delta/go-git.git/src/html/template, branch dev.debug github.com: golang/go html/template: use the same escaper across multiple template executions 2017-07-14T18:19:04+00:00 Samuel Tan samueltan@google.com 2017-07-05T23:28:41+00:00 a005a8d1b4ab37c1f5fd200fc57d2a67ce87c8ac The escaper contains information about which templates have already been visited and escaped. This information is necessary to prevent templates that have already been escaped from being over-escaped. However, since we currently create a new escaper each time we execute a template, this information does not persist across multiple template executions. Fix this by saving an escaper in each template name space which is shared by all templates in that name space. While there, fix error message formatting for an escaping unit test. Fixes #20842 Change-Id: Ie392c3e7ce0e0a9947bdf56c99e926e7c7db76e4 Reviewed-on: https://go-review.googlesource.com/47256 Reviewed-by: Mike Samuel <mikesamuel@gmail.com> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> 
The escaper contains information about which templates have already been
visited and escaped. This information is necessary to prevent templates
that have already been escaped from being over-escaped. However, since we
currently create a new escaper each time we execute a template, this
information does not persist across multiple template executions.

Fix this by saving an escaper in each template name space which is shared by
all templates in that name space.

While there, fix error message formatting for an escaping unit test.

Fixes #20842

Change-Id: Ie392c3e7ce0e0a9947bdf56c99e926e7c7db76e4
Reviewed-on: https://go-review.googlesource.com/47256
Reviewed-by: Mike Samuel <mikesamuel@gmail.com>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
html/template: only search identifier nodes for predefined escapers 2017-06-14T16:52:22+00:00 Samuel Tan samueltan@google.com 2017-05-11T23:56:14+00:00 882a640421c5ac480d40ae02736c95046fec11aa Predefined escapers (i.e. "html" and "urlquery") should only occur in Identifier nodes, and never in Field or Chain nodes, since these are global functions that return string values (see inline comments for more details). Therefore, skip Chain and Field nodes when searching for predefined escapers in template pipelines. Also, make a non-functional change two existing test cases to avoid giving the impression that it is valid to reference a field of a predefined escaper. Fixes #20323 Change-Id: I34f722f443c778699fcdd575dc3e0fd1fd6f2eb3 Reviewed-on: https://go-review.googlesource.com/43296 Reviewed-by: Samuel Tan <samueltan@google.com> Reviewed-by: Mike Samuel <mikesamuel@gmail.com> Reviewed-by: Russ Cox <rsc@golang.org> Run-TryBot: Russ Cox <rsc@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> 
Predefined escapers (i.e. "html" and "urlquery") should only occur in
Identifier nodes, and never in Field or Chain nodes, since these are
global functions that return string values (see inline comments for more
details). Therefore, skip Chain and Field nodes when searching for
predefined escapers in template pipelines.

Also, make a non-functional change two existing test cases to avoid
giving the impression that it is valid to reference a field of a
predefined escaper.

Fixes #20323

Change-Id: I34f722f443c778699fcdd575dc3e0fd1fd6f2eb3
Reviewed-on: https://go-review.googlesource.com/43296
Reviewed-by: Samuel Tan <samueltan@google.com>
Reviewed-by: Mike Samuel <mikesamuel@gmail.com>
Reviewed-by: Russ Cox <rsc@golang.org>
Run-TryBot: Russ Cox <rsc@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
html/template: allow safe usage of predefined escapers in pipelines 2017-05-05T18:56:31+00:00 Samuel Tan samueltan@google.com 2017-04-17T23:10:54+00:00 3a2fee0389e8459e482e987a98f226a71c2ad5fb Allow the predefined escapers "html", "urlquery", and "js" to be used in pipelines when they have no potential to affect the correctness or safety of the escaped pipeline output. Specifically: - "urlquery" may be used if it is the last command in the pipeline. - "html" may be used if it is the last command in the pipeline, and the pipeline does not occur in an unquoted HTML attribute value context. - "js" may be used in any pipeline, since it does not affect the merging of contextual escapers. This change will loosens the restrictions on predefined escapers introduced in golang.org/cl/37880, which will hopefully ease the upgrade path for existing template users. This change brings back the escaper-merging logic, and associated unit tests, that were removed in golang.org/cl/37880. However, a few notable changes have been made: - "_html_template_nospaceescaper" is no longer considered equivalent to "html", since the former escapes spaces, while the latter does not (see #19345). This change should not silently break any templates, since pipelines where this substituion will happen will already trigger an explicit error. - An "_eval_args_" internal directive has been added to handle pipelines containing a single explicit call to a predefined escaper, e.g. {{html .X}} (see #19353). Also, the HTMLEscape function called by the predefined text/template "html" function now escapes the NULL character as well. This effectively makes it as secure as the internal html/template HTML escapers (see #19345). While this change is backward-incompatible, it will only affect illegitimate uses of this escaper, since the NULL character is always illegal in valid HTML. Fixes #19952 Change-Id: I9b5570a80a3ea284b53901e6a1f842fc59b33d3a Reviewed-on: https://go-review.googlesource.com/40936 Reviewed-by: Russ Cox <rsc@golang.org> Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> 
Allow the predefined escapers "html", "urlquery", and "js" to be used
in pipelines when they have no potential to affect the correctness or
safety of the escaped pipeline output. Specifically:
- "urlquery" may be used if it is the last command in the pipeline.
- "html" may be used if it is the last command in the pipeline, and
  the pipeline does not occur in an unquoted HTML attribute value
  context.
- "js" may be used in any pipeline, since it does not affect the
  merging of contextual escapers.

