- 18 Sep, 2011 1 commit
-
Mike Samuel authored
HTML5 uses "Valid URL potentially surrounded by spaces" for attrs: http://www.w3.org/TR/html5/index.html#attributes-1
<a href=" {{.}}"> should be escaped to filter out "javascript:..." as data.
R=nigeltao CC=golang-dev https://golang.org/cl/5027045
-
- 17 Sep, 2011 8 commits
-
Adam Langley authored
The typical UNIX method for controlling a long-running process is to send the process signals. Since this doesn't get you very far, various ad-hoc, remote-control protocols have been used over time by programs like Apache and BIND. Implementing an SSH server means that Go code will have a standard, secure way to do this in the future.
R=bradfitz, borman, dave, gustavo, dsymonds, r, adg, rsc, rogpeppe, lvd, kevlar, raul.san CC=golang-dev https://golang.org/cl/4962064
-
Mike Rosset authored
Documentation more along the lines of os.FileInfo Fixes #2180. R=golang-dev, dsymonds CC=golang-dev, mike.rosset https://golang.org/cl/4958055
-
Hector Chu authored
gotest src/pkg/exp/template/html was crashing because the exception handler overflowed the goroutine stack. R=alex.brainman, golang-dev CC=golang-dev https://golang.org/cl/5031049
-
Hector Chu authored
R=alex.brainman CC=golang-dev https://golang.org/cl/5047045
-
Hector Chu authored
Credit to jp for proof of concept. R=alex.brainman, jp, rsc, dvyukov CC=golang-dev https://golang.org/cl/4960057
-
Michael Shields authored
filepath.Glob is documented to return nil if no files match and an error only if the pattern is invalid. This change fixes it to work as documented and adds a regression test. R=golang-dev, r CC=golang-dev https://golang.org/cl/5040045
-
Rob Pike authored
R=golang-dev, dsymonds CC=golang-dev, mshields https://golang.org/cl/5042045
-
Ian Lance Taylor authored
bug330.go:11:6: error: expected numeric type
bug330.go:12:6: error: expected numeric type
R=golang-dev, gri CC=golang-dev https://golang.org/cl/5031050
-
- 16 Sep, 2011 9 commits
-
Robert Griesemer authored
R=r CC=golang-dev https://golang.org/cl/5039045
-
Yasuhiro Matsumoto authored
clean up duplicate environment for CGI. overriding former by latter.
On Windows, when there are duplicated environment entries like the following,
    SCRIPT_FILENAME=c:/progra~1/php/php-cgi.exe
    SCRIPT_FILENAME=/foo.php
CreateProcess uses the first entry.
If you make a cgi.Handle like the following,
    cgih = cgi.Handler{
        Path: "c:/strawberry/perl/bin/perl.exe",
        Dir:  "c:/path/to/webroot",
        Root: "c:/path/to/webroot",
        Args: []string{"foo.php"},
        Env:  []string{"SCRIPT_FILENAME=foo.php"},
    }
http/cgi should behave "SCRIPT_FILENAME is foo.php". But currently, http/cgi sets duplicate environment entries. So, the browser shows a binary dump of "php-cgi.exe" that is specified indented SCRIPT_FILENAME in first entry.
This change cleans up duplicates, and uses the latter.
R=golang-dev, bradfitz, bradfitz CC=golang-dev https://golang.org/cl/5010044
-
Marcel van Lohuizen authored
is going to support returning multiple matches for a single repeated group. R=r, rsc, mpvl CC=golang-dev https://golang.org/cl/5014045
-
Marcel van Lohuizen authored
Trie now uses sparse block when this makes sense. R=r, r CC=golang-dev https://golang.org/cl/5010043
-
Mike Samuel authored
I found a simple test case that does require doing the fixed point TODO in computeOutCtx. I found a way though to do this and simplify away the escapeRange hackiness that was added in https://golang.org/cl/5012044/ R=nigeltao CC=golang-dev https://golang.org/cl/5015052
-
Andrew Gerrand authored
R=golang-dev, dsymonds CC=golang-dev https://golang.org/cl/5004052
-
Andrew Gerrand authored
R=golang-dev, dsymonds, r CC=golang-dev https://golang.org/cl/5040042
-
Alex Brainman authored
R=golang-dev, bsiegert, rsc, hectorchu CC=golang-dev https://golang.org/cl/5016043
-
Mike Samuel authored
This replaces the errStr & errLine members of context with a single err *Error, and introduces a number of const error codes, one per escape-time failure mode, that can be separately documented. The changes to the error documentation moved from doc.go to error.go are cosmetic. R=r, nigeltao CC=golang-dev https://golang.org/cl/5026041
-
- 15 Sep, 2011 20 commits
-
Robert Griesemer authored
On app-engine, we cannot import syscall. The respective constants are already defined elsewhere for the same reason. R=r, dsymonds CC=golang-dev https://golang.org/cl/5036042
-
Robert Griesemer authored
When saving/restoring the fulltext index, the entire respective suffixarray is now saved/restored (as opposed to the indexed data only, and the suffixarray recreated). This saves significant start-up time for large indexes, at the cost of significantly larger index files. R=r CC=golang-dev https://golang.org/cl/5037043
-
Robert Griesemer authored
R=r CC=golang-dev https://golang.org/cl/5040041
-
Brad Fitzpatrick authored
Fixes #2218 R=golang-dev, rsc CC=golang-dev https://golang.org/cl/5037041
-
Brad Fitzpatrick authored
Comments from rsc after 4921049 was submitted. R=rsc CC=golang-dev https://golang.org/cl/5034042
-
Brad Fitzpatrick authored
Fixes #2208 R=golang-dev, rsc CC=golang-dev https://golang.org/cl/5011051
-
Russ Cox authored
This makes it possible to use a FlagSet as a field in a larger struct. R=golang-dev, r CC=golang-dev https://golang.org/cl/5036041
-
Russ Cox authored
Fixes #1156. Fixes #2172. R=gri CC=golang-dev https://golang.org/cl/5015044
-
Russ Cox authored
The go/build package already recognizes system-specific file names like
    mycode_darwin.go
    mycode_darwin_386.go
    mycode_386.s
However, it is also common to write files that apply to multiple architectures, so a recent CL added to go/build the ability to process comments listing a set of conditions for building. For example:
    // +build darwin freebsd openbsd/386
says that this file should be compiled only on OS X, FreeBSD, or 32-bit x86 OpenBSD systems.
