diff options
author | Tom Thorogood <me+google@tomthorogood.co.uk> | 2019-08-02 07:53:44 +0000 |
---|---|---|
committer | Dmitri Shuralyov <dmitshur@golang.org> | 2019-09-02 21:39:04 +0000 |
commit | 2e65ef623b36bd4070d0d4cc50f0bc3fc86c1c85 (patch) | |
tree | a2bcdafa651c9ef1248276bf364d9a84f54184a9 | |
parent | d7b402a49a8ef5af911d7873bdbc5f61335f1d41 (diff) | |
download | go-2e65ef623b36bd4070d0d4cc50f0bc3fc86c1c85.tar.gz go-2e65ef623b36bd4070d0d4cc50f0bc3fc86c1c85.zip |
[release-branch.go1.13] encoding/json: revert Compact HTML escaping documentation
This partly reverts CL 173417 as it incorrectly documented that Compact
performed HTML escaping and the output was safe to embed inside HTML
<script> tags. This has never been true.
Although Compact does escape U+2028 and U+2029, it doesn't escape <, >
or &. Compact is thus only performing a subset of HTML escaping and it's
output is not safe to embed inside HTML <script> tags.
A more complete fix would be for Compact to either never perform any
HTML escaping, as it was prior to CL 10883045, or to actually perform
the same HTML escaping as HTMLEscape. Neither change is likely safe
enough for go1.13.
Fixes #34006
Updates #30357
Change-Id: I912f0fe9611097d988048b28228c4a5b985080ba
GitHub-Last-Rev: aebababc9233c5705785b225377e80096d4bb8c4
GitHub-Pull-Request: golang/go#33427
Reviewed-on: https://go-review.googlesource.com/c/go/+/188717
Reviewed-by: Daniel Martà <mvdan@mvdan.cc>
Run-TryBot: Daniel Martà <mvdan@mvdan.cc>
TryBot-Result: Gobot Gobot <gobot@golang.org>
(cherry picked from commit 79669dc705aa8fcddc8f9407c568e4317d619dfe)
Reviewed-on: https://go-review.googlesource.com/c/go/+/192747
Reviewed-by: Andrew Bonventre <andybons@golang.org>
Run-TryBot: Andrew Bonventre <andybons@golang.org>
-rw-r--r-- | src/encoding/json/indent.go | 3 |
1 files changed, 0 insertions, 3 deletions
diff --git a/src/encoding/json/indent.go b/src/encoding/json/indent.go index 1b49a369e3..fba19548c9 100644 --- a/src/encoding/json/indent.go +++ b/src/encoding/json/indent.go @@ -8,9 +8,6 @@ import "bytes" // Compact appends to dst the JSON-encoded src with // insignificant space characters elided. -// Like Marshal, Compact applies HTMLEscape to any -// string literals so that the JSON will be safe to embed -// inside HTML <script> tags. func Compact(dst *bytes.Buffer, src []byte) error { return compact(dst, src, false) } |