qbit/go
1
0
Fork 0
mirror of https://github.com/golang/go synced 2024-11-12 07:40:23 -07:00
Code Releases Activity

exp/template/html: simplify URL filtering

Browse Source 
This removes a few cases from escapeAction and clarifies the
responsibilities of urlFilter which no longer does any
escaping or normalization.  It is now solely a filter.

R=nigeltao
CC=golang-dev
https://golang.org/cl/5162043
This commit is contained in:
Mike Samuel 2011-09-29 18:09:11 -07:00
parent 357f2cb1a3
commit 530719c06f
3 changed files with 13 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/pkg/exp/template/html/escape.go
View File

@ -171,7 +171,7 @@ func (e *escaper) escapeAction(c context, n *parse.ActionNode) context {
switch c.state { switch c.state {
case stateCSSDqStr, stateCSSSqStr: case stateCSSDqStr, stateCSSSqStr:
s = append(s, "exp_template_html_cssescaper") s = append(s, "exp_template_html_cssescaper")
case stateCSSDqURL, stateCSSSqURL, stateCSSURL: default:
s = append(s, "exp_template_html_urlnormalizer") s = append(s, "exp_template_html_urlnormalizer")
} }
case urlPartQueryOrFrag: case urlPartQueryOrFrag:

10
src/pkg/exp/template/html/escape_test.go
View File

@ -155,7 +155,7 @@ func TestEscape(t *testing.T) {
{ {
"nonHierURL", "nonHierURL",
`<a href={{"mailto:Muhammed \"The Greatest\" Ali <m.ali@example.com>"}}>`, `<a href={{"mailto:Muhammed \"The Greatest\" Ali <m.ali@example.com>"}}>`,
`<a href=mailto:Muhammed&#32;&#34;The&#32;Greatest&#34;&#32;Ali&#32;&lt;m.ali@example.com&gt;>`, `<a href=mailto:Muhammed%20%22The%20Greatest%22%20Ali%20%3cm.ali@example.com%3e>`,
}, },
{ {
"urlPath", "urlPath",
@ -352,9 +352,15 @@ func TestEscape(t *testing.T) {
}, },
{ {
"styleStrBadProtocolBlocked", "styleStrBadProtocolBlocked",
`<a style="background: '{{"javascript:alert(1337)"}}'">`, `<a style="background: '{{"vbscript:alert(1337)"}}'">`,
`<a style="background: '#ZgotmplZ'">`, `<a style="background: '#ZgotmplZ'">`,
}, },
{
"styleStrEncodedProtocolEncoded",
`<a style="background: '{{"javascript\\3a alert(1337)"}}'">`,
// The CSS string 'javascript\\3a alert(1337)' does not contains a colon.
`<a style="background: 'javascript\\3a alert\28 1337\29 '">`,
},
{ {
"styleURLGoodProtocolPassed", "styleURLGoodProtocolPassed",
`<a style="background: url('{{"http://oreilly.com/O'Reilly Animals(1)<2>;{}.html"}}')">`, `<a style="background: url('{{"http://oreilly.com/O'Reilly Animals(1)<2>;{}.html"}}')">`,

9
src/pkg/exp/template/html/url.go
View File

@ -10,15 +10,14 @@ import (
"strings" "strings"
) )
// urlFilter returns the HTML equivalent of its input unless it contains an // urlFilter returns its input unless it contains an unsafe protocol in which
// unsafe protocol in which case it defangs the entire URL. // case it defangs the entire URL.
func urlFilter(args ...interface{}) string { func urlFilter(args ...interface{}) string {
s, t := stringify(args...) s, t := stringify(args...)
if t == contentTypeURL { if t == contentTypeURL {
return urlProcessor(true, s) return s
} }
i := strings.IndexRune(s, ':') if i := strings.IndexRune(s, ':'); i >= 0 && strings.IndexRune(s[:i], '/') < 0 {
if i >= 0 && strings.IndexRune(s[:i], '/') < 0 {
protocol := strings.ToLower(s[:i]) protocol := strings.ToLower(s[:i])
if protocol != "http" && protocol != "https" && protocol != "mailto" { if protocol != "http" && protocol != "https" && protocol != "mailto" {
return "#" + filterFailsafe return "#" + filterFailsafe