search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
PR ada/81103
[official-gcc.git] / libgo / go / html / template / escape.go
blob5963194be6fe326ad4824b6679d7c247540a0b56
1 // Copyright 2011 The Go Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style
3 // license that can be found in the LICENSE file.
4
5 package template
6
7 import (
8 "bytes"
9 "fmt"
10 "html"
11 "io"
12 "text/template"
13 "text/template/parse"
14 )
15
16 // escapeTemplate rewrites the named template, which must be
17 // associated with t, to guarantee that the output of any of the named
18 // templates is properly escaped. If no error is returned, then the named templates have
19 // been modified. Otherwise the named templates have been rendered
20 // unusable.
21 func escapeTemplate(tmpl *Template, node parse.Node, name string) error {
22 c, _ := tmpl.esc.escapeTree(context{}, node, name, 0)
23 var err error
24 if c.err != nil {
25 err, c.err.Name = c.err, name
26 } else if c.state != stateText {
27 err = &Error{ErrEndContext, nil, name, 0, fmt.Sprintf("ends in a non-text context: %v", c)}
28 }
29 if err != nil {
30 // Prevent execution of unsafe templates.
31 if t := tmpl.set[name]; t != nil {
32 t.escapeErr = err
33 t.text.Tree = nil
34 t.Tree = nil
35 }
36 return err
37 }
38 tmpl.esc.commit()
39 if t := tmpl.set[name]; t != nil {
40 t.escapeErr = escapeOK
41 t.Tree = t.text.Tree
42 }
43 return nil
44 }
45
46 // evalArgs formats the list of arguments into a string. It is equivalent to
47 // fmt.Sprint(args...), except that it deferences all pointers.
48 func evalArgs(args ...interface{}) string {
49 // Optimization for simple common case of a single string argument.
50 if len(args) == 1 {
51 if s, ok := args[0].(string); ok {
52 return s
53 }
54 }
55 for i, arg := range args {
56 args[i] = indirectToStringerOrError(arg)
57 }
58 return fmt.Sprint(args...)
59 }
60
61 // funcMap maps command names to functions that render their inputs safe.
62 var funcMap = template.FuncMap{
63 "_html_template_attrescaper": attrEscaper,
64 "_html_template_commentescaper": commentEscaper,
65 "_html_template_cssescaper": cssEscaper,
66 "_html_template_cssvaluefilter": cssValueFilter,
67 "_html_template_htmlnamefilter": htmlNameFilter,
68 "_html_template_htmlescaper": htmlEscaper,
69 "_html_template_jsregexpescaper": jsRegexpEscaper,
70 "_html_template_jsstrescaper": jsStrEscaper,
71 "_html_template_jsvalescaper": jsValEscaper,
72 "_html_template_nospaceescaper": htmlNospaceEscaper,
73 "_html_template_rcdataescaper": rcdataEscaper,
74 "_html_template_srcsetescaper": srcsetFilterAndEscaper,
75 "_html_template_urlescaper": urlEscaper,
76 "_html_template_urlfilter": urlFilter,
77 "_html_template_urlnormalizer": urlNormalizer,
78 "_eval_args_": evalArgs,
79 }
80
81 // escaper collects type inferences about templates and changes needed to make
82 // templates injection safe.
83 type escaper struct {
84 // ns is the nameSpace that this escaper is associated with.
85 ns *nameSpace
86 // output[templateName] is the output context for a templateName that
87 // has been mangled to include its input context.
88 output map[string]context
89 // derived[c.mangle(name)] maps to a template derived from the template
90 // named name templateName for the start context c.
91 derived map[string]*template.Template
92 // called[templateName] is a set of called mangled template names.
93 called map[string]bool
94 // xxxNodeEdits are the accumulated edits to apply during commit.
95 // Such edits are not applied immediately in case a template set
96 // executes a given template in different escaping contexts.
97 actionNodeEdits map[*parse.ActionNode][]string
98 templateNodeEdits map[*parse.TemplateNode]string
99 textNodeEdits map[*parse.TextNode][]byte
100 }
101
102 // makeEscaper creates a blank escaper for the given set.
103 func makeEscaper(n *nameSpace) escaper {
104 return escaper{
105 n,
106 map[string]context{},
107 map[string]*template.Template{},
108 map[string]bool{},
109 map[*parse.ActionNode][]string{},
110 map[*parse.TemplateNode]string{},
111 map[*parse.TextNode][]byte{},
112 }
113 }
114
115 // filterFailsafe is an innocuous word that is emitted in place of unsafe values
116 // by sanitizer functions. It is not a keyword in any programming language,
117 // contains no special characters, is not empty, and when it appears in output
118 // it is distinct enough that a developer can find the source of the problem
119 // via a search engine.
120 const filterFailsafe = "ZgotmplZ"
121
122 // escape escapes a template node.
123 func (e *escaper) escape(c context, n parse.Node) context {
124 switch n := n.(type) {
125 case *parse.ActionNode:
126 return e.escapeAction(c, n)
127 case *parse.IfNode:
128 return e.escapeBranch(c, &n.BranchNode, "if")
129 case *parse.ListNode:
130 return e.escapeList(c, n)
131 case *parse.RangeNode:
132 return e.escapeBranch(c, &n.BranchNode, "range")
133 case *parse.TemplateNode:
134 return e.escapeTemplate(c, n)
135 case *parse.TextNode:
136 return e.escapeText(c, n)
137 case *parse.WithNode:
138 return e.escapeBranch(c, &n.BranchNode, "with")
139 }
140 panic("escaping " + n.String() + " is unimplemented")
141 }
142
143 // escapeAction escapes an action template node.
144 func (e *escaper) escapeAction(c context, n *parse.ActionNode) context {
145 if len(n.Pipe.Decl) != 0 {
146 // A local variable assignment, not an interpolation.
147 return c
148 }
149 c = nudge(c)
150 // Check for disallowed use of predefined escapers in the pipeline.
151 for pos, idNode := range n.Pipe.Cmds {
152 node, ok := idNode.Args[0].(*parse.IdentifierNode)
153 if !ok {
154 // A predefined escaper "esc" will never be found as an identifier in a
155 // Chain or Field node, since:
156 // - "esc.x ..." is invalid, since predefined escapers return strings, and
157 // strings do not have methods, keys or fields.
158 // - "... .esc" is invalid, since predefined escapers are global functions,
159 // not methods or fields of any types.
160 // Therefore, it is safe to ignore these two node types.
161 continue
162 }
163 ident := node.Ident
164 if _, ok := predefinedEscapers[ident]; ok {
165 if pos < len(n.Pipe.Cmds)-1 ||
166 c.state == stateAttr && c.delim == delimSpaceOrTagEnd && ident == "html" {
167 return context{
168 state: stateError,
169 err: errorf(ErrPredefinedEscaper, n, n.Line, "predefined escaper %q disallowed in template", ident),
170 }
171 }
172 }
173 }
174 s := make([]string, 0, 3)
175 switch c.state {
176 case stateError:
177 return c
178 case stateURL, stateCSSDqStr, stateCSSSqStr, stateCSSDqURL, stateCSSSqURL, stateCSSURL:
179 switch c.urlPart {
180 case urlPartNone:
181 s = append(s, "_html_template_urlfilter")
182 fallthrough
183 case urlPartPreQuery:
184 switch c.state {
185 case stateCSSDqStr, stateCSSSqStr:
186 s = append(s, "_html_template_cssescaper")
187 default:
188 s = append(s, "_html_template_urlnormalizer")
189 }
190 case urlPartQueryOrFrag:
191 s = append(s, "_html_template_urlescaper")
192 case urlPartUnknown:
193 return context{
194 state: stateError,
195 err: errorf(ErrAmbigContext, n, n.Line, "%s appears in an ambiguous context within a URL", n),
196 }
197 default:
198 panic(c.urlPart.String())
199 }
200 case stateJS:
201 s = append(s, "_html_template_jsvalescaper")
202 // A slash after a value starts a div operator.
203 c.jsCtx = jsCtxDivOp
204 case stateJSDqStr, stateJSSqStr:
205 s = append(s, "_html_template_jsstrescaper")
206 case stateJSRegexp:
207 s = append(s, "_html_template_jsregexpescaper")
208 case stateCSS:
209 s = append(s, "_html_template_cssvaluefilter")
210 case stateText:
211 s = append(s, "_html_template_htmlescaper")
212 case stateRCDATA:
213 s = append(s, "_html_template_rcdataescaper")
214 case stateAttr:
215 // Handled below in delim check.
216 case stateAttrName, stateTag:
217 c.state = stateAttrName
218 s = append(s, "_html_template_htmlnamefilter")
219 case stateSrcset:
220 s = append(s, "_html_template_srcsetescaper")
221 default:
222 if isComment(c.state) {
223 s = append(s, "_html_template_commentescaper")
224 } else {
225 panic("unexpected state " + c.state.String())
226 }
227 }
228 switch c.delim {
229 case delimNone:
230 // No extra-escaping needed for raw text content.
231 case delimSpaceOrTagEnd:
232 s = append(s, "_html_template_nospaceescaper")
233 default:
234 s = append(s, "_html_template_attrescaper")
235 }
236 e.editActionNode(n, s)
237 return c
238 }
239
240 // ensurePipelineContains ensures that the pipeline ends with the commands with
241 // the identifiers in s in order. If the pipeline ends with a predefined escaper
242 // (i.e. "html" or "urlquery"), merge it with the identifiers in s.
243 func ensurePipelineContains(p *parse.PipeNode, s []string) {
244 if len(s) == 0 {
245 // Do not rewrite pipeline if we have no escapers to insert.
246 return
247 }
248 // Precondition: p.Cmds contains at most one predefined escaper and the
249 // escaper will be present at p.Cmds[len(p.Cmds)-1]. This precondition is
250 // always true because of the checks in escapeAction.
251 pipelineLen := len(p.Cmds)
252 if pipelineLen > 0 {
253 lastCmd := p.Cmds[pipelineLen-1]
254 if idNode, ok := lastCmd.Args[0].(*parse.IdentifierNode); ok {
255 if esc := idNode.Ident; predefinedEscapers[esc] {
256 // Pipeline ends with a predefined escaper.
257 if len(p.Cmds) == 1 && len(lastCmd.Args) > 1 {
258 // Special case: pipeline is of the form {{ esc arg1 arg2 ... argN }},
259 // where esc is the predefined escaper, and arg1...argN are its arguments.
260 // Convert this into the equivalent form
261 // {{ _eval_args_ arg1 arg2 ... argN | esc }}, so that esc can be easily
262 // merged with the escapers in s.
263 lastCmd.Args[0] = parse.NewIdentifier("_eval_args_").SetTree(nil).SetPos(lastCmd.Args[0].Position())
264 p.Cmds = appendCmd(p.Cmds, newIdentCmd(esc, p.Position()))
265 pipelineLen++
266 }
267 // If any of the commands in s that we are about to insert is equivalent
268 // to the predefined escaper, use the predefined escaper instead.
269 dup := false
270 for i, escaper := range s {
271 if escFnsEq(esc, escaper) {
272 s[i] = idNode.Ident
273 dup = true
274 }
275 }
276 if dup {
277 // The predefined escaper will already be inserted along with the
278 // escapers in s, so do not copy it to the rewritten pipeline.
279 pipelineLen--
280 }
281 }
282 }
283 }
284 // Rewrite the pipeline, creating the escapers in s at the end of the pipeline.
285 newCmds := make([]*parse.CommandNode, pipelineLen, pipelineLen+len(s))
286 insertedIdents := make(map[string]bool)
287 for i := 0; i < pipelineLen; i++ {
288 cmd := p.Cmds[i]
289 newCmds[i] = cmd
290 if idNode, ok := cmd.Args[0].(*parse.IdentifierNode); ok {
291 insertedIdents[normalizeEscFn(idNode.Ident)] = true
292 }
293 }
294 for _, name := range s {
295 if !insertedIdents[normalizeEscFn(name)] {
296 // When two templates share an underlying parse tree via the use of
297 // AddParseTree and one template is executed after the other, this check
298 // ensures that escapers that were already inserted into the pipeline on
299 // the first escaping pass do not get inserted again.
300 newCmds = appendCmd(newCmds, newIdentCmd(name, p.Position()))
301 }
302 }
303 p.Cmds = newCmds
304 }
305
306 // predefinedEscapers contains template predefined escapers that are equivalent
307 // to some contextual escapers. Keep in sync with equivEscapers.
308 var predefinedEscapers = map[string]bool{
309 "html": true,
310 "urlquery": true,
311 }
312
313 // equivEscapers matches contextual escapers to equivalent predefined
314 // template escapers.
315 var equivEscapers = map[string]string{
316 // The following pairs of HTML escapers provide equivalent security
317 // guarantees, since they all escape '\000', '\'', '"', '&', '<', and '>'.
