1 // Copyright 2011 The Go Authors. All rights reserved. | 1 // Copyright 2011 The Go Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style | 2 // Use of this source code is governed by a BSD-style |
3 // license that can be found in the LICENSE file. | 3 // license that can be found in the LICENSE file. |
4 | 4 |
5 package template | 5 package template |
6 | 6 |
7 import ( | 7 import ( |
8 "fmt" | 8 "fmt" |
9 "reflect" | 9 "reflect" |
10 ) | 10 ) |
11 | 11 |
12 // Strings of content from a trusted source. | 12 // Strings of content from a trusted source. |
13 type ( | 13 type ( |
14 // CSS encapsulates known safe content that matches any of: | 14 // CSS encapsulates known safe content that matches any of: |
15 » // (1) The CSS3 stylesheet production, such as `p { color: purple }`. | 15 » // 1. The CSS3 stylesheet production, such as `p { color: purple }`. |
16 » // (2) The CSS3 rule production, such as `a[href=~"https:"].foo#bar`. | 16 » // 2. The CSS3 rule production, such as `a[href=~"https:"].foo#bar`. |
17 » // (3) CSS3 declaration productions, such as `color: red; margin: 2px`. | 17 » // 3. CSS3 declaration productions, such as `color: red; margin: 2px`. |
18 » // (4) The CSS3 value production, such as `rgba(0, 0, 255, 127)`. | 18 » // 4. The CSS3 value production, such as `rgba(0, 0, 255, 127)`. |
19 // See http://www.w3.org/TR/css3-syntax/#style | 19 // See http://www.w3.org/TR/css3-syntax/#style |
20 CSS string | 20 CSS string |
21 | 21 |
22 // HTML encapsulates a known safe HTML document fragment. | 22 // HTML encapsulates a known safe HTML document fragment. |
23 // It should not be used for HTML from a third-party, or HTML with | 23 // It should not be used for HTML from a third-party, or HTML with |
24 // unclosed tags or comments. The outputs of a sound HTML sanitizer | 24 // unclosed tags or comments. The outputs of a sound HTML sanitizer |
25 // and a template escaped by this package are fine for use with HTML. | 25 // and a template escaped by this package are fine for use with HTML. |
26 HTML string | 26 HTML string |
27 | 27 |
28 // HTMLAttr encapsulates an HTML attribute from a trusted source, | 28 // HTMLAttr encapsulates an HTML attribute from a trusted source, |
29 // for example: ` dir="ltr"`. | 29 // for example: ` dir="ltr"`. |
30 HTMLAttr string | 30 HTMLAttr string |
31 | 31 |
32 // JS encapsulates a known safe EcmaScript5 Expression, or example, | 32 // JS encapsulates a known safe EcmaScript5 Expression, or example, |
33 // `(x + y * z())`.· | 33 // `(x + y * z())`.· |
34 // Template authors are responsible for ensuring that typed expressions | 34 // Template authors are responsible for ensuring that typed expressions |
35 // do not break the intended precedence and that there is no | 35 // do not break the intended precedence and that there is no |
36 // statement/expression ambiguity as when passing an expression like | 36 // statement/expression ambiguity as when passing an expression like |
37 // "{ foo: bar() }\n['foo']()", which is both a valid Expression and a | 37 // "{ foo: bar() }\n['foo']()", which is both a valid Expression and a |
38 // valid Program with a very different meaning. | 38 // valid Program with a very different meaning. |
39 JS string | 39 JS string |
40 | 40 |
41 // JSStr encapsulates a sequence of characters meant to be embedded | 41 // JSStr encapsulates a sequence of characters meant to be embedded |
42 // between quotes in a JavaScript expression. | 42 // between quotes in a JavaScript expression. |
43 // The string must match a series of StringCharacters: | 43 // The string must match a series of StringCharacters: |
44 » // StringCharacter :: SourceCharacter but not `\` or LineTerminator | 44 » // StringCharacter :: SourceCharacter but not `\` or LineTerminator |
45 » // | EscapeSequence | 45 » // | EscapeSequence |
46 // Note that LineContinuations are not allowed. | 46 // Note that LineContinuations are not allowed. |
47 // JSStr("foo\\nbar") is fine, but JSStr("foo\\\nbar") is not. | 47 // JSStr("foo\\nbar") is fine, but JSStr("foo\\\nbar") is not. |
48 JSStr string | 48 JSStr string |
49 | 49 |
50 // URL encapsulates a known safe URL as defined in RFC 3896. | 50 // URL encapsulates a known safe URL as defined in RFC 3896. |
51 // A URL like `javascript:checkThatFormNotEditedBeforeLeavingPage()` | 51 // A URL like `javascript:checkThatFormNotEditedBeforeLeavingPage()` |
52 // from a trusted source should go in the page, but by default dynamic | 52 // from a trusted source should go in the page, but by default dynamic |
53 // `javascript:` URLs are filtered out since they are a frequently | 53 // `javascript:` URLs are filtered out since they are a frequently |
54 // exploited injection vector. | 54 // exploited injection vector. |
55 URL string | 55 URL string |
104 return string(s), contentTypeJSStr | 104 return string(s), contentTypeJSStr |
105 case URL: | 105 case URL: |
106 return string(s), contentTypeURL | 106 return string(s), contentTypeURL |
107 } | 107 } |
108 } | 108 } |
109 for i, arg := range args { | 109 for i, arg := range args { |
110 args[i] = indirect(arg) | 110 args[i] = indirect(arg) |
111 } | 111 } |
112 return fmt.Sprint(args...), contentTypePlain | 112 return fmt.Sprint(args...), contentTypePlain |
113 } | 113 } |
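Review bot: The doc comment on the URL type at line 50 of the first hunk cites `RFC 3896`, which looks like a transposition of RFC 3986 (URI: Generic Syntax); since this change is already tidying these doc comments, it is worth fixing so a reader checking what "known safe URL" means lands on the right spec: `// URL encapsulates a known safe URL as defined in RFC 3986.`. In the same block the JS comment at line 32 reads `or example,` where `for example,` is meant. Both are comment-only and change no behaviour. The type block these comments sit in closes outside the shown lines, and the second hunk (lines 104-113) is only context inside a function whose start is not visible here.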