabName %]", "[% uri %]", null ); });
+    $(function() { makeLazyTab("[% HTML.escape(tabName) %]", "[% uri %]", null ); });
    [% END %]
  </script>
 [% END;
@@ -587,7 +587,7 @@ BLOCK navItem %]
  <li class="nav-item">
    <a class="nav-link[% IF "${root}${curUri}" == uri %] active[% END %]"
      [% HTML.attributes(href => uri) %]>
-      [% title %]
+      [% HTML.escape(title) %]
    </a>
  </li>
 [% END;
@@ -657,17 +657,17 @@ BLOCK renderJobsetOverview %]
        <td><span class="[% class %]">[% successrate FILTER format('%d') %]%</span></td>
        <td>
          [% IF j.get_column('nrsucceeded') > 0 %]
-            <span class="badge badge-success">[% j.get_column('nrsucceeded') %]</span>
+            <span class="badge badge-success">[% HTML.escape(j.get_column('nrsucceeded')) %]</span>
          [% END %]
        </td>
        <td>
          [% IF j.get_column('nrfailed') > 0 %]
-            <span class="badge badge-danger">[% j.get_column('nrfailed') %]</span>
+            <span class="badge badge-danger">[% HTML.escape(j.get_column('nrfailed')) %]</span>
          [% END %]
        </td>
        <td>
          [% IF j.get_column('nrscheduled') > 0 %]
-            <span class="badge badge-secondary">[% j.get_column('nrscheduled') %]</span>
+            <span class="badge badge-secondary">[% HTML.escape(j.get_column('nrscheduled')) %]</span>
          [% END %]
        </td>
      </tr>
@@ -700,7 +700,7 @@ BLOCK createChart %]
  <script type="text/javascript">
    $(function() {
-      showChart("[% id %]", "[% dataUrl %]", "[% yaxis %]");
+      showChart("[% HTML.escape(id) %]", "[% dataUrl | uri %]", "[% yaxis %]");
    });
  </script>
--- a/src/root/dashboard-my-jobs-tab.tt
+++ b/src/root/dashboard-my-jobs-tab.tt
@@ -9,7 +9,7 @@
 [% ELSE %]
-  <p>Below are the most recent builds of the [% builds.size %] jobs of which you
+  <p>Below are the most recent builds of the [% HTML.escape(builds.size) %] jobs of which you
  (<tt>[% HTML.escape(user.emailaddress) %]</tt>) are a maintainer.</p>
  [% INCLUDE renderBuildList %]
--- a/src/root/deps.tt
+++ b/src/root/deps.tt
@@ -3,20 +3,20 @@
 [% BLOCK renderNode %]
  <li>
    [% IF done.${node.path} %]
-      <tt>[% node.name %]</tt> (<a href="#[% done.${node.path} %]"><em>repeated</em></a>)
+      <tt>[% node.name | html %]</tt> (<a [% HTML.attributes(href => "#" _ done.${node.path}) %]><em>repeated</em></a>)
    [% ELSE %]
      [% done.${node.path} = global.nodeId; global.nodeId = global.nodeId + 1; %]
      [% IF node.refs.size > 0 %]
        <a href="javascript:" class="tree-toggle"></a>
      [% END %]
-      <span id="[% done.${node.path} %]"><span class="dep-tree-line">
+      <span [% HTML.attributes(id => done.${node.path}) %]><span class="dep-tree-line">
        [% IF node.buildStep %]
          <a [% HTML.attributes(href => c.uri_for('/build' node.buildStep.get_column('build'))) %]><tt>[% node.name %]</tt></a> [%
            IF buildStepLogExists(node.buildStep);
              INCLUDE renderLogLinks url=c.uri_for('/build' node.buildStep.get_column('build') 'nixlog' node.buildStep.stepnr);
            END %]
        [% ELSE %]
-          <tt>[% node.name %]</tt> (<em>no info</em>)
+          <tt>[% node.name | html %]</tt> (<em>no info</em>)
        [% END %]
      </span></span>
      [% IF isRoot %]
--- a/src/root/edit-jobset.tt
+++ b/src/root/edit-jobset.tt
@@ -7,17 +7,17 @@
 [% USE format %]
 [% BLOCK renderJobsetInput %]
-  <tr class="input [% extraClass %]" [% IF id %]id="[% id %]"[% END %]>
+  <tr class="input [% extraClass %]" [% IF id %][% HTML.attributes(id => id) %][% END %]>
