summaryrefslogtreecommitdiff
path: root/libgo/go/html/template/escape.go
diff options
context:
space:
mode:
Diffstat (limited to 'libgo/go/html/template/escape.go')
-rw-r--r--libgo/go/html/template/escape.go110
1 files changed, 60 insertions, 50 deletions
diff --git a/libgo/go/html/template/escape.go b/libgo/go/html/template/escape.go
index 3c18340547..0e7d2be143 100644
--- a/libgo/go/html/template/escape.go
+++ b/libgo/go/html/template/escape.go
@@ -15,8 +15,8 @@ import (
// escapeTemplate rewrites the named template, which must be
// associated with t, to guarantee that the output of any of the named
-// templates is properly escaped. If no error is returned, then the named templates have
-// been modified. Otherwise the named templates have been rendered
+// templates is properly escaped. If no error is returned, then the named templates have
+// been modified. Otherwise the named templates have been rendered
// unusable.
func escapeTemplate(tmpl *Template, node parse.Node, name string) error {
e := newEscaper(tmpl)
@@ -46,30 +46,30 @@ func escapeTemplate(tmpl *Template, node parse.Node, name string) error {
// funcMap maps command names to functions that render their inputs safe.
var funcMap = template.FuncMap{
- "html_template_attrescaper": attrEscaper,
- "html_template_commentescaper": commentEscaper,
- "html_template_cssescaper": cssEscaper,
- "html_template_cssvaluefilter": cssValueFilter,
- "html_template_htmlnamefilter": htmlNameFilter,
- "html_template_htmlescaper": htmlEscaper,
- "html_template_jsregexpescaper": jsRegexpEscaper,
- "html_template_jsstrescaper": jsStrEscaper,
- "html_template_jsvalescaper": jsValEscaper,
- "html_template_nospaceescaper": htmlNospaceEscaper,
- "html_template_rcdataescaper": rcdataEscaper,
- "html_template_urlescaper": urlEscaper,
- "html_template_urlfilter": urlFilter,
- "html_template_urlnormalizer": urlNormalizer,
+ "_html_template_attrescaper": attrEscaper,
+ "_html_template_commentescaper": commentEscaper,
+ "_html_template_cssescaper": cssEscaper,
+ "_html_template_cssvaluefilter": cssValueFilter,
+ "_html_template_htmlnamefilter": htmlNameFilter,
+ "_html_template_htmlescaper": htmlEscaper,
+ "_html_template_jsregexpescaper": jsRegexpEscaper,
+ "_html_template_jsstrescaper": jsStrEscaper,
+ "_html_template_jsvalescaper": jsValEscaper,
+ "_html_template_nospaceescaper": htmlNospaceEscaper,
+ "_html_template_rcdataescaper": rcdataEscaper,
+ "_html_template_urlescaper": urlEscaper,
+ "_html_template_urlfilter": urlFilter,
+ "_html_template_urlnormalizer": urlNormalizer,
}
// equivEscapers matches contextual escapers to equivalent template builtins.
var equivEscapers = map[string]string{
- "html_template_attrescaper": "html",
- "html_template_htmlescaper": "html",
- "html_template_nospaceescaper": "html",
- "html_template_rcdataescaper": "html",
- "html_template_urlescaper": "urlquery",
- "html_template_urlnormalizer": "urlquery",
+ "_html_template_attrescaper": "html",
+ "_html_template_htmlescaper": "html",
+ "_html_template_nospaceescaper": "html",
+ "_html_template_rcdataescaper": "html",
+ "_html_template_urlescaper": "urlquery",
+ "_html_template_urlnormalizer": "urlquery",
}
// escaper collects type inferences about templates and changes needed to make
@@ -147,47 +147,47 @@ func (e *escaper) escapeAction(c context, n *parse.ActionNode) context {
case stateURL, stateCSSDqStr, stateCSSSqStr, stateCSSDqURL, stateCSSSqURL, stateCSSURL:
switch c.urlPart {
case urlPartNone:
- s = append(s, "html_template_urlfilter")
+ s = append(s, "_html_template_urlfilter")
fallthrough
case urlPartPreQuery:
switch c.state {
case stateCSSDqStr, stateCSSSqStr:
- s = append(s, "html_template_cssescaper")
+ s = append(s, "_html_template_cssescaper")
default:
- s = append(s, "html_template_urlnormalizer")
+ s = append(s, "_html_template_urlnormalizer")
}
case urlPartQueryOrFrag:
- s = append(s, "html_template_urlescaper")
+ s = append(s, "_html_template_urlescaper")
case urlPartUnknown:
return context{
state: stateError,
- err: errorf(ErrAmbigContext, n, n.Line, "%s appears in an ambiguous URL context", n),
+ err: errorf(ErrAmbigContext, n, n.Line, "%s appears in an ambiguous context within a URL", n),
}
default:
panic(c.urlPart.String())
}
case stateJS:
- s = append(s, "html_template_jsvalescaper")
+ s = append(s, "_html_template_jsvalescaper")
// A slash after a value starts a div operator.
