    html/template: allow safe usage of predefined escapers in pipelines · 3a2fee03
    Samuel Tan authored
    Allow the predefined escapers "html", "urlquery", and "js" to be used
    in pipelines when they have no potential to affect the correctness or
    safety of the escaped pipeline output. Specifically:
    - "urlquery" may be used if it is the last command in the pipeline.
    - "html" may be used if it is the last command in the pipeline, and
      the pipeline does not occur in an unquoted HTML attribute value
      context.
    - "js" may be used in any pipeline, since it does not affect the
      merging of contextual escapers.
    
    This change loosens the restrictions on predefined escapers
    introduced in golang.org/cl/37880, which will hopefully ease the
    upgrade path for existing template users.
    
    This change brings back the escaper-merging logic, and associated
    unit tests, that were removed in golang.org/cl/37880. However, a
    few notable changes have been made:
    - "_html_template_nospaceescaper" is no longer considered
      equivalent to "html", since the former escapes spaces, while
      the latter does not (see #19345). This change should not silently
      break any templates, since pipelines where this substitution will
      happen will already trigger an explicit error.
    - An "_eval_args_" internal directive has been added to
      handle pipelines containing a single explicit call to a
      predefined escaper, e.g. {{html .X}} (see #19353).
    
    Also, the HTMLEscape function called by the predefined
    text/template "html" function now escapes the NULL character as
    well. This effectively makes it as secure as the internal
    html/template HTML escapers (see #19345). While this change is
    backward-incompatible, it will only affect illegitimate uses
    of this escaper, since the NULL character is always illegal in
    valid HTML.
    
    Fixes #19952
    
    Change-Id: I9b5570a80a3ea284b53901e6a1f842fc59b33d3a
    Reviewed-on: https://go-review.googlesource.com/40936
    Reviewed-by: Russ Cox <rsc@golang.org>
    Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
    TryBot-Result: Gobot Gobot <gobot@golang.org>
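The pipeline rules listed in the commit message, exercised end to end as an added example (this is not code from the Go repository or from this change). It assumes a Go toolchain that includes this change (Go 1.9 or later); the `render` helper and the sample values are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"html/template"
	"strings"
)

// render parses src with html/template and executes it against data.
// Contextual escaping, including the predefined-escaper checks, runs on
// the first Execute, so a disallowed pipeline surfaces as an Execute error.
// (Hypothetical helper written for this example.)
func render(src string, data interface{}) (string, error) {
	t, err := template.New("t").Parse(src)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	if err := t.Execute(&sb, data); err != nil {
		return "", err
	}
	return sb.String(), nil
}

func main() {
	// Constructed sample values: markup, a NUL byte, and query characters,
	// i.e. the inputs the commit message talks about.
	data := map[string]string{"X": "<b>x</b>", "Nul": "a\x00b", "Q": "a&b=c"}
	cases := []string{
		`{{.X | html}}`,                   // allowed: "html" is last, HTML text context
		`{{html .X}}`,                     // allowed: single call, rewritten via _eval_args_
		`{{.X | js | html}}`,              // allowed: "js" may appear anywhere
		`<a href="?q={{.Q | urlquery}}">`, // allowed: "urlquery" is last
		`{{.Nul | html}}`,                 // NUL is escaped to U+FFFD by the "html" function
		`{{.X | html | urlquery}}`,        // rejected: "html" is not the last command
		`<div title={{.X | html}}>`,       // rejected: unquoted attribute value context
	}
	for _, src := range cases {
		out, err := render(src, data)
		if err != nil {
			fmt.Printf("%-34s -> error: %v\n", src, err)
			continue
		}
		fmt.Printf("%-34s -> %q\n", src, out)
	}
}
```

The allowed forms produce the same output as the auto-escaped `{{.X}}` would, while the two rejected forms fail at execution time instead of silently producing differently escaped output.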