318 "_html_template_attrescaper": "html",
319 "_html_template_htmlescaper": "html",
320 "_html_template_rcdataescaper": "html",
321 // These two URL escapers produce URLs safe for embedding in a URL query by
322 // percent-encoding all the reserved characters specified in RFC 3986 Section
323 // 2.2
324 "_html_template_urlescaper": "urlquery",
325 // These two functions are not actually equivalent; urlquery is stricter as it
326 // escapes reserved characters (e.g. '#'), while _html_template_urlnormalizer
327 // does not. It is therefore only safe to replace _html_template_urlnormalizer
328 // with urlquery (this happens in ensurePipelineContains), but not the otherI've
329 // way around. We keep this entry around to preserve the behavior of templates
330 // written before Go 1.9, which might depend on this substitution taking place.
331 "_html_template_urlnormalizer": "urlquery",
332 }
333
334 // escFnsEq reports whether the two escaping functions are equivalent.
335 func escFnsEq(a, b string) bool {
336 return normalizeEscFn(a) == normalizeEscFn(b)
337 }
338
339 // normalizeEscFn(a) is equal to normalizeEscFn(b) for any pair of names of
340 // escaper functions a and b that are equivalent.
341 func normalizeEscFn(e string) string {
342 if norm := equivEscapers[e]; norm != "" {
343 return norm
344 }
345 return e
346 }
347
348 // redundantFuncs[a][b] implies that funcMap[b](funcMap[a](x)) == funcMap[a](x)
349 // for all x.
350 var redundantFuncs = map[string]map[string]bool{
351 "_html_template_commentescaper": {
352 "_html_template_attrescaper": true,
353 "_html_template_nospaceescaper": true,
354 "_html_template_htmlescaper": true,
355 },
356 "_html_template_cssescaper": {
357 "_html_template_attrescaper": true,
358 },
359 "_html_template_jsregexpescaper": {
360 "_html_template_attrescaper": true,
361 },
362 "_html_template_jsstrescaper": {
363 "_html_template_attrescaper": true,
364 },
365 "_html_template_urlescaper": {
366 "_html_template_urlnormalizer": true,
367 },
368 }
369
370 // appendCmd appends the given command to the end of the command pipeline
371 // unless it is redundant with the last command.
372 func appendCmd(cmds []*parse.CommandNode, cmd *parse.CommandNode) []*parse.CommandNode {
373 if n := len(cmds); n != 0 {
374 last, okLast := cmds[n-1].Args[0].(*parse.IdentifierNode)
375 next, okNext := cmd.Args[0].(*parse.IdentifierNode)
376 if okLast && okNext && redundantFuncs[last.Ident][next.Ident] {
377 return cmds
378 }
379 }
380 return append(cmds, cmd)
381 }
382
383 // indexOfStr is the first i such that eq(s, strs[i]) or -1 if s was not found.
384 func indexOfStr(s string, strs []string, eq func(a, b string) bool) int {
385 for i, t := range strs {
386 if eq(s, t) {
387 return i
388 }
389 }
390 return -1
391 }
392
393 // newIdentCmd produces a command containing a single identifier node.
394 func newIdentCmd(identifier string, pos parse.Pos) *parse.CommandNode {
395 return &parse.CommandNode{
396 NodeType: parse.NodeCommand,
397 Args: []parse.Node{parse.NewIdentifier(identifier).SetTree(nil).SetPos(pos)}, // TODO: SetTree.
398 }
399 }
400
401 // nudge returns the context that would result from following empty string
402 // transitions from the input context.
403 // For example, parsing:
404 // `<a href=`
405 // will end in context{stateBeforeValue, attrURL}, but parsing one extra rune:
406 // `<a href=x`
407 // will end in context{stateURL, delimSpaceOrTagEnd, ...}.
408 // There are two transitions that happen when the 'x' is seen:
409 // (1) Transition from a before-value state to a start-of-value state without
410 // consuming any character.
411 // (2) Consume 'x' and transition past the first value character.
412 // In this case, nudging produces the context after (1) happens.
413 func nudge(c context) context {
414 switch c.state {
415 case stateTag:
416 // In `<foo {{.}}`, the action should emit an attribute.
417 c.state = stateAttrName
418 case stateBeforeValue:
419 // In `<foo bar={{.}}`, the action is an undelimited value.
420 c.state, c.delim, c.attr = attrStartStates[c.attr], delimSpaceOrTagEnd, attrNone
421 case stateAfterName:
422 // In `<foo bar {{.}}`, the action is an attribute name.
