mirror of https://github.com/golang/go synced 2024-11-18 14:04:45 -07:00
go/src
Samuel Tan 3a2fee0389 html/template: allow safe usage of predefined escapers in pipelines
Allow the predefined escapers "html", "urlquery", and "js" to be used
in pipelines when they have no potential to affect the correctness or
safety of the escaped pipeline output. Specifically:
- "urlquery" may be used if it is the last command in the pipeline.
- "html" may be used if it is the last command in the pipeline, and
  the pipeline does not occur in an unquoted HTML attribute value
  context.
- "js" may be used in any pipeline, since it does not affect the
  merging of contextual escapers.

This change loosens the restrictions on predefined escapers
introduced in golang.org/cl/37880, which will hopefully ease the
upgrade path for existing template users.

This change brings back the escaper-merging logic, and associated
unit tests, that were removed in golang.org/cl/37880. However, a
few notable changes have been made:
- "_html_template_nospaceescaper" is no longer considered
  equivalent to "html", since the former escapes spaces, while
  the latter does not (see #19345). This change should not silently
  break any templates, since pipelines where this substitution will
  happen will already trigger an explicit error.
- An "_eval_args_" internal directive has been added to
  handle pipelines containing a single explicit call to a
  predefined escaper, e.g. {{html .X}} (see #19353).

Also, the HTMLEscape function called by the predefined
text/template "html" function now escapes the NULL character as
well. This effectively makes it as secure as the internal
html/template HTML escapers (see #19345). While this change is
backward-incompatible, it will only affect illegitimate uses
of this escaper, since the NULL character is always illegal in
valid HTML.

Fixes #19952

Change-Id: I9b5570a80a3ea284b53901e6a1f842fc59b33d3a
Reviewed-on: https://go-review.googlesource.com/40936
Reviewed-by: Russ Cox <rsc@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
2017-05-05 18:56:31 +00:00
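A worked example of the three rules in the commit message, added here as illustration and not part of this commit or of the Go project: it runs a handful of small html/template templates and shows which pipelines are accepted, which are rejected with ErrPredefinedEscaper, that an accepted predefined escaper is merged rather than double-applied, and that text/template's HTMLEscapeString replaces the NUL byte. The helper names (render, htmlLast, urlqueryNotLast, and so on) and the sample values are constructed for this example; the escaping behaviour they exercise is that of the standard library.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"html/template"
	texttemplate "text/template"
)

// render parses src with html/template and executes it with data.
// Contextual escaping, including the predefined-escaper checks, runs on
// the first Execute, so that is where a disallowed pipeline surfaces.
func render(src string, data any) (string, error) {
	t, err := template.New("t").Parse(src)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// isPredefinedEscaperError reports whether err carries html/template's
// ErrPredefinedEscaper code, the error raised for a disallowed pipeline.
func isPredefinedEscaperError(err error) bool {
	var te *template.Error
	return errors.As(err, &te) && te.ErrorCode == template.ErrPredefinedEscaper
}

// payload is a constructed data value containing markup that must be escaped.
const payload = `<b>"hi"</b>`

// htmlLast: "html" as the last command in a text context is merged with the
// contextual HTML escaper, so the value is escaped exactly once.
func htmlLast() (string, error) {
	return render(`<p>{{.X | html}}</p>`, map[string]string{"X": payload})
}

// htmlCall: {{html .X}} is the single-call form that the change rewrites
// internally (via _eval_args_) so that it merges the same way.
func htmlCall() (string, error) {
	return render(`<p>{{html .X}}</p>`, map[string]string{"X": payload})
}

// htmlUnquotedAttr: "html" inside an unquoted attribute value is rejected,
// because the predefined "html" does not escape spaces.
func htmlUnquotedAttr() error {
	_, err := render(`<a title={{.X | html}}>x</a>`, map[string]string{"X": payload})
	return err
}

// urlqueryLast: "urlquery" as the last command inside a URL query is merged
// with the contextual URL escaper; the attribute escaper still runs after it.
func urlqueryLast() (string, error) {
	return render(`<a href="/search?q={{.Q | urlquery}}">go</a>`, map[string]string{"Q": "c&d=e"})
}

// urlqueryNotLast: a predefined escaper that is not the final command is rejected.
func urlqueryNotLast() error {
	_, err := render(`<a href="/search?q={{.Q | urlquery | printf "%s"}}">go</a>`, map[string]string{"Q": "c"})
	return err
}

// jsAnywhere: "js" may appear at any position; the contextual JS value
// escaper is still appended, so the output never contains the raw markup.
func jsAnywhere() (string, error) {
	return render(`<script>var x = {{.X | js | printf "%s"}};</script>`, map[string]string{"X": payload})
}

// nulEscape shows text/template's HTMLEscape replacing the NUL byte with
// U+FFFD, which is what makes the predefined "html" as strict as
// html/template's own HTML escapers.
func nulEscape() string {
	return texttemplate.HTMLEscapeString("a\x00b")
}

func main() {
	for _, c := range []struct {
		name string
		f    func() (string, error)
	}{
		{"html last", htmlLast},
		{"html call", htmlCall},
		{"urlquery last", urlqueryLast},
		{"js anywhere", jsAnywhere},
	} {
		out, err := c.f()
		fmt.Printf("%-14s out=%q err=%v\n", c.name, out, err)
	}
	fmt.Println("html in unquoted attr rejected:", isPredefinedEscaperError(htmlUnquotedAttr()))
	fmt.Println("urlquery not last rejected:    ", isPredefinedEscaperError(urlqueryNotLast()))
	fmt.Printf("NUL through text/template html: %q\n", nulEscape())
}
```

The rejected cases fail at Execute, not at Parse, because html/template escapes lazily on first use; code that only checks Parse errors at startup will not catch a disallowed pipeline until the template is first rendered.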
archive archive/zip: replace RWMutex with sync.Map 2017-04-29 17:21:43 +00:00
bufio
builtin
bytes bytes: clarify documentation for UnreadByte/Rune 2017-04-28 16:37:13 +00:00
cmd cmd/link: stop passing unused read_only_relocs 2017-05-05 11:35:58 +00:00
compress compress/lzw: fix hi code overflow. 2017-04-28 05:59:30 +00:00
container
context context: define behavior for Err before Done is closed 2017-04-26 15:39:18 +00:00
crypto crypto: revise wording about cryptographically broken algorithms 2017-05-04 12:31:18 +00:00
database/sql database/sql: ensure releaseConn is defined before a possible close 2017-04-28 22:55:26 +00:00
debug cmd/internal/obj: fix LSym.Type during compilation, not linking 2017-05-02 00:21:33 +00:00
encoding encoding/gob: use MakeMapWithSize when decoding map 2017-05-03 02:43:40 +00:00
errors
expvar expvar: reduce sync.Map overhead for (*Map).Set 2017-05-02 17:13:40 +00:00
flag
fmt
go go/constant: avoid generating rats for large negative exponents 2017-05-04 21:55:36 +00:00
hash
html html/template: allow safe usage of predefined escapers in pipelines 2017-05-05 18:56:31 +00:00
image image/jpeg: fix extended sequential Huffman table selector (Th). 2017-04-27 03:48:40 +00:00
index/suffixarray
internal os, net, internal/poll: return consistent error for closed socket 2017-04-26 00:03:14 +00:00
io io: correctly compute call depth in test 2017-04-18 19:56:54 +00:00
log
math math/big: improve performance for addVV/subVV for ppc64x 2017-04-25 13:15:39 +00:00
mime mime: re-accept empty encoded-text 2017-04-29 04:14:36 +00:00
net all: use time.Time.Equal instead of == in some tests 2017-05-04 15:17:13 +00:00
os os: skip TestNetworkSymbolicLink if Server service is not started 2017-04-30 07:04:30 +00:00
path os: do not report ModeDir for symlinks on windows 2017-04-26 23:17:23 +00:00
plugin plugin: resolve plugin import path issue 2017-04-26 00:54:54 +00:00
reflect reflect: use sync.Map instead of RWMutex for type caches 2017-04-27 15:34:41 +00:00
regexp regexp: speed up QuoteMeta with a lookup table 2017-04-28 06:43:14 +00:00
runtime runtime: clean redundant call of environ function 2017-05-03 10:02:26 +00:00
sort
strconv
strings
sync sync: really test DeepCopyMap 2017-04-30 14:17:36 +00:00
syscall syscall: fix typo in documentation for StringToUTF16Ptr 2017-04-28 05:28:27 +00:00
testing testing: add argument to list tests, benchmarks, and examples 2017-04-26 15:53:32 +00:00
text html/template: allow safe usage of predefined escapers in pipelines 2017-05-05 18:56:31 +00:00
time all: remove some unused parameters in test code 2017-04-25 14:38:10 +00:00
unicode
unsafe
vendor/golang_org/x vendor/golang_org/x/crypto/chacha20poly1305: revendor 2017-05-03 13:47:50 +00:00
all.bash Revert "build: fail nicely if somebody runs all.bash from a binary tarball package" 2017-04-28 21:19:32 +00:00
all.bat
all.rc
androidtest.bash
bootstrap.bash
buildall.bash
clean.bash
clean.bat build: fix clean scripts 2015-06-18 16:13:13 +00:00
clean.rc build: fix clean scripts 2015-06-18 16:13:13 +00:00
cmp.bash
iostest.bash
make.bash
make.bat
Make.dist
make.rc
naclmake.bash
nacltest.bash
race.bash
race.bat cmd/dist: make test default to --no-rebuild 2015-12-29 15:20:00 +00:00
run.bash
run.bat
run.rc