Rietveld Code Review Tool
Help | Bug tracker | Discussion group | Source code | Sign in
(376)
Issues Repositories Search
Open Issues | Closed Issues | All Issues | Sign in with your Google Account to create issues and add comments

Issue 5119041: code review 5119041: exp/template/html: handle custom attrs and HTML5 embedd... (Closed)

Can't Edit
Can't Publish+Mail
Start Review
Created:
13 years, 11 months ago by MikeSamuel
Modified:
13 years, 10 months ago
Reviewers:
CC:
nigeltao, golang-dev
Visibility:
Public.

Description

exp/template/html: handle custom attrs and HTML5 embedded elements. HTML5 allows embedded SVG and MathML. Code searches show SVG is used for graphing. This changes transition to deal with constructs like <svg xmlns:xlink="http://www.w3.org/1999/xlink"> It changes attr and clients to call a single function that combines the name lookup and "on" prefix check to determine an attribute value type given an attribute name. That function uses heuristics to recognize that xlink:href and svg:href have URL content, and that data-url is likely contains URL content, since "javascript:" injection is such a problem. I did a code search over a closure templates codebase to determine patterns of custom attribute usage. I did something like $ find . -name \*.soy | \ xargs egrep perl -ne 'while (s/\b((data-|\w+:)\w+)\s*=//) { print "$1\n"; }' | \ sort | uniq to produce the list at the bottom. Filtering that by egrep -i 'src|url|uri' produces data-docConsumptionUri data-docIconUrl data-launchUrl data-lazySrc data-pageUrl data-shareurl data-suggestServerUrl data-tweetUrl g:secondaryurls g:url which seem to match all the ones that are likely URL content. There are some short words that match that heuristic, but I still think it decent since any custom attribute that has a numeric or enumerated keyword value will be unaffected by the URL assumption. Counterexamples from /usr/share/dict: during, hourly, maturity, nourish, purloin, security, surly Custom attributes present in existing closure templates codebase: buzz:aid data-a data-action data-actor data-allowEqualityOps data-analyticsId data-bid data-c data-cartId data-categoryId data-cid data-command data-count data-country data-creativeId data-cssToken data-dest data-docAttribution data-docConsumptionUri data-docCurrencyCode data-docIconUrl data-docId data-docPrice data-docPriceMicros data-docTitle data-docType data-docid data-email data-entityid data-errorindex data-f data-feature data-fgid data-filter data-fireEvent data-followable data-followed data-hashChange data-height data-hover data-href data-id data-index data-invitable data-isFree data-isPurchased data-jid data-jumpid data-launchUrl data-lazySrc data-listType data-maxVisiblePages data-name data-nid data-nodeid data-numItems data-numPerPage data-offerType data-oid data-opUsesEquality data-overflowclass data-packageName data-pageId data-pageUrl data-pos data-priceBrief data-profileIds data-query data-rating data-ref data-rentalGrantPeriodDays data-rentalactivePeriodHours data-reviewId data-role data-score data-shareurl data-showGeLe data-showLineInclude data-size data-sortval data-suggestServerType data-suggestServerUrl data-suggestionIndex data-tabBarId data-tabBarIndex data-tags data-target data-textColor data-theme data-title data-toggletarget data-tooltip data-trailerId data-transactionId data-transition data-ts data-tweetContent data-tweetUrl data-type data-useAjax data-value data-width data-x dm:index dm:type g:aspects g:decorateusingsecondary g:em g:entity g:groups g:id g:istoplevel g:li g:numresults g:oid g:parentId g:pl g:pt g:rating_override g:secondaryurls g:sortby g:startindex g:target g:type g:url g:value ga:barsize ga:css ga:expandAfterCharsExceed ga:initialNumRows ga:nocancelicon ga:numRowsToExpandTo ga:type ga:unlockwhenrated gw:address gw:businessname gw:comment gw:phone gw:source ng:controller xlink:href xml:lang xmlns:atom xmlns:dc xmlns:jstd xmlns:ng xmlns:og xmlns:webstore xmlns:xlink

Patch Set 1 #

Patch Set 2 : diff -r 8f9a4a1003f9 https://go.googlecode.com/hg/ #

Patch Set 3 : diff -r 8f9a4a1003f9 https://go.googlecode.com/hg/ #

Patch Set 4 : diff -r 8f9a4a1003f9 https://go.googlecode.com/hg/ #

Total comments: 10

Patch Set 5 : diff -r 51f8e9c7cb59 https://go.googlecode.com/hg/ #

Patch Set 6 : diff -r 05f0f5fe5d5e https://go.googlecode.com/hg/ #

Patch Set 7 : diff -r 6c5c19791fae https://go.googlecode.com/hg/ #

Patch Set 8 : diff -r 215f5a8a5892 https://go.googlecode.com/hg/ #

Unified diffs Side-by-side diffs Delta from patch set Stats (+247 lines, -183 lines) Patch
M src/pkg/exp/template/html/attr.go View 1 2 3 4 1 chunk +161 lines, -170 lines 0 comments Download
M src/pkg/exp/template/html/escape_test.go View 1 2 3 4 5 6 7 1 chunk +60 lines, -0 lines 0 comments Download
M src/pkg/exp/template/html/html.go View 1 2 3 4 1 chunk +1 line, -1 line 0 comments Download
M src/pkg/exp/template/html/transition.go View 1 2 3 4 2 chunks +25 lines, -12 lines 0 comments Download

