templates: Hopefully escape all template inputs

2025-08-02 18:20:35 +02:00
parent b94f47ed27
commit c6424f37a6
24 changed files with 116 additions and 116 deletions
--- a/src/root/user.tt
+++ b/src/root/user.tt
@@ -17,7 +17,7 @@
      disabled="disabled"
    [% END %]
    [% HTML.attributes(id => "role-${role}", value => role) %] />
-  <label [% HTML.attributes(for => "role-${role}") %]> [% role %]</label><br />
+  <label [% HTML.attributes(for => "role-${role}") %]> [% HTML.escape(role) %]</label><br />
  [% END %]

 <form>