diff --git a/server/embed_frontend.go b/server/embed_frontend.go
index f814dfd..5a23623 100644
--- a/server/embed_frontend.go
+++ b/server/embed_frontend.go
@@ -3,6 +3,7 @@ package server
 import (
 	"embed"
 	"fmt"
+	"html/template"
 	"io/fs"
 	"net/http"
 	"strings"
@@ -142,18 +143,18 @@ Sitemap: %s/sitemap.xml`, instanceURL, instanceURL)
 func generateShortcutMetadata(shortcut *storepb.Shortcut) string {
 	metadataList := []string{
-		fmt.Sprintf(`%s`, shortcut.OgMetadata.Title),
-		fmt.Sprintf(``, shortcut.OgMetadata.Description),
-		fmt.Sprintf(``, shortcut.OgMetadata.Title),
-		fmt.Sprintf(``, shortcut.OgMetadata.Description),
-		fmt.Sprintf(``, shortcut.OgMetadata.Image),
+		fmt.Sprintf(`%s`, template.HTMLEscapeString(shortcut.OgMetadata.Title)),
+		fmt.Sprintf(``, template.HTMLEscapeString(shortcut.OgMetadata.Description)),
+		fmt.Sprintf(``, template.HTMLEscapeString(shortcut.OgMetadata.Title)),
+		fmt.Sprintf(``, template.HTMLEscapeString(shortcut.OgMetadata.Description)),
+		fmt.Sprintf(``, template.HTMLEscapeString(shortcut.OgMetadata.Image)),
 		``, // Twitter related metadata.
-		fmt.Sprintf(``, shortcut.OgMetadata.Title),
-		fmt.Sprintf(``, shortcut.OgMetadata.Description),
-		fmt.Sprintf(``, shortcut.OgMetadata.Image),
+		fmt.Sprintf(``, template.HTMLEscapeString(shortcut.OgMetadata.Title)),
+		fmt.Sprintf(``, template.HTMLEscapeString(shortcut.OgMetadata.Description)),
+		fmt.Sprintf(``, template.HTMLEscapeString(shortcut.OgMetadata.Image)),
 		``,
-		fmt.Sprintf(``, shortcut.Link),
+		fmt.Sprintf(``, template.HTMLEscapeString(shortcut.Link)),
 	}
 	return strings.Join(metadataList, "\n")
 }
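Review bot: The new lines in generateShortcutMetadata still dereference `shortcut.OgMetadata.Title` (and the other OgMetadata fields) with no nil check; if `OgMetadata` is a pointer field, as generated protobuf message fields usually are, a shortcut stored without OG metadata panics the request before any escaping runs, so a guard such as `if shortcut.OgMetadata == nil { return "" }` (or substituting an empty message) at the top of the function is worth adding. `template.HTMLEscapeString` is the right choice for text nodes and double-quoted attribute values, but for the URL-valued fields (`Image`, `Link`) it only prevents attribute breakout and does not validate the value itself; if those are user-supplied, a scheme allow-list applied before formatting would complete the fix. The function also carries no doc comment; `// generateShortcutMetadata renders the Open Graph and Twitter meta tags for shortcut with every value HTML-escaped.` would record the invariant this commit introduces.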