Commit 37714151 authored by Mike Samuel's avatar Mike Samuel

exp/template/html: fix infinite loop in escapeText on bad input

The template
    "<a="
caused an infinite loop in escape text.

The change to tTag fixes that and the change to escape.go causes
escapeText to panic on any infinite loop that does not involve
a state cycle.

R=nigeltao
CC=golang-dev
https://golang.org/cl/5115041
parent 66cdd020
...@@ -598,6 +598,9 @@ func (e *escaper) escapeText(c context, n *parse.TextNode) context { ...@@ -598,6 +598,9 @@ func (e *escaper) escapeText(c context, n *parse.TextNode) context {
b.Write(s[written:cs]) b.Write(s[written:cs])
written = i1 written = i1
} }
if i == i1 && c.state == c1.state {
panic(fmt.Sprintf("infinite loop from %v to %v on %q..%q", c, c1, s[:i], s[i:]))
}
c, i = c1, i1 c, i = c1, i1
} }
......
...@@ -904,6 +904,10 @@ func TestErrors(t *testing.T) { ...@@ -904,6 +904,10 @@ func TestErrors(t *testing.T) {
`<a style=font:'Arial'>`, `<a style=font:'Arial'>`,
`exp/template/html:z: "'" in unquoted attr: "font:'Arial'"`, `exp/template/html:z: "'" in unquoted attr: "font:'Arial'"`,
}, },
{
`<a=foo>`,
`: expected space, attr name, or end of tag, but got "=foo>"`,
},
} }
for _, test := range tests { for _, test := range tests {
......
...@@ -100,26 +100,30 @@ func tTag(c context, s []byte) (context, int) { ...@@ -100,26 +100,30 @@ func tTag(c context, s []byte) (context, int) {
return context{state: stateError, err: err}, len(s) return context{state: stateError, err: err}, len(s)
} }
state, attr := stateTag, attrNone state, attr := stateTag, attrNone
if i != j { if i == j {
canonAttrName := strings.ToLower(string(s[i:j])) return context{
switch attrType[canonAttrName] { state: stateError,
case contentTypeURL: err: errorf(ErrBadHTML, 0, "expected space, attr name, or end of tag, but got %q", s[i:]),
attr = attrURL }, len(s)
case contentTypeCSS: }
attr = attrStyle canonAttrName := strings.ToLower(string(s[i:j]))
case contentTypeJS: switch attrType[canonAttrName] {
case contentTypeURL:
attr = attrURL
case contentTypeCSS:
attr = attrStyle
case contentTypeJS:
attr = attrScript
default:
if strings.HasPrefix(canonAttrName, "on") {
attr = attrScript attr = attrScript
default:
if strings.HasPrefix(canonAttrName, "on") {
attr = attrScript
}
}
if j == len(s) {
state = stateAttrName
} else {
state = stateAfterName
} }
} }
if j == len(s) {
state = stateAttrName
} else {
state = stateAfterName
}
return context{state: state, element: c.element, attr: attr}, j return context{state: state, element: c.element, attr: attr}, j
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment