From 5aa7504bb2269d913783dd213a7bdcf45d910d2a Mon Sep 17 00:00:00 2001 From: houseme Date: Sun, 1 Dec 2024 23:43:44 +0800 Subject: [PATCH] fix(util/gpage): code scanning alert no. 9: Potentially unsafe quoting (#3992) --- .github/workflows/golangci-lint.yml | 17 ++++------------- util/gpage/gpage.go | 5 +++-- 2 files changed, 7 insertions(+), 15 deletions(-) diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml index 42f1cc6eb..0aa08c049 100644 --- a/.github/workflows/golangci-lint.yml +++ b/.github/workflows/golangci-lint.yml @@ -1,17 +1,8 @@ -# Tencent is pleased to support the open source community by making Polaris available. +# Copyright GoFrame Author(https://goframe.org). All Rights Reserved. # -# Copyright (C) 2019 THL A29 Limited, a Tencent company. All rights reserved. -# -# Licensed under the BSD 3-Clause License (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://opensource.org/licenses/BSD-3-Clause -# -# Unless required by applicable law or agreed to in writing, software distributed -# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR -# CONDITIONS OF ANY KIND, either express or implied. See the License for the -# specific language governing permissions and limitations under the License. +# This Source Code Form is subject to the terms of the MIT License. +# If a copy of the MIT was not distributed with this file, +# You can obtain one at https://github.com/gogf/gf. name: GolangCI-Lint on: diff --git a/util/gpage/gpage.go b/util/gpage/gpage.go index 1570ff1e2..afdb3e650 100644 --- a/util/gpage/gpage.go +++ b/util/gpage/gpage.go @@ -9,6 +9,7 @@ package gpage import ( "fmt" + "html" "math" "github.com/gogf/gf/v2/text/gstr" 
@@ -215,12 +216,12 @@ func (p *Page) GetLink(page int, text, title string) string {
 if len(p.AjaxActionName) > 0 {
 return fmt.Sprintf(
 `%s`,
- p.LinkStyle, p.AjaxActionName, p.GetUrl(page), title, text,
+ p.LinkStyle, p.AjaxActionName, p.GetUrl(page), html.EscapeString(title), text,
 )
 } else {
 return fmt.Sprintf(
 `%s`,
- p.LinkStyle, p.GetUrl(page), title, text,
+ p.LinkStyle, p.GetUrl(page), html.EscapeString(title), text,
 )
 }
 }
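Review bot: Only `title` is escaped here; `p.GetUrl(page)`, `p.LinkStyle`, `p.AjaxActionName` and `text` still reach both `fmt.Sprintf` calls raw, so the quoting alert is addressed for one argument only. The format string's markup is not visible on this page, but if these values land in attribute positions the plain-link branch should read `html.EscapeString(p.LinkStyle), html.EscapeString(p.GetUrl(page)), html.EscapeString(title), text,`. In the Ajax branch the URL appears to be handed to a script call as a string argument, where HTML escaping alone is not enough because the attribute is entity-decoded before the script runs; there it would need `html.EscapeString(template.JSEscapeString(p.GetUrl(page)))` with `html/template` imported. `text` is presumably left raw so callers can pass markup as the link body, and a doc comment on `GetLink` such as `// text is written as HTML without escaping; callers must escape untrusted values.` would make that contract explicit. The signature of `GetLink` appears only in the hunk header, so the start of the function lies outside the hunk.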