From dcd1701881997eaab002aaf00fa7f5e2571902a0 Mon Sep 17 00:00:00 2001 From: Jonas Franz Date: Sat, 10 Feb 2018 15:49:39 +0100 Subject: [PATCH 1/2] Escape search query Signed-off-by: Jonas Franz (cherry picked from commit 2970889) --- modules/templates/helper.go | 7 +++++++ templates/repo/search.tmpl | 2 +- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/modules/templates/helper.go b/modules/templates/helper.go index 67ef1f7b4b592..7fc6d0dccb03a 100644 --- a/modules/templates/helper.go +++ b/modules/templates/helper.go @@ -25,6 +25,7 @@ import ( "golang.org/x/net/html/charset" "golang.org/x/text/transform" "gopkg.in/editorconfig/editorconfig-core-go.v1" + "html" ) // NewFuncMap returns functions for injecting to templates @@ -162,6 +163,7 @@ func NewFuncMap() []template.FuncMap { "UnescapeLocale": func(str string) string { return strings.NewReplacer("\\;", ";", "\\#", "#").Replace(str) }, + "Escape": Escape, }} } @@ -180,6 +182,11 @@ func Str2html(raw string) template.HTML { return template.HTML(markup.Sanitize(raw)) } +// Escape escapes a HTML string +func Escape(raw string) string { + return html.EscapeString(raw) +} + // List traversings the list func List(l *list.List) chan interface{} { e := l.Front() diff --git a/templates/repo/search.tmpl b/templates/repo/search.tmpl index 19a9d4474c452..3ddc5de86c986 100644 --- a/templates/repo/search.tmpl +++ b/templates/repo/search.tmpl @@ -14,7 +14,7 @@ {{if .Keyword}}
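Review bot: The doc comment on the new `Escape` helper in the third hunk does not say which contexts its output is safe for, and because the second hunk registers it in the template func map any template can now call it, so the next author will guess. `html.EscapeString` only replaces `<`, `>`, `&`, `'` and `"`, which is adequate for HTML text content and quoted attribute values but not for JavaScript, CSS or URL contexts, so I would make that explicit: `// Escape replaces <, >, &, ' and " in raw with HTML entities so untrusted text can be placed in HTML text content or quoted attribute values; it exists for arguments that are later piped through Str2html and is not sufficient for JavaScript, CSS or URL contexts.` The helper is only needed because `Str2html` returns the sanitized string as trusted `template.HTML`, so a one-line note on `Str2html` that every user-controlled argument of a `Tr ... | Str2html` pipeline must first go through `Escape` would keep the same injection from reappearing at the next call site. Minor style point: the added `"html"` import in the first hunk sits in the third-party group after `gopkg.in/...`; goimports would place it with the standard-library imports at the top of the block.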

- {{.i18n.Tr "repo.search.results" .Keyword .RepoLink .RepoName | Str2html}} + {{.i18n.Tr "repo.search.results" (.Keyword|Escape) .RepoLink .RepoName | Str2html }}