    <td>
      <button type="button" class="btn btn-warning" onclick='$(this).parents(".input").remove()'><i class="fas fa-trash"></i></button>
    </td>
    <td>
-      <input type="text" id="[% baseName %]-name" name="[% baseName %]-name" [% HTML.attributes(value => input.name) %]/>
+      <input type="text" [% HTML.attributes(id => baseName _ "-name", name => baseName _ "-name", value => input.name) %] />
    </td>
    <td>
      [% INCLUDE renderSelection curValue=input.type param="$baseName-type" options=inputTypes edit=1 %]
    </td>
-    <td id="[% baseName %]">
+    <td [% HTML.attributes(id => baseName) %]>
      [% IF createFromEval %]
        [% value = (input.uri or input.value); IF input.revision; value = value _ " " _ input.revision; END;
           warn = input.altnr != 0;
@@ -36,7 +36,7 @@
      <input style="width: 95%" type="text" [% HTML.attributes(value => value, id => "$baseName-value", name => "$baseName-value") %]/>
    </td>
    <td>
-      <input type="checkbox" id="[% baseName %]-emailresponsible" name="[% baseName %]-emailresponsible" [% IF input.emailresponsible; 'checked="checked"'; END %]/>
+      <input type="checkbox" [% HTML.attributes(id => "$baseName-emailresponsible", name => "$baseName-emailresponsible") %] [% IF input.emailresponsible; 'checked="checked"'; END %]/>
    </td>
  </tr>
 [% END %]
@@ -149,7 +149,7 @@
    <label class="col-sm-3" for="editjobsetschedulingshares">
      Scheduling shares
      [% IF totalShares %]
-        <small class="form-text text-muted">([% f = format("%.2f"); f(jobset.schedulingshares / totalShares * 100) %]% out of [% totalShares %] shares)</small>
+        <small class="form-text text-muted">([% f = format("%.2f"); f(jobset.schedulingshares / totalShares * 100) %]% out of [% HTML.escape(totalShares) %] shares)</small>
      [% END %]
    </label>
    <div class="col-sm-9">
--- a/src/root/evals.tt
+++ b/src/root/evals.tt
@@ -10,7 +10,7 @@
 [% PROCESS common.tt %]
 <p>Showing evaluations [% (page - 1) * resultsPerPage + 1 %] - [%
-(page - 1) * resultsPerPage + evals.size %] out of [% total %].</p>
+(page - 1) * resultsPerPage + evals.size %] out of [% HTML.escape(total) %].</p>
 [% INCLUDE renderEvals %]
--- a/src/root/job.tt
+++ b/src/root/job.tt
@@ -46,7 +46,7 @@ removed or had an evaluation error.</div>
      its success or failure is determined entirely by the result of
      building its <em>constituent jobs</em>. The table below shows
      the status of each constituent job for the [%
-      aggregates.keys.size %] most recent builds of the
+      HTML.escape(aggregates.keys.size) %] most recent builds of the
      aggregate.</div>
      [% aggs = aggregates.keys.nsort.reverse %]
--- a/src/root/jobset-channels-tab.tt
+++ b/src/root/jobset-channels-tab.tt
@@ -22,7 +22,7 @@
    <tbody>
      [% FOREACH chan IN channels-%]
        <tr>
-          <th><span><a [% HTML.attributes(href => c.uri_for('/channel/custom' project.name jobset.name chan)) %]>[% chan %]</a></span></th>
+          <th><span><a [% HTML.attributes(href => c.uri_for('/channel/custom' project.name jobset.name chan)) %]>[% HTML.escape(chan) %]</a></span></th>
          [% FOREACH eval IN evalIds %]
            <td>[% r = evals.$eval.builds.$chan; IF r.id %]<a [% HTML.attributes(href => c.uri_for('/build' r.id)) %]>[% INCLUDE renderBuildStatusIcon size=16 build=r %]</a>[% END %]</td>
          [% END %]
--- a/src/root/jobset-eval.tt
+++ b/src/root/jobset-eval.tt
@@ -14,7 +14,7 @@
    [% IF project.jobsets_rs.count > 1 %]
      <div class="dropdown-divider"></div>
