diff options
author | Mike Samuel <mikesamuel@gmail.com> | 2011-09-18 11:55:14 -0700 |
---|---|---|
committer | Mike Samuel <mikesamuel@gmail.com> | 2011-09-18 11:55:14 -0700 |
commit | e213a0c0fcd51f43d38b9423561989ed0b9e616c (patch) | |
tree | 72f0a95d70e639cac14cbf15d069ee83e76cd4ba | |
parent | 605e57d8fee696238f3338c415043f16a7743731 (diff) | |
download | go-e213a0c0fcd51f43d38b9423561989ed0b9e616c.tar.gz go-e213a0c0fcd51f43d38b9423561989ed0b9e616c.zip |
exp/template/html: recognize whitespace at start of URLs.
HTML5 uses "Valid URL potentially surrounded by spaces" for
attrs: http://www.w3.org/TR/html5/index.html#attributes-1
<a href=" {{.}}">
should be escaped to filter out "javascript:..." as data.
R=nigeltao
CC=golang-dev
https://golang.org/cl/5027045
-rw-r--r-- | src/pkg/exp/template/html/escape_test.go | 5 | ||||
-rw-r--r-- | src/pkg/exp/template/html/transition.go | 4 |
2 files changed, 8 insertions, 1 deletions
diff --git a/src/pkg/exp/template/html/escape_test.go b/src/pkg/exp/template/html/escape_test.go index 852104bf6c..b57a202f8f 100644 --- a/src/pkg/exp/template/html/escape_test.go +++ b/src/pkg/exp/template/html/escape_test.go @@ -121,6 +121,11 @@ func TestEscape(t *testing.T) { `<a href='#ZgotmplZ'>`, }, { + "dangerousURLStart2", + `<a href=' {{"javascript:alert(%22pwned%22)"}}'>`, + `<a href=' #ZgotmplZ'>`, + }, + { "nonHierURL", `<a href={{"mailto:Muhammed \"The Greatest\" Ali <m.ali@example.com>"}}>`, `<a href=mailto:Muhammed "The Greatest" Ali <m.ali@example.com>>`, diff --git a/src/pkg/exp/template/html/transition.go b/src/pkg/exp/template/html/transition.go index 2449a50110..450dda43c4 100644 --- a/src/pkg/exp/template/html/transition.go +++ b/src/pkg/exp/template/html/transition.go @@ -169,7 +169,9 @@ func tAttr(c context, s []byte) (context, []byte) { func tURL(c context, s []byte) (context, []byte) { if bytes.IndexAny(s, "#?") >= 0 { c.urlPart = urlPartQueryOrFrag - } else if len(s) != 0 && c.urlPart == urlPartNone { + } else if len(s) != eatWhiteSpace(s, 0) && c.urlPart == urlPartNone { + // HTML5 uses "Valid URL potentially surrounded by spaces" for + // attrs: http://www.w3.org/TR/html5/index.html#attributes-1 c.urlPart = urlPartPreQuery } return c, nil |