diff options
-rw-r--r-- | src/html/template/escape.go | 5 | ||||
-rw-r--r-- | src/html/template/escape_test.go | 15 | ||||
-rw-r--r-- | src/html/template/html.go | 3 |
3 files changed, 20 insertions, 3 deletions
diff --git a/src/html/template/escape.go b/src/html/template/escape.go index 3d4cc19b5d..bcba8db4aa 100644 --- a/src/html/template/escape.go +++ b/src/html/template/escape.go @@ -380,9 +380,8 @@ func normalizeEscFn(e string) string { // for all x. var redundantFuncs = map[string]map[string]bool{ "_html_template_commentescaper": { - "_html_template_attrescaper": true, - "_html_template_nospaceescaper": true, - "_html_template_htmlescaper": true, + "_html_template_attrescaper": true, + "_html_template_htmlescaper": true, }, "_html_template_cssescaper": { "_html_template_attrescaper": true, diff --git a/src/html/template/escape_test.go b/src/html/template/escape_test.go index 972b00b921..a1a6c1cd16 100644 --- a/src/html/template/escape_test.go +++ b/src/html/template/escape_test.go @@ -678,6 +678,21 @@ func TestEscape(t *testing.T) { `<img srcset={{",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"}}>`, `<img srcset=,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,>`, }, + { + "unquoted empty attribute value (plaintext)", + "<p name={{.U}}>", + "<p name=ZgotmplZ>", + }, + { + "unquoted empty attribute value (url)", + "<p href={{.U}}>", + "<p href=ZgotmplZ>", + }, + { + "quoted empty attribute value", + "<p name=\"{{.U}}\">", + "<p name=\"\">", + }, } for _, test := range tests { diff --git a/src/html/template/html.go b/src/html/template/html.go index 46e9d93151..6fb9237bda 100644 --- a/src/html/template/html.go +++ b/src/html/template/html.go @@ -14,6 +14,9 @@ import ( // htmlNospaceEscaper escapes for inclusion in unquoted attribute values. func htmlNospaceEscaper(args ...any) string { s, t := stringify(args...) + if s == "" { + return filterFailsafe + } if t == contentTypeHTML { return htmlReplacer(stripTags(s), htmlNospaceNormReplacementTable, false) } |