exp/template/html: recognize whitespace at start of URLs.
HTML5 uses "Valid URL potentially surrounded by spaces" for attrs: http://www.w3.org/TR/html5/index.html#attributes-1. <a href=" {{.}}"> should be escaped so that "javascript:..." is filtered out as data. R=nigeltao CC=golang-dev https://golang.org/cl/5027045
This commit is contained in:
parent
605e57d8fe
commit
e213a0c0fc
@ -120,6 +120,11 @@ func TestEscape(t *testing.T) {
|
|||||||
`<a href='{{"javascript:alert(%22pwned%22)"}}'>`,
|
`<a href='{{"javascript:alert(%22pwned%22)"}}'>`,
|
||||||
`<a href='#ZgotmplZ'>`,
|
`<a href='#ZgotmplZ'>`,
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
"dangerousURLStart2",
|
||||||
|
`<a href=' {{"javascript:alert(%22pwned%22)"}}'>`,
|
||||||
|
`<a href=' #ZgotmplZ'>`,
|
||||||
|
},
|
||||||
{
|
{
|
||||||
"nonHierURL",
|
"nonHierURL",
|
||||||
`<a href={{"mailto:Muhammed \"The Greatest\" Ali <m.ali@example.com>"}}>`,
|
`<a href={{"mailto:Muhammed \"The Greatest\" Ali <m.ali@example.com>"}}>`,
|
||||||
|
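Review bot: The new dangerousURLStart2 case, `<a href=' {{"javascript:alert(%22pwned%22)"}}'>` expecting `<a href=' #ZgotmplZ'>`, exercises only a single ASCII space before the action, while the HTML5 rule the commit cites also allows tab, LF, FF and CR. A sibling case whose attribute value starts with a tab or newline (written as an interpreted string literal, since the table's raw strings cannot carry escapes) would pin those classes too. eatWhiteSpace is defined outside this hunk, so which bytes it skips cannot be confirmed here; if it skipped only ' ', the added case would pass while a tab-prefixed href would still enter the filter with urlPart already set to urlPartPreQuery, i.e. the pre-fix behaviour. A double-quoted variant would additionally cover the other attribute-quoting path.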
@ -169,7 +169,9 @@ func tAttr(c context, s []byte) (context, []byte) {
|
|||||||
func tURL(c context, s []byte) (context, []byte) {
|
func tURL(c context, s []byte) (context, []byte) {
|
||||||
if bytes.IndexAny(s, "#?") >= 0 {
|
if bytes.IndexAny(s, "#?") >= 0 {
|
||||||
c.urlPart = urlPartQueryOrFrag
|
c.urlPart = urlPartQueryOrFrag
|
||||||
} else if len(s) != 0 && c.urlPart == urlPartNone {
|
} else if len(s) != eatWhiteSpace(s, 0) && c.urlPart == urlPartNone {
|
||||||
|
// HTML5 uses "Valid URL potentially surrounded by spaces" for
|
||||||
|
// attrs: http://www.w3.org/TR/html5/index.html#attributes-1
|
||||||
c.urlPart = urlPartPreQuery
|
c.urlPart = urlPartPreQuery
|
||||||
}
|
}
|
||||||
return c, nil
|
return c, nil
|
||||||
|
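Review bot: In the new condition `} else if len(s) != eatWhiteSpace(s, 0) && c.urlPart == urlPartNone {`, eatWhiteSpace scans the whole prefix before the cheap state check; writing it as `c.urlPart == urlPartNone && len(s) != eatWhiteSpace(s, 0)` short-circuits once the URL has already started. The added comment gives the spec reference but not what the comparison means; a line such as `// A prefix that is only whitespace has not started the URL, so the next action is still the URL start and must be filtered.` would make the guard readable without following the link. eatWhiteSpace is defined outside this hunk, so whether its whitespace set matches HTML's (space, tab, LF, FF, CR) rather than a Unicode-based one cannot be checked here, and that decides whether a tab- or newline-prefixed href is covered by this fix. The closing brace of tURL lies past the end of the hunk.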