This change will loosens the restrictions on predefined escapers
introduced in golang.org/cl/37880, which will hopefully ease the
upgrade path for existing template users.

This change brings back the escaper-merging logic, and associated
unit tests, that were removed in golang.org/cl/37880. However, a
few notable changes have been made:
- "_html_template_nospaceescaper" is no longer considered
  equivalent to "html", since the former escapes spaces, while
  the latter does not (see #19345). This change should not silently
  break any templates, since pipelines where this substituion will
  happen will already trigger an explicit error.
- An "_eval_args_" internal directive has been added to
  handle pipelines containing a single explicit call to a
  predefined escaper, e.g. {{html .X}} (see #19353).

Also, the HTMLEscape function called by the predefined
text/template "html" function now escapes the NULL character as
well. This effectively makes it as secure as the internal
html/template HTML escapers (see #19345). While this change is
backward-incompatible, it will only affect illegitimate uses
of this escaper, since the NULL character is always illegal in
valid HTML.

Fixes #19952

Change-Id: I9b5570a80a3ea284b53901e6a1f842fc59b33d3a
Reviewed-on: https://go-review.googlesource.com/40936
Reviewed-by: Russ Cox <rsc@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
template: warn about interleaved nature of writes 2017-05-05T17:58:56+00:00 Dieter Plaetinck dieter@raintank.io 2017-02-10T10:54:58+00:00 1acff5fe61013d4f5b1ed6602654abbbe73b1599 Execute incurs separate writes for each "step", e.g. each variable that needs to be printed, and the final newline. While it is correct to state that templates can be executed concurrently, there is a more subtle nuance that is easily missed: when writing to the same writer, the writes from concurrent execute calls can be interleaved, leading to unexpected output. Change-Id: I0abbd7960d8a8d15e109a8a3eeff3b43b852bbbf Reviewed-on: https://go-review.googlesource.com/37444 Reviewed-by: Rob Pike <r@golang.org> 
Execute incurs separate writes for each "step", e.g. each
variable that needs to be printed, and the final newline.
While it is correct to state that templates can be executed
concurrently, there is a more subtle nuance that is easily missed:
when writing to the same writer, the writes from concurrent execute
calls can be interleaved, leading to unexpected output.

Change-Id: I0abbd7960d8a8d15e109a8a3eeff3b43b852bbbf
Reviewed-on: https://go-review.googlesource.com/37444
Reviewed-by: Rob Pike <r@golang.org>
html/template: use bytes.ContainsAny 2017-04-25T23:36:25+00:00 Daniel Martí mvdan@mvdan.cc 2017-04-25T11:57:33+00:00 6049b1741d47b94a9c80dab7fc165d1eea5429bd It was added in Go 1.7. Also gofmt while at it. Change-Id: Idb65fb44e2f2a4365dceea3f833aeb51a8d12333 Reviewed-on: https://go-review.googlesource.com/41692 Run-TryBot: Daniel Martí <mvdan@mvdan.cc> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> 
It was added in Go 1.7. Also gofmt while at it.

Change-Id: Idb65fb44e2f2a4365dceea3f833aeb51a8d12333
Reviewed-on: https://go-review.googlesource.com/41692
Run-TryBot: Daniel Martí <mvdan@mvdan.cc>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
html/template: ignore case when handling type attribute in script element 2017-04-20T18:53:09+00:00 Samuel Tan samueltan@google.com 2017-04-13T17:57:04+00:00 f3f3f0d6d509bfaf30b55c0679cff366b50b7eae Convert the parsed attribute name to lowercase before checking its value in the HTML parser state machine. This ensures that the type attribute in the script element is handled in a case-sensitive manner, just like all other attribute names. Fixes #19965 Change-Id: I806d8c62aada2c3b5b4328aff75f217ea60cb339 Reviewed-on: https://go-review.googlesource.com/40650 Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Russ Cox <rsc@golang.org> 
Convert the parsed attribute name to lowercase before checking its value in
the HTML parser state machine. This ensures that the type attribute in
the script element is handled in a case-sensitive manner, just like all
other attribute names.