      [% FOREACH j IN project.jobsets.sort('name'); IF j.name != jobset.name %]
-        <a class="dropdown-item" href="?compare=[% j.name %]&full=[% full ? 1 : 0 %]">Jobset <tt>[% project.name %]:[% j.name %]</tt></a>
+        <a class="dropdown-item" href="?compare=[% j.name | uri %]&full=[% full ? 1 : 0 %]">Jobset <tt>[% project.name | html %]:[% j.name | html %]</tt></a>
      [% END; END %]
    [% END %]
  </div>
@@ -23,13 +23,13 @@
 <p>This evaluation was performed [% IF eval.flake %]from the flake
 <tt>[% HTML.escape(eval.flake) %]</tt>[% END %] on [% INCLUDE renderDateTime
 timestamp=eval.timestamp %]. Fetching the dependencies took [%
-eval.checkouttime %]s and evaluation took [% eval.evaltime %]s.</p>
+eval.checkouttime %]s and evaluation took [% HTML.escape(eval.evaltime) %]s.</p>
 [% IF otherEval %]
 <p>Comparisons are relative to [% INCLUDE renderFullJobsetName
 project=otherEval.jobset.project.name jobset=otherEval.jobset.name %] evaluation <a [%
 HTML.attributes(href => c.uri_for(c.controller('JobsetEval').action_for('view'),
-[otherEval.id])) %]>[% otherEval.id %]</a>.</p>
+[otherEval.id])) %]>[% HTML.escape(otherEval.id) %]</a>.</p>
 [% END %]
 <form>
@@ -63,28 +63,28 @@ HTML.attributes(href => c.uri_for(c.controller('JobsetEval').action_for('view'),
  [% END %]
  [% IF aborted.size > 0 %]
-    <li class="nav-item"><a class="nav-link" href="#tabs-aborted" data-toggle="tab"><span class="text-warning">Aborted / Timed out Jobs ([% aborted.size %])</span></a></li>
+    <li class="nav-item"><a class="nav-link" href="#tabs-aborted" data-toggle="tab"><span class="text-warning">Aborted / Timed out Jobs ([% HTML.escape(aborted.size) %])</span></a></li>
  [% END %]
  [% IF nowFail.size > 0 %]
-    <li class="nav-item"><a class="nav-link" href="#tabs-now-fail" data-toggle="tab"><span class="text-warning">Newly Failing Jobs ([% nowFail.size %])</span></a></li>
+    <li class="nav-item"><a class="nav-link" href="#tabs-now-fail" data-toggle="tab"><span class="text-warning">Newly Failing Jobs ([% HTML.escape(nowFail.size) %])</span></a></li>
  [% END %]
  [% IF nowSucceed.size > 0 %]
-    <li class="nav-item"><a class="nav-link" href="#tabs-now-succeed" data-toggle="tab"><span class="text-success">Newly Succeeding Jobs ([% nowSucceed.size %])</span></a></li>
+    <li class="nav-item"><a class="nav-link" href="#tabs-now-succeed" data-toggle="tab"><span class="text-success">Newly Succeeding Jobs ([% HTML.escape(nowSucceed.size) %])</span></a></li>
  [% END %]
  [% IF new.size > 0 %]
-    <li class="nav-item"><a class="nav-link" href="#tabs-new" data-toggle="tab">New Jobs ([% new.size %])</a></li>
+    <li class="nav-item"><a class="nav-link" href="#tabs-new" data-toggle="tab">New Jobs ([% HTML.escape(new.size) %])</a></li>
  [% END %]
  [% IF removed.size > 0 %]
-    <li class="nav-item"><a class="nav-link" href="#tabs-removed" data-toggle="tab">Removed Jobs ([% removed.size %])</a></li>
+    <li class="nav-item"><a class="nav-link" href="#tabs-removed" data-toggle="tab">Removed Jobs ([% HTML.escape(removed.size) %])</a></li>
  [% END %]
  [% IF stillFail.size > 0 %]
-    <li class="nav-item"><a class="nav-link" href="#tabs-still-fail" data-toggle="tab">Still Failing Jobs ([% stillFail.size %])</a></li>
+    <li class="nav-item"><a class="nav-link" href="#tabs-still-fail" data-toggle="tab">Still Failing Jobs ([% HTML.escape(stillFail.size) %])</a></li>
  [% END %]
  [% IF stillSucceed.size > 0 %]
-    <li class="nav-item"><a class="nav-link" href="#tabs-still-succeed" data-toggle="tab">Still Succeeding Jobs ([% stillSucceed.size %])</a></li>
