mirror of
https://github.com/golang/go
synced 2024-11-25 11:27:56 -07:00
encoding/json: escape & always
There are a few different places in the code that escape possibly-problematic characters like < > and &. This one was the only one missing &, so add it. This means that if you Marshal a string, you get the same answer you do if you Marshal a string and pass it through the compactor. (Ironically, the compaction makes the string longer.) Because html/template invokes json.Marshal to prepare escaped strings for JavaScript, this changes the form of some of the escaped strings, but not their meaning. R=golang-dev, bradfitz CC=golang-dev https://golang.org/cl/12708044
This commit is contained in:
parent
36f223dace
commit
080e00d55d
@ -734,7 +734,7 @@ func (e *encodeState) string(s string) (int, error) {
|
||||
start := 0
|
||||
for i := 0; i < len(s); {
|
||||
if b := s[i]; b < utf8.RuneSelf {
|
||||
if 0x20 <= b && b != '\\' && b != '"' && b != '<' && b != '>' {
|
||||
if 0x20 <= b && b != '\\' && b != '"' && b != '<' && b != '>' && b != '&' {
|
||||
i++
|
||||
continue
|
||||
}
|
||||
|
@ -123,29 +123,29 @@ func TestTypedContent(t *testing.T) {
|
||||
{
|
||||
`<script>alert({{.}})</script>`,
|
||||
[]string{
|
||||
`"\u003cb\u003e \"foo%\" O'Reilly &bar;"`,
|
||||
`"\u003cb\u003e \"foo%\" O'Reilly \u0026bar;"`,
|
||||
`"a[href =~ \"//example.com\"]#foo"`,
|
||||
`"Hello, \u003cb\u003eWorld\u003c/b\u003e &tc!"`,
|
||||
`"Hello, \u003cb\u003eWorld\u003c/b\u003e \u0026amp;tc!"`,
|
||||
`" dir=\"ltr\""`,
|
||||
// Not escaped.
|
||||
`c && alert("Hello, World!");`,
|
||||
// Escape sequence not over-escaped.
|
||||
`"Hello, World & O'Reilly\x21"`,
|
||||
`"greeting=H%69&addressee=(World)"`,
|
||||
`"greeting=H%69\u0026addressee=(World)"`,
|
||||
},
|
||||
},
|
||||
{
|
||||
`<button onclick="alert({{.}})">`,
|
||||
[]string{
|
||||
`"\u003cb\u003e \"foo%\" O'Reilly &bar;"`,
|
||||
`"\u003cb\u003e \"foo%\" O'Reilly \u0026bar;"`,
|
||||
`"a[href =~ \"//example.com\"]#foo"`,
|
||||
`"Hello, \u003cb\u003eWorld\u003c/b\u003e &amp;tc!"`,
|
||||
`"Hello, \u003cb\u003eWorld\u003c/b\u003e \u0026amp;tc!"`,
|
||||
`" dir=\"ltr\""`,
|
||||
// Not JS escaped but HTML escaped.
|
||||
`c && alert("Hello, World!");`,
|
||||
// Escape sequence not over-escaped.
|
||||
`"Hello, World & O'Reilly\x21"`,
|
||||
`"greeting=H%69&addressee=(World)"`,
|
||||
`"greeting=H%69\u0026addressee=(World)"`,
|
||||
},
|
||||
},
|
||||
{
|
||||
|
@ -538,7 +538,7 @@ func TestEscape(t *testing.T) {
|
||||
{
|
||||
"typed HTML in script",
|
||||
`<button onclick="alert({{.W}})">`,
|
||||
`<button onclick="alert("&iexcl;\u003cb class=\"foo\"\u003eHello\u003c/b\u003e, \u003ctextarea\u003eO'World\u003c/textarea\u003e!")">`,
|
||||
`<button onclick="alert("\u0026iexcl;\u003cb class=\"foo\"\u003eHello\u003c/b\u003e, \u003ctextarea\u003eO'World\u003c/textarea\u003e!")">`,
|
||||
},
|
||||
{
|
||||
"typed HTML in RCDATA",
|
||||
|
Loading…
Reference in New Issue
Block a user