mirror of https://github.com/golang/go synced 2024-10-04 10:21:21 -06:00
Mike Samuel ce008f8c37 exp/template/html: pre-sanitized content
Not all content is plain text.  Sometimes content comes from a trusted
source, such as another template invocation, an HTML tag whitelister,
etc.

Template authors can deal with over-escaping in two ways.

1) They can encapsulate known-safe content via
   type HTML, type CSS, type URL, and friends in content.go.
2) If they know that a particular action never needs escaping
   then they can add |noescape to the pipeline.
   {{.KnownSafeContent | noescape}}
   which will prevent any escaping directives from being added.

This CL defines string type aliases: HTML, CSS, JS, URI, ...
It then modifies stringify to unpack the content type.
Finally it modifies the escaping functions to use the content type and
decline to escape content that does not require it.

There are minor changes to escapeAction and helpers to treat as
equivalent explicit escaping directives such as "html" and "urlquery"
and the escaping directives defined in the contextual autoescape module
and to recognize the special "noescape" directive.

The html escaping functions are rearranged.  Instead of having one
escaping function used in each {{.}} in

    {{.}} : <textarea title="{{.}}">{{.}}</textarea>

a slightly different escaping function is used for each.
When {{.}} binds to a pre-sanitized string of HTML

    `one < <i>two</i> &amp; two < "3"`

we produce something like

     one < <i>two</i> &amp; two < "3" :
     <textarea title="one &lt; two &amp; two &lt; &#34;3&#34;">
       one &lt; &lt;i&gt;two&lt;/i&gt; &amp; two &lt; "3"
     </textarea>

Although escaping is not required in <textarea> normally, if the
substring </textarea> is injected, then it breaks, so we normalize
special characters in RCDATA and do the same to preserve attribute
boundaries.  We also strip tags since developers never intend
typed HTML injected in an attribute to contain tags escaped, but
do occasionally confuse pre-escaped HTML with HTML from a
tag-whitelister.

R=golang-dev, nigeltao
CC=golang-dev
https://golang.org/cl/4962067
2011-09-15 08:51:55 -07:00
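As an added example, not code from this CL or from the Go project: the template from the commit message, rendered with today's html/template package (the successor of exp/template/html; it no longer has the noescape directive, so only the typed-content path is shown). The sample value is rendered once as template.HTML and once as an untyped string, so the three contexts can be compared. The helpers Render, RenderTyped, RenderPlain and SplitParts and the constant names are this example's own.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"strings"
)

// The template from the commit message: one value interpolated in text
// context, inside a double-quoted attribute, and inside <textarea> RCDATA.
const tmplSrc = `{{.}} : <textarea title="{{.}}">{{.}}</textarea>`

// Sample is the pre-sanitized HTML fragment from the commit message,
// constructed here as the example's input.
const Sample = `one < <i>two</i> &amp; two < "3"`

// Render parses tmplSrc with html/template and executes it with data.
// html/template inserts a context-specific escaper at each {{.}}.
func Render(data any) (string, error) {
	t, err := template.New("demo").Parse(tmplSrc)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// RenderTyped marks Sample as trusted, pre-sanitized HTML. The text-context
// escaper passes it through unchanged; the attribute and RCDATA escapers
// still normalize it (tags stripped in the attribute, <, > and quotes
// encoded) so the value cannot break out of its context.
func RenderTyped() (string, error) { return Render(template.HTML(Sample)) }

// RenderPlain renders the same bytes as an untyped string, which is escaped
// in every context, including the "&amp;" -> "&amp;amp;" over-escaping that
// typed content is meant to avoid.
func RenderPlain() (string, error) { return Render(Sample) }

// SplitParts slices a rendering of tmplSrc into its three interpolations so
// each context's escaping can be inspected separately (example-only helper).
func SplitParts(out string) (text, title, body string) {
	const sep = ` : <textarea title="`
	i := strings.Index(out, sep)
	if i < 0 {
		return out, "", ""
	}
	text, rest := out[:i], out[i+len(sep):]
	j := strings.Index(rest, `">`)
	if j < 0 {
		return text, rest, ""
	}
	title = rest[:j]
	body = strings.TrimSuffix(rest[j+2:], "</textarea>")
	return text, title, body
}

func main() {
	for _, r := range []struct {
		name string
		fn   func() (string, error)
	}{{"template.HTML", RenderTyped}, {"string", RenderPlain}} {
		out, err := r.fn()
		if err != nil {
			fmt.Println(r.name, "error:", err)
			continue
		}
		text, title, body := SplitParts(out)
		fmt.Printf("%s:\n  text:  %s\n  title: %s\n  body:  %s\n", r.name, text, title, body)
	}
}
```

The typed rendering reproduces the shape in the commit message: the fragment appears verbatim in text context, the title attribute has its tags stripped and its special characters normalized without double-encoding the existing `&amp;`, and the textarea body has every `<` encoded so a `</textarea>` in the value could not close the element. The untyped rendering shows why the content types exist: the same bytes come back fully escaped, `&amp;amp;` included.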