423 c.state, c.attr = stateAttrName, attrNone
424 }
425 return c
426 }
427
428 // join joins the two contexts of a branch template node. The result is an
429 // error context if either of the input contexts are error contexts, or if the
430 // the input contexts differ.
431 func join(a, b context, node parse.Node, nodeName string) context {
432 if a.state == stateError {
433 return a
434 }
435 if b.state == stateError {
436 return b
437 }
438 if a.eq(b) {
439 return a
440 }
441
442 c := a
443 c.urlPart = b.urlPart
444 if c.eq(b) {
445 // The contexts differ only by urlPart.
446 c.urlPart = urlPartUnknown
447 return c
448 }
449
450 c = a
451 c.jsCtx = b.jsCtx
452 if c.eq(b) {
453 // The contexts differ only by jsCtx.
454 c.jsCtx = jsCtxUnknown
455 return c
456 }
457
458 // Allow a nudged context to join with an unnudged one.
459 // This means that
460 // <p title={{if .C}}{{.}}{{end}}
461 // ends in an unquoted value state even though the else branch
462 // ends in stateBeforeValue.
463 if c, d := nudge(a), nudge(b); !(c.eq(a) && d.eq(b)) {
464 if e := join(c, d, node, nodeName); e.state != stateError {
465 return e
466 }
467 }
468
469 return context{
470 state: stateError,
471 err: errorf(ErrBranchEnd, node, 0, "{{%s}} branches end in different contexts: %v, %v", nodeName, a, b),
472 }
473 }
474
475 // escapeBranch escapes a branch template node: "if", "range" and "with".
476 func (e *escaper) escapeBranch(c context, n *parse.BranchNode, nodeName string) context {
477 c0 := e.escapeList(c, n.List)
478 if nodeName == "range" && c0.state != stateError {
479 // The "true" branch of a "range" node can execute multiple times.
480 // We check that executing n.List once results in the same context
481 // as executing n.List twice.
482 c1, _ := e.escapeListConditionally(c0, n.List, nil)
483 c0 = join(c0, c1, n, nodeName)
484 if c0.state == stateError {
485 // Make clear that this is a problem on loop re-entry
486 // since developers tend to overlook that branch when
487 // debugging templates.
488 c0.err.Line = n.Line
489 c0.err.Description = "on range loop re-entry: " + c0.err.Description
490 return c0
491 }
492 }
493 c1 := e.escapeList(c, n.ElseList)
494 return join(c0, c1, n, nodeName)
495 }
496
497 // escapeList escapes a list template node.
498 func (e *escaper) escapeList(c context, n *parse.ListNode) context {
499 if n == nil {
500 return c
501 }
502 for _, m := range n.Nodes {
503 c = e.escape(c, m)
504 }
505 return c
506 }
507
508 // escapeListConditionally escapes a list node but only preserves edits and
509 // inferences in e if the inferences and output context satisfy filter.
510 // It returns the best guess at an output context, and the result of the filter
511 // which is the same as whether e was updated.
512 func (e *escaper) escapeListConditionally(c context, n *parse.ListNode, filter func(*escaper, context) bool) (context, bool) {
513 e1 := makeEscaper(e.ns)
514 // Make type inferences available to f.
515 for k, v := range e.output {
516 e1.output[k] = v
517 }
518 c = e1.escapeList(c, n)
519 ok := filter != nil && filter(&e1, c)
520 if ok {
521 // Copy inferences and edits from e1 back into e.
522 for k, v := range e1.output {
523 e.output[k] = v
524 }
525 for k, v := range e1.derived {
526 e.derived[k] = v
527 }
528 for k, v := range e1.called {
529 e.called[k] = v
530 }
531 for k, v := range e1.actionNodeEdits {
532 e.editActionNode(k, v)
533 }
534 for k, v := range e1.templateNodeEdits {
535 e.editTemplateNode(k, v)
536 }
537 for k, v := range e1.textNodeEdits {
538 e.editTextNode(k, v)
539 }
540 }
541 return c, ok
542 }
543
544 // escapeTemplate escapes a {{template}} call node.
545 func (e *escaper) escapeTemplate(c context, n *parse.TemplateNode) context {
546 c, name := e.escapeTree(c, n, n.Name, n.Line)
547 if name != n.Name {
548 e.editTemplateNode(n, name)
549 }
550 return c
551 }
552
553 // escapeTree escapes the named template starting in the given context as
554 // necessary and returns its output context.
