    html/template: panic if predefined escapers are found in pipelines during rewriting · 9ffd9339
    Samuel Tan authored
    Report an error if a predefined escaper (i.e. "html", "urlquery", or "js")
    is found in a pipeline that will be rewritten by the contextual auto-escaper,
    instead of trying to merge the escaper-inserted escaping directives
    with these predefined escapers. This merging behavior is a source
    of several security and correctness bugs (see #19336, #19345, #19352,
    and #19353).
    
    This merging logic was originally intended to ease migration of text/template
    templates with user-defined escapers to html/template. Now that
    migration is no longer an issue, this logic can be safely removed.
    
    NOTE: this is a backward-incompatible change that fixes known security
    bugs (see linked issues for more details). It will explicitly break users
    that attempt to execute templates with pipelines containing predefined
    escapers.
    
    Fixes #19336, #19345, #19352, #19353
    
    Change-Id: I46b0ca8a2809d179c13c0d4f42b63126ed1c3b49
    Reviewed-on: https://go-review.googlesource.com/37880
    Run-TryBot: Russ Cox <rsc@golang.org>
    TryBot-Result: Gobot Gobot <gobot@golang.org>
    Reviewed-by: Russ Cox <rsc@golang.org>
escape_test.go 43.5 KB
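Added example, not code from this commit or from the Go project's own test files: a small program showing how html/template treats predefined escapers in pipelines after this change. It exercises the rule as shipped in Go 1.9 and later, which is narrower than the blanket rejection the commit message describes: "html" and "urlquery" are rejected when they are not the last command in a pipeline, and "html" is also rejected in an unquoted attribute value, while a pipeline without a predefined escaper is escaped contextually by the package. The templates and the data value are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
)

// render parses src with html/template and executes it against data.
// Contextual escaping is applied on the first Execute, so a template that
// misuses a predefined escaper parses fine and only fails here.
func render(src string, data interface{}) (string, error) {
	t, err := template.New("t").Parse(src)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// Constructed sample templates. The first two put a predefined escaper into
// a pipeline the auto-escaper rewrites (escaper not last; "html" inside an
// unquoted attribute); the third leaves escaping to the package entirely.
const (
	escaperMidPipeline  = `<p>{{.X | html | printf "%s"}}</p>`
	escaperUnquotedAttr = `<div class={{.X | html}}>`
	autoEscaped         = `<p>{{.X | printf "%s"}}</p>`
)

func main() {
	data := map[string]string{"X": "<b>"} // constructed untrusted input
	for _, src := range []string{escaperMidPipeline, escaperUnquotedAttr, autoEscaped} {
		out, err := render(src, data)
		if err != nil {
			fmt.Printf("%-40s -> rejected: %v\n", src, err)
			continue
		}
		fmt.Printf("%-40s -> %s\n", src, out)
	}
}
```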