diff options
author | Tim Cooper <tim.cooper@layeh.com> | 2018-06-01 17:29:59 -0300 |
---|---|---|
committer | Ian Lance Taylor <iant@golang.org> | 2018-06-01 21:52:00 +0000 |
commit | 161874da2ab6d5372043a1f3938a81a19d1165ad (patch) | |
tree | 6662b46b3a1216501e2d37d71f3521e049e87b79 /src/html | |
parent | 7cb1810fe8117d4c5112ecea7a65f28f03009ef7 (diff) | |
download | go-161874da2ab6d5372043a1f3938a81a19d1165ad.tar.gz go-161874da2ab6d5372043a1f3938a81a19d1165ad.zip |
all: update comment URLs from HTTP to HTTPS, where possible
Each URL was manually verified to ensure it did not serve up incorrect
content.
Change-Id: I4dc846227af95a73ee9a3074d0c379ff0fa955df
Reviewed-on: https://go-review.googlesource.com/115798
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Run-TryBot: Ian Lance Taylor <iant@golang.org>
Diffstat (limited to 'src/html')
-rw-r--r-- | src/html/template/attr.go | 8 | ||||
-rw-r--r-- | src/html/template/content.go | 4 | ||||
-rw-r--r-- | src/html/template/context.go | 4 | ||||
-rw-r--r-- | src/html/template/css.go | 12 | ||||
-rw-r--r-- | src/html/template/escape.go | 4 | ||||
-rw-r--r-- | src/html/template/html.go | 4 | ||||
-rw-r--r-- | src/html/template/js.go | 2 | ||||
-rw-r--r-- | src/html/template/js_test.go | 4 | ||||
-rw-r--r-- | src/html/template/transition.go | 6 |
9 files changed, 24 insertions, 24 deletions
diff --git a/src/html/template/attr.go b/src/html/template/attr.go index 92d2789e80..22922e6038 100644 --- a/src/html/template/attr.go +++ b/src/html/template/attr.go @@ -13,9 +13,9 @@ import ( // other content, or affects the contents, idempotency, or credentials of a // network message, then the value in this map is contentTypeUnsafe. // This map is derived from HTML5, specifically -// http://www.w3.org/TR/html5/Overview.html#attributes-1 +// https://www.w3.org/TR/html5/Overview.html#attributes-1 // as well as "%URI"-typed attributes from -// http://www.w3.org/TR/html4/index/attributes.html +// https://www.w3.org/TR/html4/index/attributes.html var attrTypeMap = map[string]contentType{ "accept": contentTypePlain, "accept-charset": contentTypeUnsafe, @@ -90,7 +90,7 @@ var attrTypeMap = map[string]contentType{ "name": contentTypePlain, "novalidate": contentTypeUnsafe, // Skip handler names from - // http://www.w3.org/TR/html5/webappapis.html#event-handlers-on-elements,-document-objects,-and-window-objects + // https://www.w3.org/TR/html5/webappapis.html#event-handlers-on-elements,-document-objects,-and-window-objects // since we have special handling in attrType. "open": contentTypePlain, "optimum": contentTypePlain, @@ -160,7 +160,7 @@ func attrType(name string) contentType { // Heuristics to prevent "javascript:..." injection in custom // data attributes and custom attributes like g:tweetUrl. - // http://www.w3.org/TR/html5/dom.html#embedding-custom-non-visible-data-with-the-data-*-attributes + // https://www.w3.org/TR/html5/dom.html#embedding-custom-non-visible-data-with-the-data-*-attributes // "Custom data attributes are intended to store custom data // private to the page or application, for which there are no // more appropriate attributes or elements." diff --git a/src/html/template/content.go b/src/html/template/content.go index e7cdedc3b6..4aadf64df2 100644 --- a/src/html/template/content.go +++ b/src/html/template/content.go @@ -16,7 +16,7 @@ type ( // 2. The CSS3 rule production, such as `a[href=~"https:"].foo#bar`. // 3. CSS3 declaration productions, such as `color: red; margin: 2px`. // 4. The CSS3 value production, such as `rgba(0, 0, 255, 127)`. - // See http://www.w3.org/TR/css3-syntax/#parsing and + // See https://www.w3.org/TR/css3-syntax/#parsing and // https://web.archive.org/web/20090211114933/http://w3.org/TR/css3-syntax#style // // Use of this type presents a security risk: @@ -85,7 +85,7 @@ type ( URL string // Srcset encapsulates a known safe srcset attribute - // (see http://w3c.github.io/html/semantics-embedded-content.html#element-attrdef-img-srcset). + // (see https://w3c.github.io/html/semantics-embedded-content.html#element-attrdef-img-srcset). // // Use of this type presents a security risk: // the encapsulated content should come from a trusted source, diff --git a/src/html/template/context.go b/src/html/template/context.go index fdbf7e25ee..45be3a6a9f 100644 --- a/src/html/template/context.go +++ b/src/html/template/context.go @@ -13,7 +13,7 @@ import ( // // The zero value of type context is the start context for a template that // produces an HTML fragment as defined at -// http://www.w3.org/TR/html5/syntax.html#the-end +// https://www.w3.org/TR/html5/syntax.html#the-end // where the context element is null. type context struct { state state @@ -98,7 +98,7 @@ const ( // stateHTMLCmt occurs inside an <!