exp/template/html: error out on ambiguous unquoted attributes

HTML parsers may differ on whether <input id= onchange=f( ends in id's or onchange's value, <a class=`foo ends inside a value, <input style=font:'Arial' needs open-quote fixup. Per http://www.w3.org/TR/html5/tokenization.html#attribute-value-unquoted-state this treats the error cases in 8.2.4.40 Attribute value (unquoted) state as fatal errors. \> U+0022 QUOTATION MARK (") \> U+0027 APOSTROPHE (') \> U+003C LESS-THAN SIGN (<) \> U+003D EQUALS SIGN (=) \> U+0060 GRAVE ACCENT (`) Parse error. Treat it as per the "anything else" entry below. and emits ErrBadHTML. R=nigeltao CC=golang-dev https://golang.org/cl/5085050

exp/template/html: error out on ambiguous unquoted attributes
HTML parsers may differ on whether <input id= onchange=f( ends in id's or onchange's value, <a class=`foo ends inside a value, <input style=font:'Arial' needs open-quote fixup. Per http://www.w3.org/TR/html5/tokenization.html#attribute-value-unquoted-state this treats the error cases in 8.2.4.40 Attribute value (unquoted) state as fatal errors. \> U+0022 QUOTATION MARK (") \> U+0027 APOSTROPHE (') \> U+003C LESS-THAN SIGN (<) \> U+003D EQUALS SIGN (=) \> U+0060 GRAVE ACCENT (`) Parse error. Treat it as per the "anything else" entry below. and emits ErrBadHTML. R=nigeltao CC=golang-dev https://golang.org/cl/5085050
66cdd020 · Mike Samuel · b3d8e6d7 · 66cdd020 · 66cdd020
Commit 66cdd020 authored Sep 26, 2011 by Mike Samuel
Hide whitespace changes
Inline Side-by-side

Showing with 38 additions and 0 deletions

escape.go src/pkg/exp/template/html/escape.go +18 -0

escape_test.go src/pkg/exp/template/html/escape_test.go +20 -0

No files found.
--- a/src/pkg/exp/template/html/escape.go
+++ b/src/pkg/exp/template/html/escape.go
@@ -626,6 +626,24 @@ func contextAfterText(c context, s []byte) (context, int) {

 	i := bytes.IndexAny(s, delimEnds[c.delim])
 	if i == -1 {
+		i = len(s)
+	}
+	if c.delim == delimSpaceOrTagEnd {
+		// http://www.w3.org/TR/html5/tokenization.html#attribute-value-unquoted-state
+		// lists the runes below as error characters.
+		// Error out because HTML parsers may differ on whether
+		// "<a id= onclick=f("     ends inside id's or onchange's value,
+		// "<a class=`foo "        ends inside a value,
+		// "<a style=font:'Arial'" needs open-quote fixup.
+		// IE treats '`' as a quotation character.
+		if j := bytes.IndexAny(s[:i], "\"'<=`"); j >= 0 {
+			return context{
+				state: stateError,
+				err:   errorf(ErrBadHTML, 0, "%q in unquoted attr: %q", s[j:j+1], s[:i]),
+			}, len(s)
+		}
+	}
+	if i == len(s) {
 		// Remain inside the attribute.
 		// Decode the value so non-HTML rules can easily handle
 		//     <button onclick="alert(&quot;Hi!&quot;)">

--- a/src/pkg/exp/template/html/escape_test.go
+++ b/src/pkg/exp/template/html/escape_test.go
@@ -884,6 +884,26 @@ func TestErrors(t *testing.T) {
 				`{{define "t"}}{{if .Tail}}{{template "t" .Tail}}{{end}}{{.Head}}",{{end}}`,
 			`: cannot compute output context for template t$htmltemplate_stateJS_elementScript`,
 		},
+		{
+			`<input type=button value=onclick=>`,
+			`exp/template/html:z: "=" in unquoted attr: "onclick="`,
+		},
+		{
+			`<input type=button value= onclick=>`,
+			`exp/template/html:z: "=" in unquoted attr: "onclick="`,
+		},
+		{
+			`<input type=button value= 1+1=2>`,
+			`exp/template/html:z: "=" in unquoted attr: "1+1=2"`,
+		},
+		{
+			"<a class=`foo>",
+			"exp/template/html:z: \"`\" in unquoted attr: \"`foo\"",
+		},
+		{
+			`<a style=font:'Arial'>`,
+			`exp/template/html:z: "'" in unquoted attr: "font:'Arial'"`,
+		},
 	}

 	for _, test := range tests {