These conventions are not yet documented (hence this long CL description).
This CL adds build comments to the multi-system files in the core library, a step toward making it possible to use go/build to build them.
With this change go/build can handle crypto/rand, exec, net, path/filepath, os/user, and time. os and syscall need additional adjustments.
R=golang-dev, r, gri, r, gustavo CC=golang-dev https://golang.org/cl/5011046
-
Russ Cox authored
New rules as discussed on CL 5011046. Also apply to C and assembly files, not just Go files. R=r, rogpeppe CC=golang-dev https://golang.org/cl/5015051
-
Brad Fitzpatrick authored
R=iant, iant CC=golang-dev https://golang.org/cl/5016051
-
Brad Fitzpatrick authored
Fixes #2258 R=golang-dev, rsc CC=golang-dev https://golang.org/cl/5016048
-
Russ Cox authored
R=adg TBR=adg CC=golang-dev https://golang.org/cl/5024046
-
Russ Cox authored
R=adg CC=golang-dev https://golang.org/cl/5018044
-
Mike Samuel authored
Not all content is plain text. Sometimes content comes from a trusted source, such as another template invocation, an HTML tag whitelister, etc.
Template authors can deal with over-escaping in two ways.
1) They can encapsulate known-safe content via type HTML, type CSS, type URL, and friends in content.go.
2) If they know that the for a particular action never needs escaping then they can add |noescape to the pipeline.
    {{.KnownSafeContent | noescape}}
   which will prevent any escaping directives from being added.
This CL defines string type aliases: HTML, CSS, JS, URI, ... It then modifies stringify to unpack the content type. Finally it modifies the escaping functions to use the content type and decline to escape content that does not require it.
There are minor changes to escapeAction and helpers to treat as equivalent explicit escaping directives such as "html" and "urlquery" and the escaping directives defined in the contextual autoescape module and to recognize the special "noescape" directive.
The html escaping functions are rearranged. Instead of having one escaping function used in each {{.}} in
    {{.}} : <textarea title="{{.}}">{{.}}</textarea>
a slightly different escaping function is used for each. When {{.}} binds to a pre-sanitized string of HTML
    `one < <i>two</i> & two < "3"`
we produce something like
    one < <i>two</i> & two < "3" :
    <textarea title="one < two & two < "3"">
      one < <i>two</i> & two < "3"
    </textarea>
Although escaping is not required in <textarea> normally, if the substring </textarea> is injected, then it breaks, so we normalize special characters in RCDATA and do the same to preserve attribute boundaries. We also strip tags since developers never intend typed HTML injected in an attribute to contain tags escaped, but do occasionally confuse pre-escaped HTML with HTML from a tag-whitelister.
R=golang-dev, nigeltao CC=golang-dev https://golang.org/cl/4962067
-
Andrew Gerrand authored
R=r CC=golang-dev https://golang.org/cl/5002041
-
Robert Griesemer authored
- now fulltext index information is saved/restored
- minor updates to appinit.go
R=rsc CC=golang-dev https://golang.org/cl/5024043
-
Robert Griesemer authored
R=rsc CC=golang-dev https://golang.org/cl/5024042
-
Mike Samuel authored
This moots a caveat in the proposed package documentation by rendering useless any template that could not be escaped.
From https://golang.org/cl/4969078/
> If EscapeSet returns an error, do not Execute the set; it is not
> safe against injection.
r: [but isn't the returned set nil? i guess you don't overwrite the
r: original if there's a problem, but i think you're in your rights to
r: do so]
R=r CC=golang-dev https://golang.org/cl/5020043
-
Hector Chu authored
The Windows implementation of the net package churns through a couple of channels for every read/write operation. This translates into a lot of time spent in the kernel creating and deleting event objects. R=rsc, dvyukov, alex.brainman, jp CC=golang-dev https://golang.org/cl/4997044
-
- 14 Sep, 2011 2 commits
-
Ian Lance Taylor authored
Lets test pass when using gccgo. R=golang-dev, rsc CC=golang-dev https://golang.org/cl/5018046
-
David Symonds authored
R=adg, r, edsrzf, rsc, r CC=golang-dev https://golang.org/cl/4962052
-