delta/go-git.git/src/html/template/js.go, branch dev.inline github.com: golang/go html/template: escape JS in application/json script tag 2016-12-04T02:33:58+00:00 Nodir Turakulov nodir@google.com 2016-12-03T19:37:05+00:00 37dbc7b49cbc9934c8dde54b65e5f417ce3faae9 Since ffd1c781b77aab542713b66ef387fa9307e4060b HTML templates check MIME type in the "type" attribute of "script" tag to decide if contents should be escaped as JavaScript. The whitelist of MIME types did not include application/json. Include it in this CL. Fixes #18159 Change-Id: I17a8a38f2b7789b4b7e941d14279de222eaf2b6a Reviewed-on: https://go-review.googlesource.com/33899 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> 
Since ffd1c781b77aab542713b66ef387fa9307e4060b HTML templates check
MIME type in the "type" attribute of "script" tag to decide if contents
should be escaped as JavaScript. The whitelist of MIME types did not
include application/json. Include it in this CL.

Fixes #18159

Change-Id: I17a8a38f2b7789b4b7e941d14279de222eaf2b6a
Reviewed-on: https://go-review.googlesource.com/33899
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
all: spell "marshal" and "unmarshal" consistently 2016-11-12T00:13:35+00:00 Dmitri Shuralyov shurcooL@gmail.com 2016-11-09T22:49:12+00:00 d8264de8683dac99ffbbbc1f46415e627b73c9ed The tree is inconsistent about single l vs double l in those words in documentation, test messages, and one error value text. $ git grep -E '[Mm]arshall(|s|er|ers|ed|ing)' | wc -l 42 $ git grep -E '[Mm]arshal(|s|er|ers|ed|ing)' | wc -l 1694 Make it consistently a single l, per earlier decisions. This means contributors won't be confused by misleading precedence, and it helps consistency. Change the spelling in one error value text in newRawAttributes of crypto/x509 package to be consistent. This change was generated with: perl -i -npe 's,([Mm]arshal)l(|s|er|ers|ed|ing),$1$2,' $(git grep -l -E '[Mm]arshall' | grep -v AUTHORS | grep -v CONTRIBUTORS) Updates #12431. Follows https://golang.org/cl/14150. Change-Id: I85d28a2d7692862ccb02d6a09f5d18538b6049a2 Reviewed-on: https://go-review.googlesource.com/33017 Run-TryBot: Minux Ma <minux@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> 
The tree is inconsistent about single l vs double l in those
words in documentation, test messages, and one error value text.

	$ git grep -E '[Mm]arshall(|s|er|ers|ed|ing)' | wc -l
	      42
	$ git grep -E '[Mm]arshal(|s|er|ers|ed|ing)' | wc -l
	    1694

Make it consistently a single l, per earlier decisions. This means
contributors won't be confused by misleading precedence, and it helps
consistency.

Change the spelling in one error value text in newRawAttributes of
crypto/x509 package to be consistent.

This change was generated with:

	perl -i -npe 's,([Mm]arshal)l(|s|er|ers|ed|ing),$1$2,' $(git grep -l -E '[Mm]arshall' | grep -v AUTHORS | grep -v CONTRIBUTORS)

Updates #12431.
Follows https://golang.org/cl/14150.

Change-Id: I85d28a2d7692862ccb02d6a09f5d18538b6049a2
Reviewed-on: https://go-review.googlesource.com/33017
Run-TryBot: Minux Ma <minux@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
html/template: check "type" attribute in <script> 2016-09-29T20:12:31+00:00 Nodir Turakulov nodir@google.com 2015-09-05T13:38:13+00:00 ffd1c781b77aab542713b66ef387fa9307e4060b Currently any script tag is treated as a javascript container, although <script type="text/template"> must not be. Check "type" attribute of "script" tag. If it is present and it is not a JS MIME type, do not transition to elementScript state. Fixes #12149, where // inside text template was treated as regexp. Fixes #6701 Change-Id: I8fc9e504f7280bdd800f40383c061853665ac8a2 Reviewed-on: https://go-review.googlesource.com/14336 Run-TryBot: Russ Cox <rsc@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Russ Cox <rsc@golang.org> 
Currently any script tag is treated as a javascript container, although
<script type="text/template"> must not be. Check "type" attribute of
"script" tag. If it is present and it is not a JS MIME type, do not
transition to elementScript state.

Fixes #12149, where // inside text template was treated as regexp.
Fixes #6701

Change-Id: I8fc9e504f7280bdd800f40383c061853665ac8a2
Reviewed-on: https://go-review.googlesource.com/14336
Run-TryBot: Russ Cox <rsc@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Russ Cox <rsc@golang.org>
html/template: fix string iteration in replacement operations 2015-05-19T22:45:50+00:00 Didier Spezia didier.06@gmail.com 2015-05-14T22:36:59+00:00 a1c1a763bc7c8d10ec30a7fa60ecf7d5f9a6f1c8 In css, js, and html, the replacement operations are implemented by iterating on strings (rune by rune). The for/range statement is used. The length of the rune is required and added to the index to properly slice the string. This is potentially wrong because there is a discrepancy between the result of utf8.RuneLen and the increment of the index (set by the for/range statement). For invalid strings, utf8.RuneLen('\ufffd') == 3, while the index is incremented only by 1 byte. htmlReplacer triggers a panic at slicing time for some invalid strings. Use a more robust iteration mechanism based on utf8.DecodeRuneInString, and make sure the same pattern is used for all similar functions in this package. Fixes #10799 Change-Id: Ibad3857b2819435d9fa564f06fc2ca8774102841 Reviewed-on: https://go-review.googlesource.com/10105 Reviewed-by: Rob Pike <r@golang.org> 
In css, js, and html, the replacement operations are implemented
by iterating on strings (rune by rune). The for/range
statement is used. The length of the rune is required
and added to the index to properly slice the string.

This is potentially wrong because there is a discrepancy between
the result of utf8.RuneLen and the increment of the index
(set by the for/range statement). For invalid strings,
utf8.RuneLen('\ufffd') == 3, while the index is incremented
only by 1 byte.

htmlReplacer triggers a panic at slicing time for some
invalid strings.

Use a more robust iteration mechanism based on
utf8.DecodeRuneInString, and make sure the same
pattern is used for all similar functions in this
package.

Fixes #10799

Change-Id: Ibad3857b2819435d9fa564f06fc2ca8774102841
Reviewed-on: https://go-review.googlesource.com/10105
Reviewed-by: Rob Pike <r@golang.org>
build: move package sources from src/pkg to src 2014-09-08T04:08:51+00:00 Russ Cox rsc@golang.org 2014-09-08T04:08:51+00:00 c007ce824d9a4fccb148f9204e04c23ed2984b71 Preparation was in CL 134570043. This CL contains only the effect of 'hg mv src/pkg/* src'. For more about the move, see golang.org/s/go14nopkg. 
Preparation was in CL 134570043.
This CL contains only the effect of 'hg mv src/pkg/* src'.
For more about the move, see golang.org/s/go14nopkg.