mirror of
https://github.com/juanfont/headscale.git
synced 2026-07-15 20:40:55 +09:00
f3eb9a7bba
elem-go does not escape attribute values, so the raw query reaches the rendered HTML verbatim. Pre-escape with html.EscapeString to prevent reflected XSS. Updates #3157