exp/template/html: don't normalize '<' in doctypes.
The normalization that prevents element name and comment injection in <{{.}} by converting it to &lt;{{.}} breaks <!DOCTYPE html>. Instead of splitting states to have a start of document state and a text state, I whitelist <!DOCTYPE. R=nigeltao CC=golang-dev https://golang.org/cl/5131051
parent
9aae6482f4
commit
582bb30466
@ -549,6 +549,8 @@ var delimEnds = [...]string{
|
||||
delimSpaceOrTagEnd: " \t\n\f\r>",
|
||||
}
|
||||
|
||||
var doctypeBytes = []byte("<!DOCTYPE")
|
||||
|
||||
// escapeText escapes a text template node.
|
||||
func (e *escaper) escapeText(c context, n *parse.TextNode) context {
|
||||
s, written, i, b := n.Text, 0, 0, new(bytes.Buffer)
|
||||
@ -566,7 +568,7 @@ func (e *escaper) escapeText(c context, n *parse.TextNode) context {
|
||||
}
|
||||
}
|
||||
for j := i; j < end; j++ {
|
||||
if s[j] == '<' {
|
||||
if s[j] == '<' && !bytes.HasPrefix(s[j:], doctypeBytes) {
|
||||
b.Write(s[written:j])
|
||||
b.WriteString("<")
|
||||
written = j + 1
|
||||
|
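Review bot: The new exemption in the `for j := i; j < end; j++` loop compares against `doctypeBytes` with a case-sensitive `bytes.HasPrefix`, but HTML accepts the doctype keyword in any case, so a template that starts with `<!doctype html>` still has its `<` normalized and loses its doctype. The mismatch fails closed, so this is a correctness gap rather than an injection path, and a case-insensitive comparison over the first `len(doctypeBytes)` bytes would close it, for example `!bytes.HasPrefix(bytes.ToUpper(s[j:]), doctypeBytes)` with the slice bounded first so the whole tail is not copied. Because the exemption applies at any position in text rather than only at the start of the document, I would also add a comment on `doctypeBytes` such as `// doctypeBytes is exempt from '<' normalization; it only ever matches literal template text, never data.` The body of escapeText starts and continues outside these hunks, so the bounds of `s[j:]` relative to `end` could not be checked from here.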
@ -420,6 +420,16 @@ func TestEscape(t *testing.T) {
|
||||
"a<<!-- --><!-- -->b",
|
||||
"a<b",
|
||||
},
|
||||
{
|
||||
"HTML doctype not normalized",
|
||||
"<!DOCTYPE html>Hello, World!",
|
||||
"<!DOCTYPE html>Hello, World!",
|
||||
},
|
||||
{
|
||||
"No doctype injection",
|
||||
`<!{{"DOCTYPE"}}`,
|
||||
"<!DOCTYPE",
|
||||
},
|
||||
{
|
||||
"Split HTML comment",
|
||||
"<b>Hello, <!-- name of {{if .T}}city -->{{.C}}{{else}}world -->{{.W}}{{end}}</b>",
|
||||
|
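Review bot: The two added cases pin the literal doctype and a keyword supplied by an action after a literal `<!`, but nothing pins the edges of the new whitelist. I would add a case where the entire `<!DOCTYPE html>` string arrives as a data value and is expected to come out entity-escaped, so a later refactor cannot let the exemption reach interpolated values. I would also add a case with a literal `<!DOCTYPE` in the middle of a text node, to record that the exemption is intentionally not limited to the start of the document. A lowercase `<!doctype html>` case would document the current case-sensitive behaviour either way.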