mirror of
https://github.com/golang/go
synced 2024-11-21 20:44:39 -07:00
exp/template/html: simplify URL filtering
This removes a few cases from escapeAction and clarifies the responsibilities of urlFilter which no longer does any escaping or normalization. It is now solely a filter. R=nigeltao CC=golang-dev https://golang.org/cl/5162043
This commit is contained in:
parent
357f2cb1a3
commit
530719c06f
@ -171,7 +171,7 @@ func (e *escaper) escapeAction(c context, n *parse.ActionNode) context {
|
||||
switch c.state {
|
||||
case stateCSSDqStr, stateCSSSqStr:
|
||||
s = append(s, "exp_template_html_cssescaper")
|
||||
case stateCSSDqURL, stateCSSSqURL, stateCSSURL:
|
||||
default:
|
||||
s = append(s, "exp_template_html_urlnormalizer")
|
||||
}
|
||||
case urlPartQueryOrFrag:
|
||||
|
@ -155,7 +155,7 @@ func TestEscape(t *testing.T) {
|
||||
{
|
||||
"nonHierURL",
|
||||
`<a href={{"mailto:Muhammed \"The Greatest\" Ali <m.ali@example.com>"}}>`,
|
||||
`<a href=mailto:Muhammed "The Greatest" Ali <m.ali@example.com>>`,
|
||||
`<a href=mailto:Muhammed%20%22The%20Greatest%22%20Ali%20%3cm.ali@example.com%3e>`,
|
||||
},
|
||||
{
|
||||
"urlPath",
|
||||
@ -352,9 +352,15 @@ func TestEscape(t *testing.T) {
|
||||
},
|
||||
{
|
||||
"styleStrBadProtocolBlocked",
|
||||
`<a style="background: '{{"javascript:alert(1337)"}}'">`,
|
||||
`<a style="background: '{{"vbscript:alert(1337)"}}'">`,
|
||||
`<a style="background: '#ZgotmplZ'">`,
|
||||
},
|
||||
{
|
||||
"styleStrEncodedProtocolEncoded",
|
||||
`<a style="background: '{{"javascript\\3a alert(1337)"}}'">`,
|
||||
// The CSS string 'javascript\\3a alert(1337)' does not contains a colon.
|
||||
`<a style="background: 'javascript\\3a alert\28 1337\29 '">`,
|
||||
},
|
||||
{
|
||||
"styleURLGoodProtocolPassed",
|
||||
`<a style="background: url('{{"http://oreilly.com/O'Reilly Animals(1)<2>;{}.html"}}')">`,
|
||||
|
@ -10,15 +10,14 @@ import (
|
||||
"strings"
|
||||
)
|
||||
|
||||
// urlFilter returns the HTML equivalent of its input unless it contains an
|
||||
// unsafe protocol in which case it defangs the entire URL.
|
||||
// urlFilter returns its input unless it contains an unsafe protocol in which
|
||||
// case it defangs the entire URL.
|
||||
func urlFilter(args ...interface{}) string {
|
||||
s, t := stringify(args...)
|
||||
if t == contentTypeURL {
|
||||
return urlProcessor(true, s)
|
||||
return s
|
||||
}
|
||||
i := strings.IndexRune(s, ':')
|
||||
if i >= 0 && strings.IndexRune(s[:i], '/') < 0 {
|
||||
if i := strings.IndexRune(s, ':'); i >= 0 && strings.IndexRune(s[:i], '/') < 0 {
|
||||
protocol := strings.ToLower(s[:i])
|
||||
if protocol != "http" && protocol != "https" && protocol != "mailto" {
|
||||
return "#" + filterFailsafe
|
||||
|
Loading…
Reference in New Issue
Block a user