555 func (e *escaper) escapeTree(c context, node parse.Node, name string, line int) (context, string) {
556 // Mangle the template name with the input context to produce a reliable
557 // identifier.
558 dname := c.mangle(name)
559 e.called[dname] = true
560 if out, ok := e.output[dname]; ok {
561 // Already escaped.
562 return out, dname
563 }
564 t := e.template(name)
565 if t == nil {
566 // Two cases: The template exists but is empty, or has never been mentioned at
567 // all. Distinguish the cases in the error messages.
568 if e.ns.set[name] != nil {
569 return context{
570 state: stateError,
571 err: errorf(ErrNoSuchTemplate, node, line, "%q is an incomplete or empty template", name),
572 }, dname
573 }
574 return context{
575 state: stateError,
576 err: errorf(ErrNoSuchTemplate, node, line, "no such template %q", name),
577 }, dname
578 }
579 if dname != name {
580 // Use any template derived during an earlier call to escapeTemplate
581 // with different top level templates, or clone if necessary.
582 dt := e.template(dname)
583 if dt == nil {
584 dt = template.New(dname)
585 dt.Tree = &parse.Tree{Name: dname, Root: t.Root.CopyList()}
586 e.derived[dname] = dt
587 }
588 t = dt
589 }
590 return e.computeOutCtx(c, t), dname
591 }
592
593 // computeOutCtx takes a template and its start context and computes the output
594 // context while storing any inferences in e.
595 func (e *escaper) computeOutCtx(c context, t *template.Template) context {
596 // Propagate context over the body.
597 c1, ok := e.escapeTemplateBody(c, t)
598 if !ok {
599 // Look for a fixed point by assuming c1 as the output context.
600 if c2, ok2 := e.escapeTemplateBody(c1, t); ok2 {
601 c1, ok = c2, true
602 }
603 // Use c1 as the error context if neither assumption worked.
604 }
605 if !ok && c1.state != stateError {
606 return context{
607 state: stateError,
608 err: errorf(ErrOutputContext, t.Tree.Root, 0, "cannot compute output context for template %s", t.Name()),
609 }
610 }
611 return c1
612 }
613
614 // escapeTemplateBody escapes the given template assuming the given output
615 // context, and returns the best guess at the output context and whether the
616 // assumption was correct.
617 func (e *escaper) escapeTemplateBody(c context, t *template.Template) (context, bool) {
618 filter := func(e1 *escaper, c1 context) bool {
619 if c1.state == stateError {
620 // Do not update the input escaper, e.
621 return false
622 }
623 if !e1.called[t.Name()] {
624 // If t is not recursively called, then c1 is an
625 // accurate output context.
626 return true
627 }
628 // c1 is accurate if it matches our assumed output context.
629 return c.eq(c1)
630 }
631 // We need to assume an output context so that recursive template calls
632 // take the fast path out of escapeTree instead of infinitely recursing.
633 // Naively assuming that the input context is the same as the output
634 // works >90% of the time.
635 e.output[t.Name()] = c
636 return e.escapeListConditionally(c, t.Tree.Root, filter)
637 }
638
639 // delimEnds maps each delim to a string of characters that terminate it.
640 var delimEnds = [...]string{
641 delimDoubleQuote: `"`,
642 delimSingleQuote: "'",
643 // Determined empirically by running the below in various browsers.
644 // var div = document.createElement("DIV");
645 // for (var i = 0; i < 0x10000; ++i) {
646 // div.innerHTML = "<span title=x" + String.fromCharCode(i) + "-bar>";
647 // if (div.getElementsByTagName("SPAN")[0].title.indexOf("bar") < 0)
648 // document.write("<p>U+" + i.toString(16));
649 // }
650 delimSpaceOrTagEnd: " \t\n\f\r>",
651 }
652
653 var doctypeBytes = []byte("<!DOCTYPE")
654
655 // escapeText escapes a text template node.