Fixes #19965

Change-Id: I806d8c62aada2c3b5b4328aff75f217ea60cb339
Reviewed-on: https://go-review.googlesource.com/40650
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Russ Cox <rsc@golang.org>
html/template: ensure that MIME type handling is case insensitive 2017-04-20T18:11:25+00:00 Samuel Tan samueltan@google.com 2017-04-14T16:50:00+00:00 4646a330905d8195e2664e6142832ad118f7bb03 Handle MIME types found in the type attribute of the script element in a case insensitive way, as per Section 5.1 of RFC 2045. Fixes #19968 Change-Id: Ie1416178c937dcf2c96bcec4191cebe7c3477af8 Reviewed-on: https://go-review.googlesource.com/40702 Reviewed-by: Russ Cox <rsc@golang.org> Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> 
Handle MIME types found in the type attribute of the script element
in a case insensitive way, as per Section 5.1 of RFC 2045.

Fixes #19968

Change-Id: Ie1416178c937dcf2c96bcec4191cebe7c3477af8
Reviewed-on: https://go-review.googlesource.com/40702
Reviewed-by: Russ Cox <rsc@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
html/template: panic if predefined escapers are found in pipelines during rewriting 2017-04-10T15:08:47+00:00 Samuel Tan samueltan@google.com 2017-04-05T01:26:21+00:00 9ffd9339da503b50571ec6806e5d6d2cf5d5912a Report an error if a predefined escaper (i.e. "html", "urlquery", or "js") is found in a pipeline that will be rewritten by the contextual auto-escaper, instead of trying to merge the escaper-inserted escaping directives with these predefined escapers. This merging behavior is a source of several security and correctness bugs (eee #19336, #19345, #19352, and #19353.) This merging logic was originally intended to ease migration of text/template templates with user-defined escapers to html/template. Now that migration is no longer an issue, this logic can be safely removed. NOTE: this is a backward-incompatible change that fixes known security bugs (see linked issues for more details). It will explicitly break users that attempt to execute templates with pipelines containing predefined escapers. Fixes #19336, #19345, #19352, #19353 Change-Id: I46b0ca8a2809d179c13c0d4f42b63126ed1c3b49 Reviewed-on: https://go-review.googlesource.com/37880 Run-TryBot: Russ Cox <rsc@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Russ Cox <rsc@golang.org> 
Report an error if a predefined escaper (i.e. "html", "urlquery", or "js")
is found in a pipeline that will be rewritten by the contextual auto-escaper,
instead of trying to merge the escaper-inserted escaping directives
with these predefined escapers. This merging behavior is a source
of several security and correctness bugs (eee #19336, #19345, #19352,
and #19353.)

This merging logic was originally intended to ease migration of text/template
templates with user-defined escapers to html/template. Now that
migration is no longer an issue, this logic can be safely removed.

NOTE: this is a backward-incompatible change that fixes known security
bugs (see linked issues for more details). It will explicitly break users
that attempt to execute templates with pipelines containing predefined
escapers.

Fixes #19336, #19345, #19352, #19353

Change-Id: I46b0ca8a2809d179c13c0d4f42b63126ed1c3b49
Reviewed-on: https://go-review.googlesource.com/37880
Run-TryBot: Russ Cox <rsc@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Russ Cox <rsc@golang.org>
text/template,html/template: state that Funcs must happen before parsing 2017-03-21T04:07:35+00:00 Rob Pike r@golang.org 2017-03-21T03:18:02+00:00 5c5a10690e56bf127832b98d73c83720e0093eef Any method that affects the parse must happen before parsing. This obvious point is clear, but it's not clear to some that the set of defined functions affect the parse. Fixes #18971 Change-Id: I8b7f8c8cf85b028c18e5ca3b9797de92ea910669 Reviewed-on: https://go-review.googlesource.com/38413 Reviewed-by: Ian Lance Taylor <iant@golang.org> 
Any method that affects the parse must happen before parsing.
This obvious point is clear, but it's not clear to some that the
set of defined functions affect the parse.

Fixes #18971

Change-Id: I8b7f8c8cf85b028c18e5ca3b9797de92ea910669
Reviewed-on: https://go-review.googlesource.com/38413
Reviewed-by: Ian Lance Taylor <iant@golang.org>
encoding/base64, html/template: fix grammar mistakes 2017-03-07T17:42:45+00:00 Kevin Burke kev@inburke.com 2017-03-07T17:03:40+00:00 c5cdda401e483a3a4dae7cc61eb78521ab953b04 Replace 'does not contains' with 'does not contain' where it appears in the source code. Change-Id: Ie7266347c429512c8a41a7e19142afca7ead3922 Reviewed-on: https://go-review.googlesource.com/37887 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> 
Replace 'does not contains' with 'does not contain' where it appears
in the source code.

Change-Id: Ie7266347c429512c8a41a7e19142afca7ead3922
Reviewed-on: https://go-review.googlesource.com/37887
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>