Skip to content

G
golang
Switch branch/tag
  1. 29 Sep, 2011 3 commits
  3. 28 Sep, 2011 10 commits
    • Mike Samuel's avatar
      exp/template/html: handle custom attrs and HTML5 embedded elements. · f17e3d22
      Mike Samuel authored 
      HTML5 allows embedded SVG and MathML.
Code searches show SVG is used for graphing.

This changes transition to deal with constructs like
   <svg xmlns:xlink="http://www.w3.org/1999/xlink">
It changes attr and clients to call a single function that combines
the name lookup and "on" prefix check to determine an attribute
value type given an attribute name.

That function uses heuristics to recognize that
     xlink:href and svg:href
have URL content, and that data-url is likely contains URL content,
since "javascript:" injection is such a problem.

I did a code search over a closure templates codebase to determine
patterns of custom attribute usage.  I did something like

$ find . -name \*.soy | \
    xargs egrep perl -ne 'while (s/\b((data-|\w+:)\w+)\s*=//) { print "$1\n"; }' | \
    sort | uniq

to produce the list at the bottom.

Filtering that by egrep -i 'src|url|uri' produces

data-docConsumptionUri
data-docIconUrl
data-launchUrl
data-lazySrc
data-pageUrl
data-shareurl
data-suggestServerUrl
data-tweetUrl
g:secondaryurls
g:url

which seem to match all the ones that are likely URL content.
There are some short words that match that heuristic, but I still think it decent since
any custom attribute that has a numeric or enumerated keyword value will be unaffected by
the URL assumption.
Counterexamples from /usr/share/dict:
during, hourly, maturity, nourish, purloin, security, surly

Custom attributes present in existing closure templates codebase:
buzz:aid
data-a
data-action
data-actor
data-allowEqualityOps
data-analyticsId
data-bid
data-c
data-cartId
data-categoryId
data-cid
data-command
data-count
data-country
data-creativeId
data-cssToken
data-dest
data-docAttribution
data-docConsumptionUri
data-docCurrencyCode
data-docIconUrl
data-docId
data-docPrice
data-docPriceMicros
data-docTitle
data-docType
data-docid
data-email
data-entityid
data-errorindex
data-f
data-feature
data-fgid
data-filter
data-fireEvent
data-followable
data-followed
data-hashChange
data-height
data-hover
data-href
data-id
data-index
data-invitable
data-isFree
data-isPurchased
data-jid
data-jumpid
data-launchUrl
data-lazySrc
data-listType
data-maxVisiblePages
data-name
data-nid
data-nodeid
data-numItems
data-numPerPage
data-offerType
data-oid
data-opUsesEquality
data-overflowclass
data-packageName
data-pageId
data-pageUrl
data-pos
data-priceBrief
data-profileIds
data-query
data-rating
data-ref
data-rentalGrantPeriodDays
data-rentalactivePeriodHours
data-reviewId
data-role
data-score
data-shareurl
data-showGeLe
data-showLineInclude
data-size
data-sortval
data-suggestServerType
data-suggestServerUrl
data-suggestionIndex
data-tabBarId
data-tabBarIndex
data-tags
data-target
data-textColor
data-theme
data-title
data-toggletarget
data-tooltip
data-trailerId
data-transactionId
data-transition
data-ts
data-tweetContent
data-tweetUrl
data-type
data-useAjax
data-value
data-width
data-x
dm:index
dm:type
g:aspects
g:decorateusingsecondary
g:em
g:entity
g:groups
g:id
g:istoplevel
g:li
g:numresults
g:oid
g:parentId
g:pl
g:pt
g:rating_override
g:secondaryurls
g:sortby
g:startindex
g:target
g:type
g:url
g:value
ga:barsize
ga:css
ga:expandAfterCharsExceed
ga:initialNumRows
ga:nocancelicon
ga:numRowsToExpandTo
ga:type
ga:unlockwhenrated
gw:address
gw:businessname
gw:comment
gw:phone
gw:source
ng:controller
xlink:href
xml:lang
xmlns:atom
xmlns:dc
xmlns:jstd
xmlns:ng
xmlns:og
xmlns:webstore
xmlns:xlink

R=nigeltao
CC=golang-dev
https://golang.org/cl/5119041
      f17e3d22
    • Mike Samuel's avatar
      exp/template/html: don't normalize '<' in doctypes. · 582bb304
      Mike Samuel authored 
      The normalization that prevents element name and comment injection in
  <{{.}}
by converting it to
  &lt;{{.}}
breaks
  <!DOCTYPE html>

Instead of splitting states to have a start of document state and a text
state, I whitelist <!DOCTYPE.

R=nigeltao
CC=golang-dev
https://golang.org/cl/5131051
      582bb304
    • Russ Cox's avatar
      go: documentation for new command · 9aae6482
      Russ Cox authored 
      *** This is a design review, not a code review. ***
Feel free to reply to the mail instead of picking out
individual lines to comment on in Rietveld.

This command, go, will replace both gomake/make and goinstall.
Make will stick around only for building our C commands
and perhaps package runtime.

In normal use while developing you'd run commands like

        go compile
        go test
        go clean
        go install

which apply to the package in the current directory.