+    <li class="nav-item"><a class="nav-link" href="#tabs-still-succeed" data-toggle="tab">Still Succeeding Jobs ([% HTML.escape(stillSucceed.size) %])</a></li>
  [% END %]
  [% IF unfinished.size > 0 %]
-    <li class="nav-item"><a class="nav-link" href="#tabs-unfinished" data-toggle="tab">Queued Jobs ([% unfinished.size %])</a></li>
+    <li class="nav-item"><a class="nav-link" href="#tabs-unfinished" data-toggle="tab">Queued Jobs ([% HTML.escape(unfinished.size) %])</a></li>
  [% END %]
  <li class="nav-item"><a class="nav-link" href="#tabs-inputs" data-toggle="tab">Inputs</a></li>
@@ -132,7 +132,7 @@ HTML.attributes(href => c.uri_for(c.controller('JobsetEval').action_for('view'),
        [% FOREACH j IN removed.slice(0,(size > max ? max : size) - 1) %]
          <tr>
            <td>[% INCLUDE renderJobName project=project.name jobset=jobset.name job=j.job %]</td>
-            <td><tt>[% j.system %]</tt></td>
+            <td><tt>[% j.system | html %]</tt></td>
          </tr>
        [% END %]
        [% IF size > max; params = c.req.params; params.full = 1 %]
--- a/src/root/jobset-jobs-tab.tt
+++ b/src/root/jobset-jobs-tab.tt
@@ -41,7 +41,7 @@
 [% ELSE %]
  [% IF nrJobs > jobs.size %]
-    <div class="alert alert-info">Showing the first [% jobs.size %] jobs.  <a href="javascript:setFilter('filter=%')">Show all [% nrJobs %] jobs...</a></div>
+    <div class="alert alert-info">Showing the first [% HTML.escape(jobs.size) %] jobs.  <a href="javascript:setFilter('filter=%')">Show all [% HTML.escape(nrJobs) %] jobs...</a></div>
  [% END %]
  [% evalIds = evals.keys.nsort.reverse %]
--- a/src/root/jobset.tt
+++ b/src/root/jobset.tt
@@ -6,14 +6,14 @@
 [% BLOCK renderJobsetInput %]
-  <tr class="input [% extraClass %]" [% IF id %]id="[% id %]"[% END %]>
+  <tr class="input [% extraClass %]" [% IF id %][% HTML.attributes(id => id) %][% END %]>
    <td>
      <tt>[% HTML.escape(input.name) %]</tt>
    </td>
    <td>
      [% INCLUDE renderSelection curValue=input.type param="$baseName-type" options=inputTypes %]
    </td>
-    <td class="inputalts" id="[% baseName %]">
+    <td class="inputalts" [% HTML.attributes(id => baseName) %]>
      [% FOREACH alt IN input.search_related('jobsetinputalts', {}, { order_by => 'altnr' }) %]
        <tt class="inputalt">
          [% IF input.type == "string" %]
@@ -153,11 +153,11 @@
      [% END %]
      <tr>
        <th>Check interval:</th>
-        <td>[% jobset.checkinterval || "<em>disabled</em>"  %]</td>
+        <td>[% HTML.escape(jobset.checkinterval) || "<em>disabled</em>"  %]</td>
      </tr>
      <tr>
        <th>Scheduling shares:</th>
-        <td>[% jobset.schedulingshares %] [% IF totalShares %] ([% f = format("%.2f"); f(jobset.schedulingshares / totalShares * 100) %]% out of [% totalShares %] shares)[% END %]</td>
+        <td>[% HTML.escape(jobset.schedulingshares) %] [% IF totalShares %] ([% f = format("%.2f"); f(jobset.schedulingshares / totalShares * 100) %]% out of [% HTML.escape(totalShares) %] shares)[% END %]</td>
      </tr>
      <tr>
        <th>Enable Dynamic RunCommand Hooks:</th>
@@ -175,7 +175,7 @@
      [% END %]
      <tr>
        <th>Number of evaluations to keep:</th>
-        <td>[% jobset.keepnr %]</td>
+        <td>[% HTML.escape(jobset.keepnr) %]</td>
      </tr>
    </table>
--- a/src/root/log.tt
+++ b/src/root/log.tt
@@ -14,7 +14,7 @@
  the build log (<a [% HTML.attributes(href => step ? c.uri_for('/build' build.id 'nixlog' step.stepnr, 'raw')
  : c.uri_for('/build' build.id 'log', 'raw')) %]>raw</a>) of derivation <tt>[% IF step; step.drvpath; ELSE; build.drvpath; END %]</tt>.
