• Mike Samuel's avatar
    exp/template/html: pre-sanitized content · ce008f8c
    Mike Samuel authored
    Not all content is plain text.  Sometimes content comes from a trusted
    source, such as another template invocation, an HTML tag whitelister,
    etc.
    
    Template authors can deal with over-escaping in two ways.
    
    1) They can encapsulate known-safe content via
       type HTML, type CSS, type URL, and friends in content.go.
    2) If they know that the for a particular action never needs escaping
       then they can add |noescape to the pipeline.
       {{.KnownSafeContent | noescape}}
       which will prevent any escaping directives from being added.
    
    This CL defines string type aliases: HTML, CSS, JS, URI, ...
    It then modifies stringify to unpack the content type.
    Finally it modifies the escaping functions to use the content type and
    decline to escape content that does not require it.
    
    There are minor changes to escapeAction and helpers to treat as
    equivalent explicit escaping directives such as "html" and "urlquery"
    and the escaping directives defined in the contextual autoescape module
    and to recognize the special "noescape" directive.
    
    The html escaping functions are rearranged.  Instead of having one
    escaping function used in each {{.}} in
    
        {{.}} : <textarea title="{{.}}">{{.}}</textarea>
    
    a slightly different escaping function is used for each.
    When {{.}} binds to a pre-sanitized string of HTML
    
        `one < <i>two</i> &amp; two < "3"`
    
    we produces something like
    
         one < <i>two</i> &amp; two < "3" :
         <textarea title="one &lt; two &amp; two &lt; &#34;3&#34;">
           one &lt; &lt;i&gt;two&lt;/i&gt; &amp; two &lt; "3"
         </textarea>
    
    Although escaping is not required in <textarea> normally, if the
    substring </textarea> is injected, then it breaks, so we normalize
    special characters in RCDATA and do the same to preserve attribute
    boundaries.  We also strip tags since developers never intend
    typed HTML injected in an attribute to contain tags escaped, but
    do occasionally confuse pre-escaped HTML with HTML from a
    tag-whitelister.
    
    R=golang-dev, nigeltao
    CC=golang-dev
    https://golang.org/cl/4962067
    ce008f8c
Name
Last commit
Last update
..
datafmt Loading commit data...
gui Loading commit data...
norm Loading commit data...
regexp Loading commit data...
template/html Loading commit data...
wingui Loading commit data...
README Loading commit data...