mirror of
https://github.com/golang/go
synced 2024-11-18 10:14:45 -07:00
9ffd9339da
Report an error if a predefined escaper (i.e. "html", "urlquery", or "js") is found in a pipeline that will be rewritten by the contextual auto-escaper, instead of trying to merge the escaper-inserted escaping directives with these predefined escapers. This merging behavior is a source of several security and correctness bugs (eee #19336, #19345, #19352, and #19353.) This merging logic was originally intended to ease migration of text/template templates with user-defined escapers to html/template. Now that migration is no longer an issue, this logic can be safely removed. NOTE: this is a backward-incompatible change that fixes known security bugs (see linked issues for more details). It will explicitly break users that attempt to execute templates with pipelines containing predefined escapers. Fixes #19336, #19345, #19352, #19353 Change-Id: I46b0ca8a2809d179c13c0d4f42b63126ed1c3b49 Reviewed-on: https://go-review.googlesource.com/37880 Run-TryBot: Russ Cox <rsc@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Russ Cox <rsc@golang.org> |
||
|---|---|---|
| .. | ||
| attr.go | ||
| clone_test.go | ||
| content_test.go | ||
| content.go | ||
| context.go | ||
| css_test.go | ||
| css.go | ||
| doc.go | ||
| error.go | ||
| escape_test.go | ||
| escape.go | ||
| example_test.go | ||
| examplefiles_test.go | ||
| html_test.go | ||
| html.go | ||
| js_test.go | ||
| js.go | ||
| template_test.go | ||
| template.go | ||
| transition_test.go | ||
| transition.go | ||
| url_test.go | ||
| url.go | ||