  [% IF step && step.machine %]
-    It was built on <tt>[% step.machine %]</tt>.
+    It was built on <tt>[% step.machine | html %]</tt>.
  [% END %]
  [% IF tail %]
  The <a [% HTML.attributes(href => step ? c.uri_for('/build' build.id 'nixlog' step.stepnr)
@@ -37,7 +37,7 @@
        [% IF tail %]
        /* The server may give us a full log (e.g. if the log is in
           S3). So extract the last lines. */
-        log_data = log_data.split("\n").slice(-[% tail %]).join("\n");
+        log_data = log_data.split("\n").slice(-[% HTML.escape(tail) %]).join("\n");
        [% END %]
        $("#contents").text(log_data);
--- a/src/root/machine-status.tt
+++ b/src/root/machine-status.tt
@@ -21,22 +21,22 @@
          <tt [% IF m.value.disabled %]style="text-decoration: line-through;"[% END %]>[% INCLUDE renderMachineName machine=m.key %]</tt>
          [% IF m.value.primarySystemType %]
            <span class="muted" style="font-weight: normal;">
-              (<tt>[% m.value.primarySystemType %]</tt>)
+              (<tt>[% m.value.primarySystemType | html %]</tt>)
            </span>
            &nbsp;
            [% WRAPPER makePopover title="Details" classes="btn-secondary btn-sm" %]
              <ul class="list-unstyled mb-0">
-                <li><b>System types:&nbsp;</b>[% comma=0; FOREACH system IN m.value.systemTypes %][% IF comma; %], [% ELSE; comma = 1; END %]<tt>[% system %]</tt>[% END %]</li>
+                <li><b>System types:&nbsp;</b>[% comma=0; FOREACH system IN m.value.systemTypes %][% IF comma; %], [% ELSE; comma = 1; END %]<tt>[% system | html%]</tt>[% END %]</li>
-                <li><b>Supported Features:&nbsp;</b>[% comma=0; FOREACH feat IN m.value.supportedFeatures %][% IF comma; %], [% ELSE; comma = 1; END %]<tt>[% feat %]</tt>[% END %]</li>
+                <li><b>Supported Features:&nbsp;</b>[% comma=0; FOREACH feat IN m.value.supportedFeatures %][% IF comma; %], [% ELSE; comma = 1; END %]<tt>[% feat| html %]</tt>[% END %]</li>
-                <li><b>Mandatory Features:&nbsp;</b>[% comma=0; FOREACH feat IN m.value.mandatoryFeatures %][% IF comma; %], [% ELSE; comma = 1; END %]<tt>[% feat %]</tt>[% END %]</li>
+                <li><b>Mandatory Features:&nbsp;</b>[% comma=0; FOREACH feat IN m.value.mandatoryFeatures %][% IF comma; %], [% ELSE; comma = 1; END %]<tt>[% feat| html %]</tt>[% END %]</li>
                <li><b>Capacity:&nbsp;</b>[% INCLUDE renderYesNo value=m.value.hasCapacity %]&nbsp;<b>Static:&nbsp;</b>[% INCLUDE renderYesNo value=m.value.hasStaticCapacity %]&nbsp;<b>Dynamic:&nbsp;</b>[% INCLUDE renderYesNo value=m.value.hasDynamicCapacity %]</li>
-                <li><b>Scheduling Score:&nbsp;</b>[% m.value.score %]</li>
+                <li><b>Scheduling Score:&nbsp;</b>[% HTML.escape(m.value.score) %]</li>
-                <li><b>Load:&nbsp;</b><tt>[% pretty_load(m.value.stats.load1) %]</tt>&nbsp;&nbsp;&nbsp;<tt>[% pretty_load(m.value.stats.load5) %]</tt>&nbsp;&nbsp;&nbsp;<tt>[% pretty_load(m.value.stats.load15) %]</tt></li>
+                <li><b>Load:&nbsp;</b><tt>[% pretty_load(m.value.stats.load1) | html %]</tt>&nbsp;&nbsp;&nbsp;<tt>[% pretty_load(m.value.stats.load5) | html %]</tt>&nbsp;&nbsp;&nbsp;<tt>[% pretty_load(m.value.stats.load15) | html %]</tt></li>
