diff options
| author | empijei <robclap8@gmail.com> | 2020-03-27 19:27:55 +0100 |
|---|---|---|
| committer | Daniel Martí <mvdan@mvdan.cc> | 2020-04-16 17:13:33 +0000 |
| commit | d4d298040d072ddacea0e0d6b55fb148fff18070 (patch) | |
| tree | b36c1068e498b09f0e1b320c2784ba14ddf4ec8b /src/text | |
| parent | 71a671839f95fb43091316c72cae87c049c81bce (diff) | |
| download | go-d4d298040d072ddacea0e0d6b55fb148fff18070.tar.gz go-d4d298040d072ddacea0e0d6b55fb148fff18070.zip | |
html/template,text/template: switch to Unicode escapes for JSON compatibility
The existing implementation is not compatible with JSON
escape as it uses hex escaping.
Unicode escape, instead, is valid for both JSON and JS.
This fix avoids creating a separate escaping context for
scripts of type "application/ld+json" and it is more
future-proof in case more JSON+JS contexts get added
to the platform (e.g. import maps).
Fixes #33671
Fixes #37634
Change-Id: Id6f6524b4abc52e81d9d744d46bbe5bf2e081543
Reviewed-on: https://go-review.googlesource.com/c/go/+/226097
Reviewed-by: Carl Johnson <me@carlmjohnson.net>
Reviewed-by: Daniel Martí <mvdan@mvdan.cc>
Run-TryBot: Daniel Martí <mvdan@mvdan.cc>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Diffstat (limited to 'src/text')
| -rw-r--r-- | src/text/template/exec_test.go | 6 | ||||
| -rw-r--r-- | src/text/template/funcs.go | 8 |
2 files changed, 7 insertions, 7 deletions
diff --git a/src/text/template/exec_test.go b/src/text/template/exec_test.go index 77294eda4b..b8a809eee7 100644 --- a/src/text/template/exec_test.go +++ b/src/text/template/exec_test.go @@ -911,9 +911,9 @@ func TestJSEscaping(t *testing.T) { {`Go "jump" \`, `Go \"jump\" \\`}, {`Yukihiro says "今日は世界"`, `Yukihiro says \"今日は世界\"`}, {"unprintable \uFDFF", `unprintable \uFDFF`}, - {`<html>`, `\x3Chtml\x3E`}, - {`no = in attributes`, `no \x3D in attributes`}, - {`' does not become HTML entity`, `\x26#x27; does not become HTML entity`}, + {`<html>`, `\u003Chtml\u003E`}, + {`no = in attributes`, `no \u003D in attributes`}, + {`' does not become HTML entity`, `\u0026#x27; does not become HTML entity`}, } for _, tc := range testCases { s := JSEscapeString(tc.in) diff --git a/src/text/template/funcs.go b/src/text/template/funcs.go index fb56bc3fc6..1b6940a84a 100644 --- a/src/text/template/funcs.go +++ b/src/text/template/funcs.go @@ -653,10 +653,10 @@ var ( jsBackslash = []byte(`\\`) jsApos = []byte(`\'`) jsQuot = []byte(`\"`) - jsLt = []byte(`\x3C`) - jsGt = []byte(`\x3E`) - jsAmp = []byte(`\x26`) - jsEq = []byte(`\x3D`) + jsLt = []byte(`\u003C`) + jsGt = []byte(`\u003E`) + jsAmp = []byte(`\u0026`) + jsEq = []byte(`\u003D`) ) // JSEscape writes to w the escaped JavaScript equivalent of the plain text data b. |