    exp/template/html: handle custom attrs and HTML5 embedded elements. · f17e3d22
    Mike Samuel authored
    HTML5 allows embedded SVG and MathML.
    Code searches show SVG is used for graphing.
    
    This changes transition to deal with constructs like
       <svg xmlns:xlink="http://www.w3.org/1999/xlink">
    It changes attr and clients to call a single function that combines
    the name lookup and "on" prefix check to determine an attribute
    value type given an attribute name.
    
    That function uses heuristics to recognize that
         xlink:href and svg:href
    have URL content, and that data-url likely contains URL content,
    since "javascript:" injection is such a problem.
    
    I did a code search over a closure templates codebase to determine
    patterns of custom attribute usage.  I did something like
    
    $ find . -name \*.soy | \
        xargs perl -ne 'while (s/\b((data-|\w+:)\w+)\s*=//) { print "$1\n"; }' | \
        sort | uniq
    
    to produce the list at the bottom.
    
    Filtering that by egrep -i 'src|url|uri' produces
    
    data-docConsumptionUri
    data-docIconUrl
    data-launchUrl
    data-lazySrc
    data-pageUrl
    data-shareurl
    data-suggestServerUrl
    data-tweetUrl
    g:secondaryurls
    g:url
    
    which seem to match all the ones that are likely URL content.
    There are some short words that match that heuristic, but I still think it decent since
    any custom attribute that has a numeric or enumerated keyword value will be unaffected by
    the URL assumption.
    Counterexamples from /usr/share/dict:
    during, hourly, maturity, nourish, purloin, security, surly
    
    Custom attributes present in existing closure templates codebase:
    buzz:aid
    data-a
    data-action
    data-actor
    data-allowEqualityOps
    data-analyticsId
    data-bid
    data-c
    data-cartId
    data-categoryId
    data-cid
    data-command
    data-count
    data-country
    data-creativeId
    data-cssToken
    data-dest
    data-docAttribution
    data-docConsumptionUri
    data-docCurrencyCode
    data-docIconUrl
    data-docId
    data-docPrice
    data-docPriceMicros
    data-docTitle
    data-docType
    data-docid
    data-email
    data-entityid
    data-errorindex
    data-f
    data-feature
    data-fgid
    data-filter
    data-fireEvent
    data-followable
    data-followed
    data-hashChange
    data-height
    data-hover
    data-href
    data-id
    data-index
    data-invitable
    data-isFree
    data-isPurchased
    data-jid
    data-jumpid
    data-launchUrl
    data-lazySrc
    data-listType
    data-maxVisiblePages
    data-name
    data-nid
    data-nodeid
    data-numItems
    data-numPerPage
    data-offerType
    data-oid
    data-opUsesEquality
    data-overflowclass
    data-packageName
    data-pageId
    data-pageUrl
    data-pos
    data-priceBrief
    data-profileIds
    data-query
    data-rating
    data-ref
    data-rentalGrantPeriodDays
    data-rentalactivePeriodHours
    data-reviewId
    data-role
    data-score
    data-shareurl
    data-showGeLe
    data-showLineInclude
    data-size
    data-sortval
    data-suggestServerType
    data-suggestServerUrl
    data-suggestionIndex
    data-tabBarId
    data-tabBarIndex
    data-tags
    data-target
    data-textColor
    data-theme
    data-title
    data-toggletarget
    data-tooltip
    data-trailerId
    data-transactionId
    data-transition
    data-ts
    data-tweetContent
    data-tweetUrl
    data-type
    data-useAjax
    data-value
    data-width
    data-x
    dm:index
    dm:type
    g:aspects
    g:decorateusingsecondary
    g:em
    g:entity
    g:groups
    g:id
    g:istoplevel
    g:li
    g:numresults
    g:oid
    g:parentId
    g:pl
    g:pt
    g:rating_override
    g:secondaryurls
    g:sortby
    g:startindex
    g:target
    g:type
    g:url
    g:value
    ga:barsize
    ga:css
    ga:expandAfterCharsExceed
    ga:initialNumRows
    ga:nocancelicon
    ga:numRowsToExpandTo
    ga:type
    ga:unlockwhenrated
    gw:address
    gw:businessname
    gw:comment
    gw:phone
    gw:source
    ng:controller
    xlink:href
    xml:lang
    xmlns:atom
    xmlns:dc
    xmlns:jstd
    xmlns:ng
    xmlns:og
    xmlns:webstore
    xmlns:xlink
    
    R=nigeltao
    CC=golang-dev
    https://golang.org/cl/5119041
    f17e3d22
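
The heuristics described in the commit message above, sketched as an added example; this is not the code from the commit. The names AttrKind, known and AttrType are hypothetical, and the lookup table is a small constructed stand-in.

```go
package main

import (
	"fmt"
	"strings"
)

// AttrKind is a hypothetical label for how an attribute value must be escaped.
type AttrKind int

const (
	Plain AttrKind = iota
	URL
	Script
)

// known is a small constructed stand-in for a table of standard attributes.
var known = map[string]AttrKind{"href": URL, "src": URL, "id": Plain, "title": Plain}

// AttrType combines the table lookup, the "on" prefix check and the
// src/url/uri heuristic into a single decision for one attribute name.
func AttrType(name string) AttrKind {
	name = strings.ToLower(name)
	if strings.HasPrefix(name, "data-") {
		name = name[len("data-"):] // data-pageUrl is judged as "pageurl"
	} else if i := strings.IndexByte(name, ':'); i >= 0 {
		name = name[i+1:] // xlink:href and svg:href are judged as "href"
	}
	if kind, ok := known[name]; ok {
		return kind
	}
	if strings.HasPrefix(name, "on") {
		return Script // event handler attributes hold JavaScript
	}
	for _, hint := range []string{"src", "url", "uri"} {
		if strings.Contains(name, hint) {
			return URL // assume URL so "javascript:" values get filtered
		}
	}
	return Plain
}

func main() {
	// "data-security" is a false positive of the kind the message lists.
	for _, n := range []string{"xlink:href", "data-lazySrc", "g:url", "onclick", "data-count", "data-security"} {
		fmt.Printf("%-14s %d\n", n, AttrType(n))
	}
}
```

A false positive such as data-security only causes the value to be handled as a URL, which leaves numeric and keyword values unchanged.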
transition.go 14.2 KB