From 807d057f7bda8831d970df5315e1b9954ac87dcc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20R=C3=BCger?= <manuel@rueg.eu>
Date: Fri, 13 Mar 2026 09:03:39 +0100
Subject: [PATCH] stdlib: remove duplicate err check in New() and add XML
 escaping to user-controlled template values

Remove the dead second 'if err != nil' block after the already-checked
lib.Templates assignment.

Add html.EscapeString as 'xmlesc' template function and apply it to
user-controlled string parameters in ac:code, ac:status, and ac:box
templates. Values like .Title, .Color, .Language, and .Theme can contain
XML special characters (<, >, &, ") when supplied by users, which would
break Confluence storage format XML structure.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 stdlib/stdlib.go | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/stdlib/stdlib.go b/stdlib/stdlib.go
index fbe1327..d31d938 100644
--- a/stdlib/stdlib.go
+++ b/stdlib/stdlib.go
@@ -1,6 +1,7 @@
 package stdlib
 
 import (
+	"html"
 	"strings"
 	"text/template"
 
@@ -25,10 +26,6 @@ func New(api *confluence.API) (*Lib, error) {
 		return nil, err
 	}
 
-	if err != nil {
-		return nil, err
-	}
-
 	return &lib, nil
 }
 
@@ -67,6 +64,9 @@ func templates(api *confluence.API) (*template.Template, error) {
 					"_",
 				)
 			},
+			"xmlesc": func(s string) string {
+				return html.EscapeString(s)
+			},
 		},
 	)
 
@@ -90,20 +90,20 @@ func templates(api *confluence.API) (*template.Template, error) {
 		// This template is used for rendering code in ```
 		`ac:code`: text(
 			`<ac:structured-macro ac:name="code">`,
-			/**/ `<ac:parameter ac:name="language">{{ .Language }}</ac:parameter>`,
+			/**/ `<ac:parameter ac:name="language">{{ .Language | xmlesc }}</ac:parameter>`,
 			/**/ `<ac:parameter ac:name="collapse">{{ .Collapse }}</ac:parameter>`,
-			/**/ `{{ if .Theme }}<ac:parameter ac:name="theme">{{ .Theme }}</ac:parameter>{{ end }}`,
+			/**/ `{{ if .Theme }}<ac:parameter ac:name="theme">{{ .Theme | xmlesc }}</ac:parameter>{{ end }}`,
 			/**/ `{{ if .Linenumbers }}<ac:parameter ac:name="linenumbers">{{ .Linenumbers }}</ac:parameter>{{ end }}`,
 			/**/ `{{ if .Firstline }}<ac:parameter ac:name="firstline">{{ .Firstline }}</ac:parameter>{{ end }}`,
-			/**/ `{{ if .Title }}<ac:parameter ac:name="title">{{ .Title }}</ac:parameter>{{ end }}`,
+			/**/ `{{ if .Title }}<ac:parameter ac:name="title">{{ .Title | xmlesc }}</ac:parameter>{{ end }}`,
 			/**/ `<ac:plain-text-body><![CDATA[{{ .Text | cdata }}]]></ac:plain-text-body>`,
 			`</ac:structured-macro>`,
 		),
 
 		`ac:status`: text(
 			`<ac:structured-macro ac:name="status">`,
-			`<ac:parameter ac:name="colour">{{ or .Color "Grey" }}</ac:parameter>`,
-			`<ac:parameter ac:name="title">{{ or .Title .Color }}</ac:parameter>`,
+			`<ac:parameter ac:name="colour">{{ or .Color "Grey" | xmlesc }}</ac:parameter>`,
+			`<ac:parameter ac:name="title">{{ or .Title .Color | xmlesc }}</ac:parameter>`,
 			`<ac:parameter ac:name="subtle">{{ or .Subtle false }}</ac:parameter>`,
 			`</ac:structured-macro>`,
 		),
@@ -161,7 +161,7 @@ func templates(api *confluence.API) (*template.Template, error) {
 		`ac:box`: text(
 			`<ac:structured-macro ac:name="{{ .Name }}">`,
 			`<ac:parameter ac:name="icon">{{ or .Icon "false" }}</ac:parameter>`,
-			`{{ if .Title }}<ac:parameter ac:name="title">{{ .Title }}</ac:parameter>{{ end }}`,
+			`{{ if .Title }}<ac:parameter ac:name="title">{{ .Title | xmlesc }}</ac:parameter>{{ end }}`,
 			`<ac:rich-text-body>{{ .Body }}</ac:rich-text-body>`,
 			`</ac:structured-macro>`,
 		),