From e213a0c0fcd51f43d38b9423561989ed0b9e616c Mon Sep 17 00:00:00 2001
From: Mike Samuel <mikesamuel@gmail.com>
Date: Sun, 18 Sep 2011 11:55:14 -0700
Subject: [PATCH] exp/template/html: recognize whitespace at start of URLs.

HTML5 uses "Valid URL potentially surrounded by spaces" for
attrs: http://www.w3.org/TR/html5/index.html#attributes-1

    <a href=" {{.}}">

should be escaped to filter out "javascript:..." as data.

R=nigeltao
CC=golang-dev
https://golang.org/cl/5027045
---
 src/pkg/exp/template/html/escape_test.go | 5 +++++
 src/pkg/exp/template/html/transition.go  | 4 +++-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/pkg/exp/template/html/escape_test.go b/src/pkg/exp/template/html/escape_test.go
index 852104bf6c2..b57a202f8fc 100644
--- a/src/pkg/exp/template/html/escape_test.go
+++ b/src/pkg/exp/template/html/escape_test.go
@@ -120,6 +120,11 @@ func TestEscape(t *testing.T) {
 			`<a href='{{"javascript:alert(%22pwned%22)"}}'>`,
 			`<a href='#ZgotmplZ'>`,
 		},
+		{
+			"dangerousURLStart2",
+			`<a href='  {{"javascript:alert(%22pwned%22)"}}'>`,
+			`<a href='  #ZgotmplZ'>`,
+		},
 		{
 			"nonHierURL",
 			`<a href={{"mailto:Muhammed \"The Greatest\" Ali <m.ali@example.com>"}}>`,
diff --git a/src/pkg/exp/template/html/transition.go b/src/pkg/exp/template/html/transition.go
index 2449a501108..450dda43c42 100644
--- a/src/pkg/exp/template/html/transition.go
+++ b/src/pkg/exp/template/html/transition.go
@@ -169,7 +169,9 @@ func tAttr(c context, s []byte) (context, []byte) {
 func tURL(c context, s []byte) (context, []byte) {
 	if bytes.IndexAny(s, "#?") >= 0 {
 		c.urlPart = urlPartQueryOrFrag
-	} else if len(s) != 0 && c.urlPart == urlPartNone {
+	} else if len(s) != eatWhiteSpace(s, 0) && c.urlPart == urlPartNone {
+		// HTML5 uses "Valid URL potentially surrounded by spaces" for
+		// attrs: http://www.w3.org/TR/html5/index.html#attributes-1
 		c.urlPart = urlPartPreQuery
 	}
 	return c, nil