-                <li><b>Memory:&nbsp;</b><tt>[% human_bytes(m.value.stats.memUsage) %]</tt> of <tt>[% human_bytes(m.value.memTotal) %]</tt> used (<tt>[% human_bytes(m.value.memTotal - m.value.stats.memUsage) %]</tt> free)</li>
+                <li><b>Memory:&nbsp;</b><tt>[% human_bytes(m.value.stats.memUsage) | html %]</tt> of <tt>[% human_bytes(m.value.memTotal) | html %]</tt> used (<tt>[% human_bytes(m.value.memTotal - m.value.stats.memUsage) | html %]</tt> free)</li>
                [% pressure = m.value.stats.pressure %]
                [% MACRO render_pressure(title, pressure) BLOCK %]
                    [% IF pressure %]
-                        <tr><td><b>[% title %]:</b></td><td><tt>[% pretty_percent(pressure.avg10) %]%</tt></td><td><td><tt>[% pretty_percent(pressure.avg60) %]%</tt></td><td><td><tt>[% pretty_percent(pressure.avg300) %]%</tt></td><td>
+                        <tr><td><b>[% HTML.escape(title) %]:</b></td><td><tt>[% pretty_percent(pressure.avg10) | html %]%</tt></td><td><td><tt>[% pretty_percent(pressure.avg60) | html %]%</tt></td><td><td><tt>[% pretty_percent(pressure.avg300) | html %]%</tt></td><td>
                    [% END %]
                [% END %]
                [% IF pressure %]
@@ -56,7 +56,7 @@
          [% ELSE %]
            [% IF m.value.systemTypes %]
              <span class="muted" style="font-weight: normal;">
-                ([% comma=0; FOREACH system IN m.value.systemTypes %][% IF comma; %], [% ELSE; comma = 1; END %]<tt>[% system %]</tt>[% END %])
+                ([% comma=0; FOREACH system IN m.value.systemTypes %][% IF comma; %], [% ELSE; comma = 1; END %]<tt>[% system | html %]</tt>[% END %])
              </span>
            [% END %]
          [% END %]
@@ -76,9 +76,9 @@
          [% idle = 0 %]
          <tr>
            <td><tt>[% INCLUDE renderFullJobName project=step.project jobset=step.jobset job=step.job %]</tt></td>
-            <td><a [% HTML.attributes(href => c.uri_for('/build' step.build)) %]>[% step.build %]</a></td>
+            <td><a [% HTML.attributes(href => c.uri_for('/build' step.build)) %]>[% HTML.escape(step.build) %]</a></td>
-            <td>[% IF step.busy >= 30 %]<a class="row-link" [% HTML.attributes(href => c.uri_for('/build' step.build 'nixlog' step.stepnr 'tail')) %]>[% step.stepnr %]</a>[% ELSE; step.stepnr; END %]</td>
+            <td>[% IF step.busy >= 30 %]<a class="row-link" [% HTML.attributes(href => c.uri_for('/build' step.build 'nixlog' step.stepnr 'tail')) %]>[% HTML.escape(step.stepnr) %]</a>[% ELSE; HTML.escape(step.stepnr); END %]</td>
-            <td><tt>[% step.drvpath.match('-(.*)').0 %]</tt></td>
+            <td><tt>[% step.drvpath.match('-(.*)').0 | html %]</tt></td>
            <td>[% INCLUDE renderBusyStatus %]</td>
            <td style="width: 10em">[% INCLUDE renderDuration duration = curTime - step.starttime %] </td>
          </tr>
--- a/src/root/machines.tt
+++ b/src/root/machines.tt
@@ -15,11 +15,11 @@
        [% FOREACH m IN machines %]
        <tr>
            <td><input type="checkbox" name="enabled" [% IF m.value.maxJobs > 0  %]CHECKED[% END %] disabled="true" /></td>
-            <td>[% m.key %]</a></td>
+            <td>[% HTML.escape(m.key) %]</a></td>
-            <td>[% m.value.maxJobs %]</td>
+            <td>[% HTML.escape(m.value.maxJobs) %]</td>
