Commit b1d6fa51 authored by Mike Samuel's avatar Mike Samuel

html/template: reenable testcases and fix mis-escaped sequences.

Tighter octal parsing broke some tests and were disabled in
https://golang.org/cl/5530051

Those tests were broken.  The CSS decoder was supposed to see CSS
hex escape sequences of the form '\' <hex>+, but those escape
sequences were instead being consumed by the template parser.

This change properly escapes those escape sequences, and uses
proper escaping for NULs.

R=golang-dev, rsc, nigeltao
CC=golang-dev
https://golang.org/cl/5529073
parent 81728cf0
......@@ -300,23 +300,21 @@ func TestEscape(t *testing.T) {
`<p style="color: {{"#8ff"}}; background: {{"#000"}}">`,
`<p style="color: #8ff; background: #000">`,
},
// This test is broken by the fix to issue 2658.
// {
// "styleObfuscatedExpressionBlocked",
// `<p style="width: {{" e\78preS\0Sio/**/n(alert(1337))"}}">`,
// `<p style="width: ZgotmplZ">`,
// },
{
"styleObfuscatedExpressionBlocked",
`<p style="width: {{" e\\78preS\x00Sio/**/n(alert(1337))"}}">`,
`<p style="width: ZgotmplZ">`,
},
{
"styleMozBindingBlocked",
`<p style="{{"-moz-binding(alert(1337))"}}: ...">`,
`<p style="ZgotmplZ: ...">`,
},
// This test is broken by the fix to issue 2658.
// {
// "styleObfuscatedMozBindingBlocked",
// `<p style="{{" -mo\7a-B\0I/**/nding(alert(1337))"}}: ...">`,
// `<p style="ZgotmplZ: ...">`,
// },
{
"styleObfuscatedMozBindingBlocked",
`<p style="{{" -mo\\7a-B\x00I/**/nding(alert(1337))"}}: ...">`,
`<p style="ZgotmplZ: ...">`,
},
{
"styleFontNameString",
`<p style='font-family: "{{"Times New Roman"}}"'>`,
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment