1 files changed, 33 insertions, 6 deletions

diff --git a/src/lib/template/format.go b/src/lib/template/format.go
index de38fb982..64adba588 100644
--- a/src/lib/template/format.go
+++ b/src/lib/template/format.go
@@ -12,12 +12,6 @@ import (
 	"reflect";
 )
 
-// HtmlFormatter formats arbitrary values for HTML
-// TODO: do something for real.
-func HtmlFormatter(w io.Write, value interface{}, format string) {
-	fmt.Fprint(w, value);
-}
-
 // StringFormatter formats into the default string representation.
 // It is stored under the name "str" and is the default formatter.
 // You can override the default formatter by storing your default
@@ -25,3 +19,36 @@ func HtmlFormatter(w io.Write, value interface{}, format string) {
 func StringFormatter(w io.Write, value interface{}, format string) {
 	fmt.Fprint(w, value);
 }
+
+
+var esc_amp = io.StringBytes("&")
+var esc_lt = io.StringBytes("<")
+var esc_gt = io.StringBytes(">")
+
+// HtmlEscape writes to w the properly escaped HTML equivalent
+// of the plain text data s.
+func HtmlEscape(w io.Write, s []byte) {
+	last := 0;
+	for i, c := range s {
+		if c == '&' || c == '<' || c == '>' {
+			w.Write(s[last:i]);
+			switch c {
+			case '&':
+				w.Write(esc_amp);
+			case '<':
+				w.Write(esc_lt);
+			case '>':
+				w.Write(esc_gt);
+			}
+			last = i+1;
+		}
+	}
+	w.Write(s[last:len(s)]);
+}
+
+// HtmlFormatter formats arbitrary values for HTML
+func HtmlFormatter(w io.Write, value interface{}, format string) {
+	var b io.ByteBuffer;
+	fmt.Fprint(&b, value);
+	HtmlEscape(w, b.Data());
+}