Fixes #2258

R=golang-dev, rsc
CC=golang-dev
https://golang.org/cl/5016048

R=adg
TBR=adg
CC=golang-dev
https://golang.org/cl/5024046

R=adg
CC=golang-dev
https://golang.org/cl/5018044

Not all content is plain text.  Sometimes content comes from a trusted
source, such as another template invocation, an HTML tag whitelister,
etc.

Template authors can deal with over-escaping in two ways.

1) They can encapsulate known-safe content via
   type HTML, type CSS, type URL, and friends in content.go.
2) If they know that the for a particular action never needs escaping
   then they can add |noescape to the pipeline.
   {{.KnownSafeContent | noescape}}
   which will prevent any escaping directives from being added.

This CL defines string type aliases: HTML, CSS, JS, URI, ...
It then modifies stringify to unpack the content type.
Finally it modifies the escaping functions to use the content type and
decline to escape content that does not require it.

There are minor changes to escapeAction and helpers to treat as
equivalent explicit escaping directives such as "html" and "urlquery"
and the escaping directives defined in the contextual autoescape module
and to recognize the special "noescape" directive.

The html escaping functions are rearranged.  Instead of having one
escaping function used in each {{.}} in

    {{.}} : <textarea title="{{.}}">{{.}}</textarea>

a slightly different escaping function is used for each.
When {{.}} binds to a pre-sanitized string of HTML

    `one < <i>two</i> &amp; two < "3"`

we produces something like

     one < <i>two</i> &amp; two < "3" :
     <textarea title="one &lt; two &amp; two &lt; &#34;3&#34;">
       one &lt; &lt;i&gt;two&lt;/i&gt; &amp; two &lt; "3"
     </textarea>

Although escaping is not required in <textarea> normally, if the
substring </textarea> is injected, then it breaks, so we normalize
special characters in RCDATA and do the same to preserve attribute
boundaries.  We also strip tags since developers never intend
typed HTML injected in an attribute to contain tags escaped, but
do occasionally confuse pre-escaped HTML with HTML from a
tag-whitelister.

R=golang-dev, nigeltao
CC=golang-dev
https://golang.org/cl/4962067

R=r
CC=golang-dev
https://golang.org/cl/5002041

- now fulltext index information is saved/restored
- minor updates to appinit.go

R=rsc
CC=golang-dev
https://golang.org/cl/5024043

R=rsc
CC=golang-dev
https://golang.org/cl/5024042

This moots a caveat in the proposed package documentation by
rendering useless any template that could not be escaped.

From https://golang.org/cl/4969078/
> If EscapeSet returns an error, do not Execute the set; it is not
> safe against injection.
r: [but isn't the returned set nil? i guess you don't overwrite the
r: original if there's a problem, but i think you're in your rights to
r: do so]

R=r
CC=golang-dev
https://golang.org/cl/5020043

The Windows implementation of the net package churns through a couple of channels for every read/write operation.  This translates into a lot of time spent in the kernel creating and deleting event objects.

R=rsc, dvyukov, alex.brainman, jp
CC=golang-dev
https://golang.org/cl/4997044

Lets test pass when using gccgo.

R=golang-dev, rsc
CC=golang-dev
https://golang.org/cl/5018046

R=adg, r, edsrzf, rsc, r
CC=golang-dev
https://golang.org/cl/4962052

R=nigeltao, r
CC=golang-dev
https://golang.org/cl/4969078

R=golang-dev, rsc
CC=golang-dev
https://golang.org/cl/5021042

It would be nice not to have to support this since all the clients
that we care about support TLSv1 by now. However, due to buggy
implementations of SSLv3 on the Internet which can't do version
negotiation correctly, browsers will sometimes switch to SSLv3. Since
there's no good way for a browser tell a network problem from a buggy
server, this downgrade can occur even if the server in question is
actually working correctly.

So we need to support SSLv3 for robustness :(

Fixes #1703.

R=bradfitz
CC=golang-dev
https://golang.org/cl/5018045

R=nigeltao
CC=golang-dev
https://golang.org/cl/5012044

R=golang-dev, cw
CC=golang-dev
https://golang.org/cl/5004045

R=r, rsc
CC=golang-dev
https://golang.org/cl/5009045

The spec says that all methods are inherited from an anonymous
field.  There is no exception for non-exported methods.

This is related to issue 1536.

R=rsc
CC=golang-dev
https://golang.org/cl/5012043

for handling errors

Fixes #2249.

R=rsc
CC=golang-dev
https://golang.org/cl/4952071

R=gri
CC=golang-dev
https://golang.org/cl/4978065

R=ukai
CC=golang-dev
https://golang.org/cl/4999043

R=golang-dev, r
CC=golang-dev
https://golang.org/cl/4995045

R=golang-dev
CC=golang-dev
https://golang.org/cl/5020045

TBR=rsc
CC=golang-dev
https://golang.org/cl/5016044

taking (w, h int).

R=rsc, bsiegert, r
CC=golang-dev
https://golang.org/cl/4964073

Fixes #2181.

R=golang-dev, jp
CC=golang-dev
https://golang.org/cl/5000042

The template package is the only one that has a doc.go not mentioned
in its Makefile.

This doesn't seem to bother godoc, but seems like a bug to me.

$ for d in $(find pkg -name doc.go); do echo $d; grep doc.go $(dirname $d)/Makefile; done
pkg/fmt/doc.go
        doc.go\
pkg/go/doc/doc.go
        doc.go\
pkg/gob/doc.go
        doc.go\
pkg/html/doc.go
        doc.go\
pkg/old/template/doc.go
        doc.go\
pkg/sync/atomic/doc.go
        doc.go\
pkg/template/doc.go

R=r
CC=golang-dev
https://golang.org/cl/5003047

This CL moves code but makes no changes otherwise.

R=nigeltao, r
CC=golang-dev
https://golang.org/cl/5012045

This one uses a closure than an interface, and is much simpler to use.
It also enables a called function to return an error and (possibly)
halt processing.

Fixes #2237.

R=golang-dev, gri, rsc, r, cw, n13m3y3r
CC=golang-dev
https://golang.org/cl/5014043

This adds support for {{template "callee"}} calls.
It recognizes that calls can appear in many contexts.

{{if .ImageURL}}
    <img src="{{.ImageURL}}" alt="{{template "description"}}">
{{else}}
    <p>{{template "description"}}</p>
{{end}}

calls a template in two different contexts, first in an HTML attribute
context, and second in an HTML text context.

Those two contexts aren't very different, but when linking text
to search terms, the escaping context can be materially different:

<a href="/search?q={{template "tags"}}">{{template "tags"}}</a>

This adds API:
EscapeSet(*template.Set, names ...string) os.Error

takes a set of templates and the names of those which might be called
in the default context as starting points.

It changes the escape* functions to be methods of an object which
maintains a conceptual mapping of
(template names*input context) -> output context.

The actual mapping uses as key a mangled name which combines the
template name with the input context.

The mangled name when the input context is the default context is the
same as the unmangled name.

When a template is called in multiple contexts, we clone the template.

{{define "tagLink"}}
  <a href="/search?q={{template "tags"}}">{{template "tags"}}</a>
{{end}}
{{define "tags"}}
  {{range .Tags}}{{.}},{{end}}
{{end}}

given []string{ "foo", "O'Reilly", "bar" } produces

  <a href="/search?q=foo,O%27Reilly,bar">foo,O&#39;Reilly,bar</a>

This involves rewriting the above to something like

{{define "tagLink"}}
  <a href="/search?q={{template "tags$1"}}">{{template "tags"}}</a>
{{end}}
{{define "tags"}}
  {{range .Tags}}{{. | html}},{{end}}
{{end}}
{{define "tags$1"}}
  {{range .Tags}}{{. | urlquery}},{{end}}
{{end}}

clone.go provides a mechanism for cloning template "tags" to produce
"tags$1".

changes to escape.go implement the new API and context propagation
around the call graph.

context.go includes minor changes to support name mangling and
context_test.go tests those.

js.go contains a bug-fix.

R=nigeltao, r
CC=golang-dev
https://golang.org/cl/4969072

R=golang-dev, bradfitz
CC=golang-dev
https://golang.org/cl/5002043

R=golang-dev, bradfitz
CC=golang-dev
https://golang.org/cl/5013042

R=r
CC=golang-dev
https://golang.org/cl/4973064

This CL only supports Unix, not Plan 9 or Windows.

R=rsc
CC=golang-dev
https://golang.org/cl/4996048

R=bradfitz
CC=golang-dev
https://golang.org/cl/4967067

R=golang-dev, r
CC=golang-dev
https://golang.org/cl/4983060

Often, division/regexp ambiguity doesn't matter in JS because the next
token is not a slash.

For example, in

  <script>var global{{if .InitVal}} = {{.InitVal}}{{end}}</script>

When there is an initial value, the {{if}} ends with jsCtxDivOp
since a '/' following {{.InitVal}} would be a division operator.
When there is none, the empty {{else}} branch ends with jsCtxRegexp
since a '/' would start a regular expression.  A '/' could result
in a valid program if it were on a new line to allow semicolon
insertion to terminate the VarDeclaration.

There is no '/' though, so we can ignore the ambiguity.

There are cases where a missing semi can result in ambiguity that
we should report.

  <script>
  {{if .X}}var x = {{.X}}{{end}}
  /...{{.Y}}
  </script>

where ... could be /foo/.test(bar) or /divisor.  Disambiguating in
this case is hard and is required to sanitize {{.Y}}.

Note, that in the case where there is a '/' in the script tail but it
is not followed by any interpolation, we already don't care.  So we
are already tolerant of

<script>{{if .X}}var x = {{.X}}{{end}}/a-bunch-of-text</script>

because tJS checks for </script> before looking in /a-bunch-of-text.

This CL
- Adds a jsCtx value: jsCtxUnknown
- Changes joinContext to join contexts that only differ by jsCtx.
- Changes tJS to return an error when a '/' is seen in jsCtxUnknown.
- Adds tests for both the happy and sad cases.

R=nigeltao
CC=golang-dev
https://golang.org/cl/4956077

Similar tests for CSS already catch this problem in tCSS.

R=nigeltao
CC=golang-dev
https://golang.org/cl/4967065

Fixes #2253.

R=agl
CC=golang-dev
https://golang.org/cl/4960066

Fixes #2248.

R=ken2
CC=golang-dev
https://golang.org/cl/4978064