656 func (e *escaper) escapeText(c context, n *parse.TextNode) context {
657 s, written, i, b := n.Text, 0, 0, new(bytes.Buffer)
658 for i != len(s) {
659 c1, nread := contextAfterText(c, s[i:])
660 i1 := i + nread
661 if c.state == stateText || c.state == stateRCDATA {
662 end := i1
663 if c1.state != c.state {
664 for j := end - 1; j >= i; j-- {
665 if s[j] == '<' {
666 end = j
667 break
668 }
669 }
670 }
671 for j := i; j < end; j++ {
672 if s[j] == '<' && !bytes.HasPrefix(bytes.ToUpper(s[j:]), doctypeBytes) {
673 b.Write(s[written:j])
674 b.WriteString("&lt;")
675 written = j + 1
676 }
677 }
678 } else if isComment(c.state) && c.delim == delimNone {
679 switch c.state {
680 case stateJSBlockCmt:
681 // http://es5.github.com/#x7.4:
682 // "Comments behave like white space and are
683 // discarded except that, if a MultiLineComment
684 // contains a line terminator character, then
685 // the entire comment is considered to be a
686 // LineTerminator for purposes of parsing by
687 // the syntactic grammar."
688 if bytes.ContainsAny(s[written:i1], "\n\r\u2028\u2029") {
689 b.WriteByte('\n')
690 } else {
691 b.WriteByte(' ')
692 }
693 case stateCSSBlockCmt:
694 b.WriteByte(' ')
695 }
696 written = i1
697 }
698 if c.state != c1.state && isComment(c1.state) && c1.delim == delimNone {
699 // Preserve the portion between written and the comment start.
700 cs := i1 - 2
701 if c1.state == stateHTMLCmt {
702 // "<!--" instead of "/*" or "//"
703 cs -= 2
704 }
705 b.Write(s[written:cs])
706 written = i1
707 }
708 if i == i1 && c.state == c1.state {
709 panic(fmt.Sprintf("infinite loop from %v to %v on %q..%q", c, c1, s[:i], s[i:]))
710 }
711 c, i = c1, i1
712 }
713
714 if written != 0 && c.state != stateError {
715 if !isComment(c.state) || c.delim != delimNone {
716 b.Write(n.Text[written:])
717 }
718 e.editTextNode(n, b.Bytes())
719 }
720 return c
721 }
722
723 // contextAfterText starts in context c, consumes some tokens from the front of
724 // s, then returns the context after those tokens and the unprocessed suffix.
725 func contextAfterText(c context, s []byte) (context, int) {
726 if c.delim == delimNone {
727 c1, i := tSpecialTagEnd(c, s)
728 if i == 0 {
729 // A special end tag (`</script>`) has been seen and
730 // all content preceding it has been consumed.
731 return c1, 0
732 }
733 // Consider all content up to any end tag.
734 return transitionFunc[c.state](c, s[:i])
735 }
736
737 // We are at the beginning of an attribute value.
738
739 i := bytes.IndexAny(s, delimEnds[c.delim])
740 if i == -1 {
741 i = len(s)
742 }
743 if c.delim == delimSpaceOrTagEnd {
744 // http://www.w3.org/TR/html5/syntax.html#attribute-value-(unquoted)-state
745 // lists the runes below as error characters.
746 // Error out because HTML parsers may differ on whether
747 // "<a id= onclick=f(" ends inside id's or onclick's value,
748 // "<a class=`foo " ends inside a value,
749 // "<a style=font:'Arial'" needs open-quote fixup.
750 // IE treats '`' as a quotation character.
751 if j := bytes.IndexAny(s[:i], "\"'<=`"); j >= 0 {
752 return context{
753 state: stateError,
754 err: errorf(ErrBadHTML, nil, 0, "%q in unquoted attr: %q", s[j:j+1], s[:i]),
755 }, len(s)
756 }
757 }
758 if i == len(s) {
759 // Remain inside the attribute.
760 // Decode the value so non-HTML rules can easily handle
761 // <button onclick="alert(&quot;Hi!&quot;)">
762 // without having to entity decode token boundaries.
763 for u := []byte(html.UnescapeString(string(s))); len(u) != 0; {
764 c1, i1 := transitionFunc[c.state](c, u)
765 c, u = c1, u[i1:]
766 }
767 return c, len(s)
768 }
769
770 element := c.element
771
772 // If this is a non-JS "type" attribute inside "script" tag, do not treat the contents as JS.
773 if c.state == stateAttr && c.element == elementScript && c.attr == attrScriptType && !isJSType(string(s[:i])) {
774 element = elementNone
775 }
776
777 if c.delim != delimSpaceOrTagEnd {
778 // Consume any quote.
779 i++
780 }
781 // On exiting an attribute, we discard all state information
782 // except the state and element.
783 return context{state: stateTag, element: element}, i
784 }
785
786 // editActionNode records a change to an action pipeline for later commit.