-- HTML comment -->. stateHTMLCmt // stateRCDATA occurs inside an RCDATA element (<textarea> or <title>) - // as described at http://www.w3.org/TR/html5/syntax.html#elements-0 + // as described at https://www.w3.org/TR/html5/syntax.html#elements-0 stateRCDATA // stateAttr occurs inside an HTML attribute whose content is text. stateAttr diff --git a/src/html/template/css.go b/src/html/template/css.go index 9154d8636d..1587af8385 100644 --- a/src/html/template/css.go +++ b/src/html/template/css.go @@ -28,7 +28,7 @@ func endsWithCSSKeyword(b []byte, kw string) bool { } // Many CSS keywords, such as "!important" can have characters encoded, // but the URI production does not allow that according to - // http://www.w3.org/TR/css3-syntax/#TOK-URI + // https://www.w3.org/TR/css3-syntax/#TOK-URI // This does not attempt to recognize encoded keywords. For example, // given "\75\72\6c" and "url" this return false. return string(bytes.ToLower(b[i:])) == kw @@ -38,7 +38,7 @@ func endsWithCSSKeyword(b []byte, kw string) bool { func isCSSNmchar(r rune) bool { // Based on the CSS3 nmchar production but ignores multi-rune escape // sequences. - // http://www.w3.org/TR/css3-syntax/#SUBTOK-nmchar + // https://www.w3.org/TR/css3-syntax/#SUBTOK-nmchar return 'a' <= r && r <= 'z' || 'A' <= r && r <= 'Z' || '0' <= r && r <= '9' || @@ -53,7 +53,7 @@ func isCSSNmchar(r rune) bool { // decodeCSS decodes CSS3 escapes given a sequence of stringchars. // If there is no change, it returns the input, otherwise it returns a slice // backed by a new array. -// http://www.w3.org/TR/css3-syntax/#SUBTOK-stringchar defines stringchar. +// https://www.w3.org/TR/css3-syntax/#SUBTOK-stringchar defines stringchar. func decodeCSS(s []byte) []byte { i := bytes.IndexByte(s, '\\') if i == -1 { @@ -72,10 +72,10 @@ func decodeCSS(s []byte) []byte { if len(s) < 2 { break } - // http://www.w3.org/TR/css3-syntax/#SUBTOK-escape + // https://www.w3.org/TR/css3-syntax/#SUBTOK-escape // escape ::= unicode | '\' [#x20-#x7E#x80-#xD7FF#xE000-#xFFFD#x10000-#x10FFFF] if isHex(s[1]) { - // http://www.w3.org/TR/css3-syntax/#SUBTOK-unicode + // https://www.w3.org/TR/css3-syntax/#SUBTOK-unicode // unicode ::= '\' [0-9a-fA-F]{1,6} wc? j := 2 for j < len(s) && j < 7 && isHex(s[j]) { @@ -222,7 +222,7 @@ func cssValueFilter(args ...interface{}) string { b, id := decodeCSS([]byte(s)), make([]byte, 0, 64) // CSS3 error handling is specified as honoring string boundaries per - // http://www.w3.org/TR/css3-syntax/#error-handling : + // https://www.w3.org/TR/css3-syntax/#error-handling : // Malformed declarations. User agents must handle unexpected // tokens encountered while parsing a declaration by reading until // the end of the declaration, while observing the rules for diff --git a/src/html/template/escape.go b/src/html/template/escape.go index f87e9a69ea..8517620d3c 100644 --- a/src/html/template/escape.go +++ b/src/html/template/escape.go @@ -668,7 +668,7 @@ func (e *escaper) escapeText(c context, n *parse.TextNode) context { } else if isComment(c.state) && c.delim == delimNone { switch c.state { case stateJSBlockCmt: - // http://es5.github.com/#x7.4: + // https://es5.github.com/#x7.4: // "Comments behave like white space and are // discarded except that, if a MultiLineComment // contains a line terminator character, then @@ -731,7 +731,7 @@ func contextAfterText(c context, s []byte) (context, int) { i = len(s) } if c.delim == delimSpaceOrTagEnd { - // http://www.w3.org/TR/html5/syntax.html#attribute-value-(unquoted)-state + // https://www.w3.org/TR/html5/syntax.html#attribute-value-(unquoted)-state // lists the runes below as error characters. // Error out because HTML parsers may differ on whether // "<a id= onclick=f(" ends inside id's or onclick's value, diff --git a/src/html/template/html.go b/src/html/template/html.go index de4aa4abb2..2ea5a7d4bc 100644 --- a/src/html/template/html.go +++ b/src/html/template/html.go @@ -50,12 +50,12 @@ func htmlEscaper(args ...interface{}) string { // htmlReplacementTable contains the runes that need to be escaped // inside a quoted attribute value or in a text node. var htmlReplacementTable = []string{ - // http://www.w3.org/TR/html5/syntax.html#attribute-value-(unquoted)-state + // https://www.w3.org/TR/html5/syntax.html#attribute-value-(unquoted)-state // U+0000 NULL Parse error. Append a U+FFFD REPLACEMENT // CHARACTER character to the current attribute's value. // " // and similarly - // http://www.w3.org/TR/html5/syntax.html#before-attribute-value-state + // https://www.w3.org/TR/html5/syntax.html#before-attribute-value-state 0: "\uFFFD", '"': """, '&': "&", diff --git a/src/html/template/js.go b/src/html/template/js.go index e02fdb9751..33a18b4186 100644 --- a/src/html/template/js.go +++ b/src/html/template/js.go @@ -24,7 +24,7 @@ import ( // "x = ++/foo/i" which is quite different than "x++/foo/i", but is not known to // fail on any known useful programs. It is based on the draft // JavaScript 2.0 lexical grammar and requires one token of lookbehind: -// http://www.mozilla.org/js/language/js20-2000-07/rationale/syntax.html +// https://www.mozilla.org/js/language/js20-2000-07/rationale/syntax.html func nextJSCtx(s []byte, preceding jsCtx) jsCtx { s = bytes.TrimRight(s, "\t\n\f\r \u2028\u2029") if len(s) == 0 { diff --git a/src/html/template/js_test.go b/src/html/template/js_test.go index cf2a0d2987..12a850d6e3 100644 --- a/src/html/template/js_test.go +++ b/src/html/template/js_test.go @@ -191,7 +191,7 @@ func TestJSStrEscaper(t *testing.T) { {"</script>", `\x3c\/script\x3e`}, {"<![CDATA[", `\x3c![CDATA[`}, {"]]>", `]]\x3e`}, - // http://dev.w3.org/html5/markup/aria/syntax.html#escaping-text-span + // https://dev.w3.org/html5/markup/aria/syntax.html#escaping-text-span // "The text in style, script, title, and textarea elements // must not have an escaping text span start that is not // followed by an escaping text span end." @@ -203,7 +203,7 @@ func TestJSStrEscaper(t *testing.T) { // injection followed by an HTML text injection. {"<!--", `\x3c!--`}, {"-->", `--\x3e`}, - // From http://code.google.com/p/doctype/wiki/ArticleUtf7 + // From https://code.google.com/p/doctype/wiki/ArticleUtf7 {"+ADw-script+AD4-alert(1)+ADw-/script+AD4-", `\x2bADw-script\x2bAD4-alert(1)\x2bADw-\/script\x2bAD4-`, }, diff --git a/src/html/template/transition.go b/src/html/template/transition.go index c72cf1ea60..06df679330 100644 --- a/src/html/template/transition.go +++ b/src/html/template/transition.go @@ -254,7 +254,7 @@ func tURL(c context, s []byte) (context, int) { c.urlPart = urlPartQueryOrFrag } else if len(s) != eatWhiteSpace(s, 0) && c.urlPart == urlPartNone { // HTML5 uses "Valid URL potentially surrounded by spaces" for - // attrs: http://www.w3.org/TR/html5/index.html#attributes-1 + // attrs: https://www.w3.org/TR/html5/index.html#attributes-1 c.urlPart = urlPartPreQuery } return c, len(s) @@ -380,7 +380,7 @@ func tLineCmt(c context, s []byte) (context, int) { // are supported by the 4 major browsers. // This defines line comments as // LINECOMMENT ::= "//" [^\n\f\d]* - // since http://www.w3.org/TR/css3-syntax/#SUBTOK-nl defines + // since https://www.w3.org/TR/css3-syntax/#SUBTOK-nl defines // newlines: // nl ::= #xA | #xD #xA | #xD | #xC default: @@ -392,7 +392,7 @@ func tLineCmt(c context, s []byte) (context, int) { return c, len(s) } c.state = endState - // Per section 7.4 of EcmaScript 5 : http://es5.github.com/#x7.4 + // Per section 7.4 of EcmaScript 5 : https://es5.github.com/#x7.4 // "However, the LineTerminator at the end of the line is not // considered to be part of the single-line comment; it is // recognized separately by the lexical grammar and becomes part |