Messages

Total messages: 4
MikeSamuel
Hello nigeltao@golang.org (cc: golang-dev@googlegroups.com), I'd like you to review this change to https://go.googlecode.com/hg/
13 years, 11 months ago (2011-09-23 20:19:53 UTC) #1
nigeltao
LGTM. http://codereview.appspot.com/5119041/diff/2005/src/pkg/exp/template/html/attr.go File src/pkg/exp/template/html/attr.go (right): http://codereview.appspot.com/5119041/diff/2005/src/pkg/exp/template/html/attr.go#newcode94 src/pkg/exp/template/html/attr.go:94: // since we have special handling in attrOfType. ...
13 years, 10 months ago (2011-09-25 09:03:13 UTC) #2
MikeSamuel
http://codereview.appspot.com/5119041/diff/2005/src/pkg/exp/template/html/attr.go File src/pkg/exp/template/html/attr.go (right): http://codereview.appspot.com/5119041/diff/2005/src/pkg/exp/template/html/attr.go#newcode94 src/pkg/exp/template/html/attr.go:94: // since we have special handling in attrOfType. On ...
13 years, 10 months ago (2011-09-26 11:50:32 UTC) #3
MikeSamuel
13 years, 10 months ago (2011-09-28 21:07:52 UTC) #4 
*** Submitted as http://code.google.com/p/go/source/detail?r=224c7e1777ed ***

exp/template/html: handle custom attrs and HTML5 embedded elements.

HTML5 allows embedded SVG and MathML.
Code searches show SVG is used for graphing.

This changes transition to deal with constructs like
   <svg xmlns:xlink="http://www.w3.org/1999/xlink">
It changes attr and clients to call a single function that combines
the name lookup and "on" prefix check to determine an attribute
value type given an attribute name.

That function uses heuristics to recognize that
     xlink:href and svg:href
have URL content, and that data-url is likely contains URL content,
since "javascript:" injection is such a problem.

I did a code search over a closure templates codebase to determine
patterns of custom attribute usage.  I did something like

$ find . -name \*.soy | \
    xargs egrep perl -ne 'while (s/\b((data-|\w+:)\w+)\s*=//) { print "$1\n"; }'
| \
    sort | uniq

to produce the list at the bottom.

Filtering that by egrep -i 'src|url|uri' produces

data-docConsumptionUri
data-docIconUrl
data-launchUrl
data-lazySrc
data-pageUrl
data-shareurl
data-suggestServerUrl
data-tweetUrl
g:secondaryurls
g:url

which seem to match all the ones that are likely URL content.
There are some short words that match that heuristic, but I still think it
decent since
any custom attribute that has a numeric or enumerated keyword value will be
unaffected by
the URL assumption.
Counterexamples from /usr/share/dict:
during, hourly, maturity, nourish, purloin, security, surly

Custom attributes present in existing closure templates codebase:
buzz:aid
data-a
data-action
data-actor
data-allowEqualityOps
data-analyticsId
data-bid
data-c
data-cartId
data-categoryId
data-cid
data-command
data-count
data-country
data-creativeId
data-cssToken
data-dest
data-docAttribution
data-docConsumptionUri
data-docCurrencyCode
data-docIconUrl
data-docId
data-docPrice
data-docPriceMicros
data-docTitle
data-docType
data-docid
data-email
data-entityid
data-errorindex
data-f
data-feature
data-fgid
data-filter
data-fireEvent
data-followable
data-followed
data-hashChange
data-height
data-hover
data-href
data-id
data-index
data-invitable
data-isFree
data-isPurchased
data-jid
data-jumpid
data-launchUrl
data-lazySrc
data-listType
data-maxVisiblePages
data-name
data-nid
data-nodeid
data-numItems
data-numPerPage
data-offerType
data-oid
data-opUsesEquality
data-overflowclass
data-packageName
data-pageId
data-pageUrl
data-pos
data-priceBrief
data-profileIds
data-query
data-rating
data-ref
data-rentalGrantPeriodDays
data-rentalactivePeriodHours
data-reviewId
data-role
data-score
data-shareurl
data-showGeLe
data-showLineInclude
data-size
data-sortval
data-suggestServerType
data-suggestServerUrl
data-suggestionIndex
data-tabBarId
data-tabBarIndex
data-tags
data-target
data-textColor
data-theme
data-title
data-toggletarget
data-tooltip
data-trailerId
data-transactionId
data-transition
data-ts
data-tweetContent
data-tweetUrl
data-type
data-useAjax
data-value
data-width
data-x
dm:index
dm:type
g:aspects
g:decorateusingsecondary
g:em
g:entity
g:groups
g:id
g:istoplevel
g:li
g:numresults
g:oid
g:parentId
g:pl
g:pt
g:rating_override
g:secondaryurls
g:sortby
g:startindex
g:target
g:type
g:url
g:value
ga:barsize
ga:css
ga:expandAfterCharsExceed
ga:initialNumRows
ga:nocancelicon
ga:numRowsToExpandTo
ga:type
ga:unlockwhenrated
gw:address
gw:businessname
gw:comment
gw:phone
gw:source
ng:controller
xlink:href
xml:lang
xmlns:atom
xmlns:dc
xmlns:jstd
xmlns:ng
xmlns:og
xmlns:webstore
xmlns:xlink

R=nigeltao
CC=golang-dev
http://codereview.appspot.com/5119041
Sign in to reply to this message.

Powered by Google App Engine
RSS Feeds Recent Issues | This issue
This is Rietveld f62528b