qbit/go
1
0
Fork 0
mirror of https://github.com/golang/go synced 2024-11-18 10:34:51 -07:00
Code Releases Activity
94e9a5e19b
go/src/html/template
History
Roberto Clapis 94e9a5e19b text/template: harden JSEscape to also escape ampersand and equal 
Ampersand and equal are not dangerous in a JS/JSString context
but they might cause issues if interpolated in HTML attributes.

This change makes it harder to introduce XSS by misusing
escaping.

Thanks to t1ddl3r <t1ddl3r@gmail.com> for reporting this common
misuse scenario.

Fixes #35665

Change-Id: Ice6416477bba4cb2ba2fe2cfdc20e027957255c0
Reviewed-on: https://go-review.googlesource.com/c/go/+/207637
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Mike Samuel <mikesamuel@gmail.com>
Reviewed-by: Andrew Bonventre <andybons@golang.org>
Reviewed-by: Daniel Martí <mvdan@mvdan.cc>
2019-11-21 22:20:17 +00:00
..
attr_string.go all: add more uses of stringer 2018-02-19 21:33:14 +00:00
attr.go all: update comment URLs from HTTP to HTTPS, where possible 2018-06-01 21:52:00 +00:00
clone_test.go text/template: copy Decl field when copying PipeNode 2018-04-10 14:26:58 +00:00
content_test.go html/template: ignore untyped nil arguments to default escapers 2018-07-09 21:54:35 +00:00
content.go html/template: ignore untyped nil arguments to default escapers 2018-07-09 21:54:35 +00:00
context.go html/template: handle nil Error values in context.String 2019-06-17 19:12:05 +00:00
css_test.go
css.go html/template: use strings.Builder 2019-02-26 20:12:09 +00:00
delim_string.go html/template: make more use of stringer 2018-02-20 15:44:01 +00:00
doc.go html/template: document handling of namespaced and data- attributes 2019-09-27 17:59:33 +00:00
element_string.go html/template: make more use of stringer 2018-02-20 15:44:01 +00:00
error.go
escape_test.go html/template: prevent test from failing with nil pointer dereference 2019-03-02 01:53:40 +00:00
escape.go text/template/parse: undo breaking API changes 2018-06-22 08:05:11 +00:00
example_test.go text/template: harden JSEscape to also escape ampersand and equal 2019-11-21 22:20:17 +00:00
examplefiles_test.go
html_test.go
html.go html/template: use strings.Builder 2019-02-26 20:12:09 +00:00
js_test.go html/template: add support for JavaScript modules 2019-05-06 17:06:16 +00:00
js.go html/template: micro optimization for isJSType 2019-08-27 17:41:33 +00:00
jsctx_string.go html/template: make more use of stringer 2018-02-20 15:44:01 +00:00
state_string.go html/template: make more use of stringer 2018-02-20 15:44:01 +00:00
template_test.go text/template: accept new number syntax 2019-02-26 05:18:38 +00:00
template.go html/template, text/template: document glob semantics 2019-06-17 21:53:49 +00:00
transition_test.go
transition.go all: update comment URLs from HTTP to HTTPS, where possible 2018-06-01 21:52:00 +00:00
url_test.go html/template: add srcset content type 2017-12-14 19:54:38 +00:00
url.go all: use "reports whether" consistently in the few places that didn't 2018-11-02 22:47:58 +00:00
urlpart_string.go html/template: make more use of stringer 2018-02-20 15:44:01 +00:00