To operate on code written by others, you add an explicit
package path:

        go get gopath.googlecode.com/hg/oauth
        go test gopath.googlecode.com/hg/oauth

The script.txt file is a script showing the output of
the various help commands that the command has.
(Right now, all the command can do is print help messages.)

R=golang-dev, bradfitz, kevlar, r, edsrzf, gri, adg, rogpeppe, r
CC=golang-dev
https://golang.org/cl/5019045
      9aae6482
    • Brad Fitzpatrick's avatar
      strings: add Replacer, NewReplacer · 7b0f3caa
      Brad Fitzpatrick authored 
      This is just a new API to do many replacements at once.

While the point of this API is to be faster than doing replacements one
at a time, the implementation in this CL has the optimizations removed
and may actually be slower.

Future CLs will bring back & add optimizations.

R=r, rsc, rogpeppe
CC=golang-dev
https://golang.org/cl/5081042
      7b0f3caa
    • Brad Fitzpatrick's avatar
      http: don't send a 400 Bad Request after a client shutdown · 58a5f1e8
      Brad Fitzpatrick authored 
      Fixes #2312

R=golang-dev, dsymonds
CC=golang-dev
https://golang.org/cl/5143049
      58a5f1e8
    • Russ Cox's avatar
      json: use strings.EqualFold instead of strings.ToLower. · 32d1e460
      Russ Cox authored 
      R=golang-dev, bradfitz, iant
CC=golang-dev
https://golang.org/cl/5127043
      32d1e460
    • Russ Cox's avatar
      regexp: speedups · 8f699a3f
      Russ Cox authored 
      MatchEasy0_1K        500000        4207 ns/op   243.35 MB/s
MatchEasy0_1K_Old    500000        4625 ns/op   221.40 MB/s
MatchEasy0_1M           500     3948932 ns/op   265.53 MB/s
MatchEasy0_1M_Old       500     3943926 ns/op   265.87 MB/s
MatchEasy0_32K        10000      122974 ns/op   266.46 MB/s
MatchEasy0_32K_Old    10000      123270 ns/op   265.82 MB/s
MatchEasy0_32M           10   127265400 ns/op   263.66 MB/s
MatchEasy0_32M_Old       10   127123500 ns/op   263.95 MB/s
MatchEasy1_1K        500000        5637 ns/op   181.63 MB/s
MatchEasy1_1K_Old     10000      100690 ns/op    10.17 MB/s
MatchEasy1_1M           200     7683150 ns/op   136.48 MB/s
MatchEasy1_1M_Old        10   145774000 ns/op     7.19 MB/s
MatchEasy1_32K        10000      239887 ns/op   136.60 MB/s
MatchEasy1_32K_Old      500     4508182 ns/op     7.27 MB/s
MatchEasy1_32M           10   247103500 ns/op   135.79 MB/s
MatchEasy1_32M_Old        1  4660191000 ns/op     7.20 MB/s
MatchMedium_1K        10000      160567 ns/op     6.38 MB/s
MatchMedium_1K_Old    10000      158367 ns/op     6.47 MB/s
MatchMedium_1M           10   162928000 ns/op     6.44 MB/s
MatchMedium_1M_Old       10   159699200 ns/op     6.57 MB/s
MatchMedium_32K         500     5090758 ns/op     6.44 MB/s
MatchMedium_32K_Old     500     5005800 ns/op     6.55 MB/s
MatchMedium_32M           1  5233973000 ns/op     6.41 MB/s
MatchMedium_32M_Old       1  5109676000 ns/op     6.57 MB/s
MatchHard_1K          10000      249087 ns/op     4.11 MB/s
MatchHard_1K_Old       5000      364569 ns/op     2.81 MB/s
MatchHard_1M              5   256050000 ns/op     4.10 MB/s
MatchHard_1M_Old          5   372446400 ns/op     2.82 MB/s
MatchHard_32K           200     7944525 ns/op     4.12 MB/s
MatchHard_32K_Old       100    11609380 ns/op     2.82 MB/s
MatchHard_32M             1  8144503000 ns/op     4.12 MB/s
MatchHard_32M_Old         1 11885434000 ns/op     2.82 MB/s

R=r, bradfitz
CC=golang-dev
https://golang.org/cl/5134049
      8f699a3f
    • Yasuhiro Matsumoto's avatar
      hgpatch: do not use hg exit status · 76ea456e
      Yasuhiro Matsumoto authored 
      Fixes #2243.

R=rsc
CC=golang-dev
https://golang.org/cl/5146041
      76ea456e
    • Brad Fitzpatrick's avatar
      net: add shutdown: TCPConn.CloseWrite and CloseRead · 394842e2
      Brad Fitzpatrick authored 
      R=golang-dev, rsc, iant
CC=golang-dev
https://golang.org/cl/5136052
      394842e2
    • Mike Samuel's avatar
      exp/template/html: do not escape the RHS of assignments · 260991ad
      Mike Samuel authored 
      In

  {{$x := . | foo}}
  {{$x}}

the first action is a variable assignment that contributes
nothing to the output while the first is a use that needs
to be escaped.

This CL fixes escapeAction to distinguish assignments from
interpolations and to only modify interpolations.

R=nigeltao, r
CC=golang-dev
https://golang.org/cl/5143048
      260991ad
  5. 27 Sep, 2011 8 commits
  7. 26 Sep, 2011 17 commits
  9. 25 Sep, 2011 2 commits