From a06f380b67a2f0d92dea08afe7843609e1497ee1 Mon Sep 17 00:00:00 2001
From: lew
Date: Fri, 10 Apr 2026 15:33:57 +0100
Subject: [PATCH 1/3] fix: label-for on form elements
---
 src/render.rs | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/src/render.rs b/src/render.rs
index 6585d3a..da98837 100644
--- a/src/render.rs
+++ b/src/render.rs
@@ -23,7 +23,7 @@ pub fn render_page(template: &str, config: &Config, entries: &[Entry], form_html
 pub fn render_form(config: &Config) -> String {
 let website_section = if config.enable_website_links {
 format!(
- "\n\n\n",
+ "\n\n\n",
 config.label_website
 )
 } else {
@@ -32,7 +32,7 @@ pub fn render_form(config: &Config) -> String {
 let captcha_section = if config.enable_captcha {
 format!(
- "\n\n\n",
+ "\n\n\n",
 config.captcha_question
 )
 } else {
@@ -176,11 +176,11 @@ pub fn render_form(config: &Config) -> String {
 format!(
 r#"{prompt}
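Review bot: `config.label_website` is handed to `format!` unescaped in the first hunk, and `config.captcha_question` the same way in the second, whereas the later patches in this series pass `entry.meta.name` and the error text through `escape_html`. Both values come from the site configuration rather than from visitors, so this is more a robustness point than an injection risk, but a label or question containing `<`, `&` or `"` would still break the form markup. I would write `escape_html(&config.label_website)` and `escape_html(&config.captcha_question)`, assuming neither field is meant to carry HTML. The markup inside the string literals is not visible on this page, and `render_form` continues outside both hunks.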
- - + + {website_section} - - + + {captcha_section} {drawing_section}{voice_note_section}
"#,
From a1ddbba66050f9d94eb4d9d5544d1160dfef8233 Mon Sep 17 00:00:00 2001
From: lew
Date: Fri, 10 Apr 2026 15:34:23 +0100
Subject: [PATCH 2/3] fix: alt-text on submitted drawings
---
 src/render.rs | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/src/render.rs b/src/render.rs
index da98837..cb02a18 100644
--- a/src/render.rs
+++ b/src/render.rs
@@ -280,8 +280,9 @@ fn render_entry(entry: &Entry, config: &Config) -> String {
 };
 let drawing_html = if !entry.meta.drawing.is_empty() {
 format!(
- "",
- escape_html(&entry.meta.drawing)
+ "\"Drawing",
+ escape_html(&entry.meta.drawing),
+ escape_html(&entry.meta.name)
 )
 } else {
 String::new()
@@ -545,7 +546,7 @@ mod tests {
 entry.meta.drawing = "2026-04-09-abc123.png".into();
 let form = render_form(&config);
 let html = render_page(DEFAULT_TEMPLATE, &config, &[entry], &form);
- assert!(html.contains(r#""#));
+ assert!(html.contains(r#"Drawing by alice"#));
 }
 #[test]
@@ -557,7 +558,7 @@ mod tests {
 let form = render_form(&config);
 let html = render_page(DEFAULT_TEMPLATE, &config, &[entry], &form);
 // Drawing renders regardless
- assert!(html.contains(r#""#));
+ assert!(html.contains(r#"Drawing by alice"#));
 // But body HTML is escaped
 assert!(html.contains("<script>"));
 }
From a33be3be6c20430d20f8e26e974c4db2960fe2b6 Mon Sep 17 00:00:00 2001
From: lew
Date: Fri, 10 Apr 2026 15:34:32 +0100
Subject: [PATCH 3/3] fix: error text is escaped
---
 src/render.rs | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/render.rs b/src/render.rs
index cb02a18..2e018ab 100644
--- a/src/render.rs
+++ b/src/render.rs
@@ -216,6 +216,7 @@ pub fn render_error_page(config: &Config, error: &str) -> String {
 } else {
 &config.style
 };
+ let error = escape_html(error);
 format!(
 r#"
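Review bot: `escape_html(&entry.meta.name)` is interpolated into the drawing's alt text, which is a quoted attribute value, so it is only safe if `escape_html` encodes `"` and `'` as well as `<`, `>` and `&`; the helper's body is not shown on this page and should be checked. Both updated assertions only use the name `alice`, so I would add a test whose entry name contains a double quote and assert that the rendered page holds the encoded form rather than the raw character. An entry with an empty name would presumably render the alt text as `Drawing by ` with nothing after it, and a fallback to plain `Drawing` may read better for screen-reader users. `render_entry` starts and ends outside the hunk.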
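Review bot: No test accompanies `let error = escape_html(error);` in `render_error_page`, unlike the drawing change earlier in the series, so a later refactor could drop the escaping unnoticed. A regression test in `mod tests` that passes an error string containing `<` and `&` and asserts the rendered page holds the encoded form, not the raw characters, would pin it. It is also worth confirming that no caller already escapes the message before passing it in, since that would now show double-encoded entities to the user; the callers are outside this hunk. A short comment above the shadowing, `// escape before interpolating into the HTML template below`, would record why the rebinding is there.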