1
0
mirror of https://github.com/golang/go synced 2024-11-21 21:54:40 -07:00

exp/template/html: recognize whitespace at start of URLs.

HTML5 uses "Valid URL potentially surrounded by spaces" for
attrs: http://www.w3.org/TR/html5/index.html#attributes-1

    <a href=" {{.}}">

should be escaped to filter out "javascript:..." as data.

R=nigeltao
CC=golang-dev
https://golang.org/cl/5027045
This commit is contained in:
Mike Samuel 2011-09-18 11:55:14 -07:00
parent 605e57d8fe
commit e213a0c0fc
2 changed files with 8 additions and 1 deletions

View File

@ -120,6 +120,11 @@ func TestEscape(t *testing.T) {
`<a href='{{"javascript:alert(%22pwned%22)"}}'>`,
`<a href='#ZgotmplZ'>`,
},
{
"dangerousURLStart2",
`<a href=' {{"javascript:alert(%22pwned%22)"}}'>`,
`<a href=' #ZgotmplZ'>`,
},
{
"nonHierURL",
`<a href={{"mailto:Muhammed \"The Greatest\" Ali <m.ali@example.com>"}}>`,

View File

@ -169,7 +169,9 @@ func tAttr(c context, s []byte) (context, []byte) {
func tURL(c context, s []byte) (context, []byte) {
if bytes.IndexAny(s, "#?") >= 0 {
c.urlPart = urlPartQueryOrFrag
} else if len(s) != 0 && c.urlPart == urlPartNone {
} else if len(s) != eatWhiteSpace(s, 0) && c.urlPart == urlPartNone {
// HTML5 uses "Valid URL potentially surrounded by spaces" for
// attrs: http://www.w3.org/TR/html5/index.html#attributes-1
c.urlPart = urlPartPreQuery
}
return c, nil