-            <td>[% m.value.speedFactor %]</td>
+            <td>[% HTML.escape(m.value.speedFactor) %]</td>
            <td>
-                [% comma=0; FOREACH system IN m.value.systemTypes %][% IF comma; %], [% ELSE; comma = 1; END; system; END %]
+                [% comma=0; FOREACH system IN m.value.systemTypes %][% IF comma; %], [% ELSE; comma = 1; END; HTML.escape(system); END %]
            </td>
        </tr>
        [% END %]
--- a/src/root/overview.tt
+++ b/src/root/overview.tt
@@ -6,7 +6,7 @@
    [% FOREACH i IN newsItems %]
      <div class="news-item">
        [% contents = String.new(i.contents) %]
-        <h4 class="alert-heading">[% INCLUDE renderDateTime timestamp=i.createtime %] by [% i.author.fullname %]</h4>
+        <h4 class="alert-heading">[% INCLUDE renderDateTime timestamp=i.createtime %] by [% HTML.escape(i.author.fullname) %]</h4>
        [% contents.replace('\n','<br />\n') %]
      </div>
    [% END %]
--- a/src/root/queue-summary.tt
+++ b/src/root/queue-summary.tt
@@ -39,7 +39,7 @@
      [% FOREACH s IN systems %]
        <tr>
          <td><tt>[% HTML.escape(s.system) %]</tt></td>
-          <td>[% s.c %]</td>
+          <td>[% HTML.escape(s.c) %]</td>
        </tr>
      [% END %]
    </tdata>
--- a/src/root/runcommand-log.tt
+++ b/src/root/runcommand-log.tt
@@ -12,7 +12,7 @@
  is
  [% END %]
  the output of a RunCommand execution of the command <tt>[% HTML.escape(runcommandlog.command) %]</tt>
-  on <a [% HTML.attributes(href => c.uri_for('/build', build.id)) %]>Build [% build.id %]</a>.
+  on <a [% HTML.attributes(href => c.uri_for('/build', build.id)) %]>Build [% HTML.escape(build.id) %]</a>.
  [% IF tail %]
  The <a [% HTML.attributes(href => c.uri_for('/build', build.id, 'runcommandlog', runcommandlog.uuid)) %]>full log</a> is also available.
  [% END %]
@@ -33,7 +33,7 @@
        [% IF tail %]
        /* The server may give us a full log (e.g. if the log is in
           S3). So extract the last lines. */
-        log_data = log_data.split("\n").slice(-[% tail %]).join("\n");
+        log_data = log_data.split("\n").slice(-[% HTML.escape(tail) %]).join("\n");
        [% END %]
        $("#contents").text(log_data);
--- a/src/root/search.tt
+++ b/src/root/search.tt
@@ -7,7 +7,7 @@
 [% IF builds.size > 0 %]
-  <p>The following builds match your query:[% IF builds.size > limit %] <span class="text-warning">(first [% limit %] results only)</span>[% END %]</p>
+  <p>The following builds match your query:[% IF builds.size > limit %] <span class="text-warning">(first [% HTML.escape(limit) %] results only)</span>[% END %]</p>
  [% INCLUDE renderBuildList %]
@@ -58,7 +58,7 @@
 [% IF jobs.size > 0; matched = 1 %]
-  <p>The following jobs match your query:[% IF jobs.size > limit %] <span class="text-warning">(first [% limit %] results only)</span>[% END %]</p>
+  <p>The following jobs match your query:[% IF jobs.size > limit %] <span class="text-warning">(first [% HTML.escape(limit) %] results only)</span>[% END %]</p>
  <table class="table table-striped table-condensed clickable-rows">
    <thead>
--- a/src/root/steps.tt
+++ b/src/root/steps.tt
@@ -2,7 +2,7 @@
 [% PROCESS common.tt %]
 <p>Showing steps [% (page - 1) * resultsPerPage + 1 %] - [% (page - 1)
