add " and ' to list of html-escaped chars

R=rsc
http://go/go-review/1017025

1 files changed, 24 insertions, 15 deletions

diff --git a/src/pkg/template/format.go b/src/pkg/template/format.go
index bbdfcb4bb..bcffc66ac 100644
--- a/src/pkg/template/format.go
+++ b/src/pkg/template/format.go
@@ -21,28 +21,37 @@ func StringFormatter(w io.Writer, value interface{}, format string) {
 	fmt.Fprint(w, value);
 }
 
-
-var esc_amp = strings.Bytes("&")
-var esc_lt = strings.Bytes("<")
-var esc_gt = strings.Bytes(">")
+var (
+	esc_quot = strings.Bytes(""");  // shorter than """
+	esc_apos = strings.Bytes("'");  // shorter than "'"
+	esc_amp = strings.Bytes("&");
+	esc_lt = strings.Bytes("<");
+	esc_gt = strings.Bytes(">");
+)
 
 // HtmlEscape writes to w the properly escaped HTML equivalent
 // of the plain text data s.
 func HtmlEscape(w io.Writer, s []byte) {
+	var esc []byte;
 	last := 0;
 	for i, c := range s {
-		if c == '&' || c == '<' || c == '>' {
-			w.Write(s[last:i]);
-			switch c {
-			case '&':
-				w.Write(esc_amp);
-			case '<':
-				w.Write(esc_lt);
-			case '>':
-				w.Write(esc_gt);
-			}
-			last = i+1;
+		switch c {
+		case '"':
+			esc = esc_quot;
+		case '\'':
+			esc = esc_apos;
+		case '&':
+			esc = esc_amp;
+		case '<':
+			esc = esc_lt;
+		case '>':
+			esc = esc_gt;
+		default:
+			continue;
 		}
+		w.Write(s[last:i]);
+		w.Write(esc);
+		last = i+1;
 	}
 	w.Write(s[last:len(s)]);
 }