c.jsCtx = jsCtxDivOp
case stateJSDqStr, stateJSSqStr:
- s = append(s, "html_template_jsstrescaper")
+ s = append(s, "_html_template_jsstrescaper")
case stateJSRegexp:
- s = append(s, "html_template_jsregexpescaper")
+ s = append(s, "_html_template_jsregexpescaper")
case stateCSS:
- s = append(s, "html_template_cssvaluefilter")
+ s = append(s, "_html_template_cssvaluefilter")
case stateText:
- s = append(s, "html_template_htmlescaper")
+ s = append(s, "_html_template_htmlescaper")
case stateRCDATA:
- s = append(s, "html_template_rcdataescaper")
+ s = append(s, "_html_template_rcdataescaper")
case stateAttr:
// Handled below in delim check.
case stateAttrName, stateTag:
c.state = stateAttrName
- s = append(s, "html_template_htmlnamefilter")
+ s = append(s, "_html_template_htmlnamefilter")
default:
if isComment(c.state) {
- s = append(s, "html_template_commentescaper")
+ s = append(s, "_html_template_commentescaper")
} else {
panic("unexpected state " + c.state.String())
}
@@ -196,9 +196,9 @@ func (e *escaper) escapeAction(c context, n *parse.ActionNode) context {
case delimNone:
// No extra-escaping needed for raw text content.
case delimSpaceOrTagEnd:
- s = append(s, "html_template_nospaceescaper")
+ s = append(s, "_html_template_nospaceescaper")
default:
- s = append(s, "html_template_attrescaper")
+ s = append(s, "_html_template_attrescaper")
}
e.editActionNode(n, s)
return c
@@ -276,22 +276,22 @@ func ensurePipelineContains(p *parse.PipeNode, s []string) {
// redundantFuncs[a][b] implies that funcMap[b](funcMap[a](x)) == funcMap[a](x)
// for all x.
var redundantFuncs = map[string]map[string]bool{
- "html_template_commentescaper": {
- "html_template_attrescaper": true,
- "html_template_nospaceescaper": true,
- "html_template_htmlescaper": true,
+ "_html_template_commentescaper": {
+ "_html_template_attrescaper": true,
+ "_html_template_nospaceescaper": true,
+ "_html_template_htmlescaper": true,
},
- "html_template_cssescaper": {
- "html_template_attrescaper": true,
+ "_html_template_cssescaper": {
+ "_html_template_attrescaper": true,
},
- "html_template_jsregexpescaper": {
- "html_template_attrescaper": true,
+ "_html_template_jsregexpescaper": {
+ "_html_template_attrescaper": true,
},
- "html_template_jsstrescaper": {
- "html_template_attrescaper": true,
+ "_html_template_jsstrescaper": {
+ "_html_template_attrescaper": true,
},
- "html_template_urlescaper": {
- "html_template_urlnormalizer": true,
+ "_html_template_urlescaper": {
+ "_html_template_urlnormalizer": true,
},
}
@@ -673,6 +673,8 @@ func contextAfterText(c context, s []byte) (context, int) {
return transitionFunc[c.state](c, s[:i])
}
+ // We are at the beginning of an attribute value.
+
i := bytes.IndexAny(s, delimEnds[c.delim])
if i == -1 {
i = len(s)
@@ -703,13 +705,21 @@ func contextAfterText(c context, s []byte) (context, int) {
}
return c, len(s)
}
+
+ element := c.element
+
+ // If this is a non-JS "type" attribute inside "script" tag, do not treat the contents as JS.
+ if c.state == stateAttr && c.element == elementScript && c.attr == attrScriptType && !isJSType(string(s[:i])) {
+ element = elementNone
+ }
+
if c.delim != delimSpaceOrTagEnd {
// Consume any quote.
i++
}
// On exiting an attribute, we discard all state information
// except the state and element.
- return context{state: stateTag, element: c.element}, i
+ return context{state: stateTag, element: element}, i
}
// editActionNode records a change to an action pipeline for later commit.
View Lorry Controller Status