-* resultsPerPage + steps.size %] of about [% total %] in
+* resultsPerPage + steps.size %] of about [% HTML.escape(total) %] in
 order of descending finish time.</p>
 <table class="table table-striped table-condensed clickable-rows">
@@ -24,8 +24,8 @@ order of descending finish time.</p>
        <td>[% INCLUDE renderBuildStatusIcon buildstatus=step.status size=16 %]</td>
        <td><tt>[% step.drvpath.match('-(.*).drv').0 %]</tt></td>
        <td><tt>[% INCLUDE renderFullJobNameOfBuild build=step.build %]</tt></td>
-        <td><a [% HTML.attributes(href => c.uri_for('/build' step.build.id)) %]>[% step.build.id %]</a></td>
+        <td><a [% HTML.attributes(href => c.uri_for('/build' step.build.id)) %]>[% HTML.escape(step.build.id) %]</a></td>
-        <td><a class="row-link" [% HTML.attributes(href => c.uri_for('/build' step.build.id 'nixlog' step.stepnr 'tail')) %]>[% step.stepnr %]</a></td>
+        <td><a class="row-link" [% HTML.attributes(href => c.uri_for('/build' step.build.id 'nixlog' step.stepnr 'tail')) %]>[% HTML.escape(step.stepnr) %]</a></td>
        <td>[% INCLUDE renderRelativeDate timestamp=step.stoptime %]</td>
        <td style="width: 10em">[% INCLUDE renderDuration duration = step.stoptime - step.starttime %] </td>
        <td><tt>[% INCLUDE renderMachineName machine=step.machine %]</tt></td>
--- a/src/root/topbar.tt
+++ b/src/root/topbar.tt
@@ -1,6 +1,6 @@
 [% BLOCK makeSubMenu %]
  <li class="nav-item dropdown" [% IF id; HTML.attributes(id => id); END %] >
-    <a class="nav-link dropdown-toggle" href="#" data-toggle="dropdown">[% title %]<b class="caret"></b></a>
+    <a class="nav-link dropdown-toggle" href="#" data-toggle="dropdown">[% HTML.escape(title) %]<b class="caret"></b></a>
    <div class="dropdown-menu[% IF align == 'right' %] dropdown-menu-right[% END %]">
      [% content %]
    </div>
@@ -143,7 +143,7 @@
        <div class="dropdown-divider"></div>
      [% END %]
      [% IF c.config.github_client_id %]
-        <a class="dropdown-item" href="/github-redirect?after=[% c.req.path %]">Sign in with GitHub</a>
+        <a class="dropdown-item" href="/github-redirect?after=[% c.req.path | uri %]">Sign in with GitHub</a>
        <div class="dropdown-divider"></div>
      [% END %]
      <a class="dropdown-item" href="#hydra-signin" data-toggle="modal">Sign in with a Hydra account</a>
--- a/src/root/user.tt
+++ b/src/root/user.tt
@@ -17,7 +17,7 @@
      disabled="disabled"
    [% END %]
    [% HTML.attributes(id => "role-${role}", value => role) %] />
-  <label [% HTML.attributes(for => "role-${role}") %]> [% role %]</label><br />
+  <label [% HTML.attributes(for => "role-${role}") %]> [% HTML.escape(role) %]</label><br />
  [% END %]
 <form>
--- a/src/root/users.tt
+++ b/src/root/users.tt
@@ -17,7 +17,7 @@
        <td><a class="row-link" [% HTML.attributes(href => c.uri_for(c.controller('User').action_for('edit'), [u.username])) %]>[% HTML.escape(u.username) %]</a></td>
        <td>[% HTML.escape(u.fullname) %]</td>
        <td>[% HTML.escape(u.emailaddress) %]</td>
-        <td>[% FOREACH r IN u.userroles %]<i>[% r.role %]</i> [% END %]</td>
+        <td>[% FOREACH r IN u.userroles %]<i>[% HTML.escape(r.role) %]</i> [% END %]</td>
        <td>[% IF u.emailonerror %]Yes[% ELSE %]No[% END %]</td>
      </tr>
    [% END %]