
exp/template/html: don't normalize '<' in doctypes.

The normalization that prevents element name and comment injection in
  <{{.}}
by converting it to
  &lt;{{.}}
breaks
  <!DOCTYPE html>

Instead of splitting states to have a start of document state and a text
state, I whitelist <!DOCTYPE.

R=nigeltao
CC=golang-dev
https://golang.org/cl/5131051
Mike Samuel 2011-09-28 13:32:56 -07:00
parent 9aae6482f4
commit 582bb30466
2 changed files with 13 additions and 1 deletions


@ -549,6 +549,8 @@ var delimEnds = [...]string{
delimSpaceOrTagEnd: " \t\n\f\r>",
}
var doctypeBytes = []byte("<!DOCTYPE")
// escapeText escapes a text template node.
func (e *escaper) escapeText(c context, n *parse.TextNode) context {
s, written, i, b := n.Text, 0, 0, new(bytes.Buffer)
@ -566,7 +568,7 @@ func (e *escaper) escapeText(c context, n *parse.TextNode) context {
}
}
for j := i; j < end; j++ {
if s[j] == '<' {
if s[j] == '<' && !bytes.HasPrefix(s[j:], doctypeBytes) {
b.Write(s[written:j])
b.WriteString("&lt;")
written = j + 1
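Review bot: The exemption added to the `s[j] == '<'` test in escapeText matches `doctypeBytes` with `bytes.HasPrefix`, which is case-sensitive, so a template that opens with the equally valid `<!doctype html>` is still rewritten to `&lt;!doctype html>` and shows up as visible text. A bounded case-insensitive comparison keeps the exemption as narrow as it is now: `if s[j] == '<' && !(len(s)-j >= len(doctypeBytes) && bytes.EqualFold(s[j:j+len(doctypeBytes)], doctypeBytes)) {`. The cases added to TestEscape use only the upper-case spelling, so a lower-case case there would pin whichever behaviour is intended. The declaration would also benefit from a comment such as `// doctypeBytes is the only literal prefix escapeText leaves unnormalized after '<'.` so the next reader sees that this is a deliberate hole in the `<` normalization. escapeText begins in the first hunk and its body continues past the end of the second.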


@ -420,6 +420,16 @@ func TestEscape(t *testing.T) {
"a<<!-- --><!-- -->b",
"a&lt;b",
},
{
"HTML doctype not normalized",
"<!DOCTYPE html>Hello, World!",
"<!DOCTYPE html>Hello, World!",
},
{
"No doctype injection",
`<!{{"DOCTYPE"}}`,
"&lt;!DOCTYPE",
},
{
"Split HTML comment",
"<b>Hello, <!-- name of {{if .T}}city -->{{.C}}{{else}}world -->{{.W}}{{end}}</b>",