787 func (e *escaper) editActionNode(n *parse.ActionNode, cmds []string) {
788 if _, ok := e.actionNodeEdits[n]; ok {
789 panic(fmt.Sprintf("node %s shared between templates", n))
790 }
791 e.actionNodeEdits[n] = cmds
792 }
793
794 // editTemplateNode records a change to a {{template}} callee for later commit.
795 func (e *escaper) editTemplateNode(n *parse.TemplateNode, callee string) {
796 if _, ok := e.templateNodeEdits[n]; ok {
797 panic(fmt.Sprintf("node %s shared between templates", n))
798 }
799 e.templateNodeEdits[n] = callee
800 }
801
802 // editTextNode records a change to a text node for later commit.
803 func (e *escaper) editTextNode(n *parse.TextNode, text []byte) {
804 if _, ok := e.textNodeEdits[n]; ok {
805 panic(fmt.Sprintf("node %s shared between templates", n))
806 }
807 e.textNodeEdits[n] = text
808 }
809
810 // commit applies changes to actions and template calls needed to contextually
811 // autoescape content and adds any derived templates to the set.
812 func (e *escaper) commit() {
813 for name := range e.output {
814 e.template(name).Funcs(funcMap)
815 }
816 // Any template from the name space associated with this escaper can be used
817 // to add derived templates to the underlying text/template name space.
818 tmpl := e.arbitraryTemplate()
819 for _, t := range e.derived {
820 if _, err := tmpl.text.AddParseTree(t.Name(), t.Tree); err != nil {
821 panic("error adding derived template")
822 }
823 }
824 for n, s := range e.actionNodeEdits {
825 ensurePipelineContains(n.Pipe, s)
826 }
827 for n, name := range e.templateNodeEdits {
828 n.Name = name
829 }
830 for n, s := range e.textNodeEdits {
831 n.Text = s
832 }
833 // Reset state that is specific to this commit so that the same changes are
834 // not re-applied to the template on subsequent calls to commit.
835 e.called = make(map[string]bool)
836 e.actionNodeEdits = make(map[*parse.ActionNode][]string)
837 e.templateNodeEdits = make(map[*parse.TemplateNode]string)
838 e.textNodeEdits = make(map[*parse.TextNode][]byte)
839 }
840
841 // template returns the named template given a mangled template name.
842 func (e *escaper) template(name string) *template.Template {
843 // Any template from the name space associated with this escaper can be used
844 // to look up templates in the underlying text/template name space.
845 t := e.arbitraryTemplate().text.Lookup(name)
846 if t == nil {
847 t = e.derived[name]
848 }
849 return t
850 }
851
852 // arbitraryTemplate returns an arbitrary template from the name space
853 // associated with e and panics if no templates are found.
854 func (e *escaper) arbitraryTemplate() *Template {
855 for _, t := range e.ns.set {
856 return t
857 }
858 panic("no templates in name space")
859 }
860
861 // Forwarding functions so that clients need only import this package
862 // to reach the general escaping functions of text/template.
863
864 // HTMLEscape writes to w the escaped HTML equivalent of the plain text data b.
865 func HTMLEscape(w io.Writer, b []byte) {
866 template.HTMLEscape(w, b)
867 }
868
869 // HTMLEscapeString returns the escaped HTML equivalent of the plain text data s.
870 func HTMLEscapeString(s string) string {
871 return template.HTMLEscapeString(s)
872 }
873
874 // HTMLEscaper returns the escaped HTML equivalent of the textual
875 // representation of its arguments.
876 func HTMLEscaper(args ...interface{}) string {
877 return template.HTMLEscaper(args...)
878 }
879
880 // JSEscape writes to w the escaped JavaScript equivalent of the plain text data b.
881 func JSEscape(w io.Writer, b []byte) {
882 template.JSEscape(w, b)
883 }
884
885 // JSEscapeString returns the escaped JavaScript equivalent of the plain text data s.
886 func JSEscapeString(s string) string {
887 return template.JSEscapeString(s)
888 }
889
890 // JSEscaper returns the escaped JavaScript equivalent of the textual
891 // representation of its arguments.
892 func JSEscaper(args ...interface{}) string {
893 return template.JSEscaper(args...)
894 }
895
896 // URLQueryEscaper returns the escaped value of the textual representation of
897 // its arguments in a form suitable for embedding in a URL query.
898 func URLQueryEscaper(args ...interface{}) string {
899 return template.URLQueryEscaper(args...)
900 }
Mirror of the offical gcc git repository hosted at gcc.gnu.org