Commit 94e9a5e1 authored by Roberto Clapis's avatar Roberto Clapis Committed by Filippo Valsorda

text/template: harden JSEscape to also escape ampersand and equal

Ampersand and equal are not dangerous in a JS/JSString context
but they might cause issues if interpolated in HTML attributes.

This change makes it harder to introduce XSS by misusing
escaping.

Thanks to t1ddl3r <t1ddl3r@gmail.com> for reporting this common
misuse scenario.

Fixes #35665

Change-Id: Ice6416477bba4cb2ba2fe2cfdc20e027957255c0
Reviewed-on: https://go-review.googlesource.com/c/go/+/207637Reviewed-by: default avatarFilippo Valsorda <filippo@golang.org>
Reviewed-by: default avatarMike Samuel <mikesamuel@gmail.com>
Reviewed-by: default avatarAndrew Bonventre <andybons@golang.org>
Reviewed-by: default avatarDaniel Martí <mvdan@mvdan.cc>
parent f4a8bf12
...@@ -116,9 +116,9 @@ func Example_escape() { ...@@ -116,9 +116,9 @@ func Example_escape() {
// &#34;Fran &amp; Freddie&#39;s Diner&#34; &lt;tasty@example.com&gt; // &#34;Fran &amp; Freddie&#39;s Diner&#34; &lt;tasty@example.com&gt;
// &#34;Fran &amp; Freddie&#39;s Diner&#34; &lt;tasty@example.com&gt; // &#34;Fran &amp; Freddie&#39;s Diner&#34; &lt;tasty@example.com&gt;
// &#34;Fran &amp; Freddie&#39;s Diner&#34;32&lt;tasty@example.com&gt; // &#34;Fran &amp; Freddie&#39;s Diner&#34;32&lt;tasty@example.com&gt;
// \"Fran & Freddie\'s Diner\" \x3Ctasty@example.com\x3E // \"Fran \x26 Freddie\'s Diner\" \x3Ctasty@example.com\x3E
// \"Fran & Freddie\'s Diner\" \x3Ctasty@example.com\x3E // \"Fran \x26 Freddie\'s Diner\" \x3Ctasty@example.com\x3E
// \"Fran & Freddie\'s Diner\"32\x3Ctasty@example.com\x3E // \"Fran \x26 Freddie\'s Diner\"32\x3Ctasty@example.com\x3E
// %22Fran+%26+Freddie%27s+Diner%2232%3Ctasty%40example.com%3E // %22Fran+%26+Freddie%27s+Diner%2232%3Ctasty%40example.com%3E
} }
......
...@@ -909,6 +909,8 @@ func TestJSEscaping(t *testing.T) { ...@@ -909,6 +909,8 @@ func TestJSEscaping(t *testing.T) {
{`Yukihiro says "今日は世界"`, `Yukihiro says \"今日は世界\"`}, {`Yukihiro says "今日は世界"`, `Yukihiro says \"今日は世界\"`},
{"unprintable \uFDFF", `unprintable \uFDFF`}, {"unprintable \uFDFF", `unprintable \uFDFF`},
{`<html>`, `\x3Chtml\x3E`}, {`<html>`, `\x3Chtml\x3E`},
{`no = in attributes`, `no \x3D in attributes`},
{`&#x27; does not become HTML entity`, `\x26#x27; does not become HTML entity`},
} }
for _, tc := range testCases { for _, tc := range testCases {
s := JSEscapeString(tc.in) s := JSEscapeString(tc.in)
......
...@@ -642,6 +642,8 @@ var ( ...@@ -642,6 +642,8 @@ var (
jsQuot = []byte(`\"`) jsQuot = []byte(`\"`)
jsLt = []byte(`\x3C`) jsLt = []byte(`\x3C`)
jsGt = []byte(`\x3E`) jsGt = []byte(`\x3E`)
jsAmp = []byte(`\x26`)
jsEq = []byte(`\x3D`)
) )
// JSEscape writes to w the escaped JavaScript equivalent of the plain text data b. // JSEscape writes to w the escaped JavaScript equivalent of the plain text data b.
...@@ -670,6 +672,10 @@ func JSEscape(w io.Writer, b []byte) { ...@@ -670,6 +672,10 @@ func JSEscape(w io.Writer, b []byte) {
w.Write(jsLt) w.Write(jsLt)
case '>': case '>':
w.Write(jsGt) w.Write(jsGt)
case '&':
w.Write(jsAmp)
case '=':
w.Write(jsEq)
default: default:
w.Write(jsLowUni) w.Write(jsLowUni)
t, b := c>>4, c&0x0f t, b := c>>4, c&0x0f
...@@ -704,7 +710,7 @@ func JSEscapeString(s string) string { ...@@ -704,7 +710,7 @@ func JSEscapeString(s string) string {
func jsIsSpecial(r rune) bool { func jsIsSpecial(r rune) bool {
switch r { switch r {
case '\\', '\'', '"', '<', '>': case '\\', '\'', '"', '<', '>', '&', '=':
return true return true
} }
return r < ' ' || utf8.RuneSelf <= r return r < ' ' || utf8.RuneSelf <= r
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment