delta/go-git.git/src/html/template, branch dev.link github.com: golang/go encoding/json: add "json: " prefix to SyntaxError messages 2020-10-21T18:50:01+00:00 Kevin Burke kev@inburke.com 2020-10-19T20:29:40+00:00 6af088bfc66c13143c9ef46b4cf0805df77a8fbe The other named errors - UnmarshalTypeError, etc - in this package do the same, so we should prepend the package prefix to error messages for consistency. Add a note to the release docs in case this is interpreted as a breaking change. Fixes #36221. Change-Id: Ie24b532bbf9812e108c259fa377e2a6b64319ed4 Reviewed-on: https://go-review.googlesource.com/c/go/+/263619 Run-TryBot: Kevin Burke <kev@inburke.com> TryBot-Result: Go Bot <gobot@golang.org> Trust: Kevin Burke <kev@inburke.com> Trust: Daniel Martí <mvdan@mvdan.cc> Reviewed-by: Daniel Martí <mvdan@mvdan.cc> 
The other named errors - UnmarshalTypeError, etc - in this package do
the same, so we should prepend the package prefix to error messages
for consistency.

Add a note to the release docs in case this is interpreted as
a breaking change.

Fixes #36221.

Change-Id: Ie24b532bbf9812e108c259fa377e2a6b64319ed4
Reviewed-on: https://go-review.googlesource.com/c/go/+/263619
Run-TryBot: Kevin Burke <kev@inburke.com>
TryBot-Result: Go Bot <gobot@golang.org>
Trust: Kevin Burke <kev@inburke.com>
Trust: Daniel Martí <mvdan@mvdan.cc>
Reviewed-by: Daniel Martí <mvdan@mvdan.cc>
all: update references to symbols moved from io/ioutil to io 2020-10-20T18:41:18+00:00 Russ Cox rsc@golang.org 2020-10-16T04:49:02+00:00 1b09d430678d4a6f73b2443463d11f75851aba8a The old ioutil references are still valid, but update our code to reflect best practices and get used to the new locations. Code compiled with the bootstrap toolchain (cmd/asm, cmd/dist, cmd/compile, debug/elf) must remain Go 1.4-compatible and is excluded. Also excluded vendored code. For #41190. Change-Id: I6d86f2bf7bc37a9d904b6cee3fe0c7af6d94d5b1 Reviewed-on: https://go-review.googlesource.com/c/go/+/263142 Trust: Russ Cox <rsc@golang.org> Run-TryBot: Russ Cox <rsc@golang.org> TryBot-Result: Go Bot <gobot@golang.org> Reviewed-by: Emmanuel Odeke <emm.odeke@gmail.com> 
The old ioutil references are still valid, but update our code
to reflect best practices and get used to the new locations.

Code compiled with the bootstrap toolchain
(cmd/asm, cmd/dist, cmd/compile, debug/elf)
must remain Go 1.4-compatible and is excluded.
Also excluded vendored code.

For #41190.

Change-Id: I6d86f2bf7bc37a9d904b6cee3fe0c7af6d94d5b1
Reviewed-on: https://go-review.googlesource.com/c/go/+/263142
Trust: Russ Cox <rsc@golang.org>
Run-TryBot: Russ Cox <rsc@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Emmanuel Odeke <emm.odeke@gmail.com>
html/template, text/template: add ParseFS 2020-10-20T18:41:14+00:00 Russ Cox rsc@golang.org 2020-07-06T15:28:52+00:00 2a9aa4dcac0c33f7fffefb94a1bc92a17fd7cfd3 Now templates can be parsed not just from operating system files but from arbitrary file systems, including zip files. For #41190. Change-Id: I2172001388ddb1f13defa6c5e644e8ec8703ee80 Reviewed-on: https://go-review.googlesource.com/c/go/+/243938 Trust: Russ Cox <rsc@golang.org> Run-TryBot: Russ Cox <rsc@golang.org> TryBot-Result: Go Bot <gobot@golang.org> Reviewed-by: Rob Pike <r@golang.org> 
Now templates can be parsed not just from operating system files
but from arbitrary file systems, including zip files.

For #41190.

Change-Id: I2172001388ddb1f13defa6c5e644e8ec8703ee80
Reviewed-on: https://go-review.googlesource.com/c/go/+/243938
Trust: Russ Cox <rsc@golang.org>
Run-TryBot: Russ Cox <rsc@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Rob Pike <r@golang.org>
text/template: allow newlines inside action delimiters 2020-10-12T16:30:36+00:00 Russ Cox rsc@golang.org 2020-09-10T22:53:26+00:00 9384d34c58099657bb1b133beaf3ff37ada9b017 This allows multiline constructs like: {{"hello" | printf}} Now that unclosed actions can span multiple lines, track and report the start of the action when reporting errors. Also clean up a few "unexpected <error message>" to be just "<error message>". Fixes #29770. Change-Id: I54c6c016029a8328b7902a4b6d85eab713ec3285 Reviewed-on: https://go-review.googlesource.com/c/go/+/254257 Trust: Russ Cox <rsc@golang.org> Run-TryBot: Russ Cox <rsc@golang.org> TryBot-Result: Go Bot <gobot@golang.org> Reviewed-by: Rob Pike <r@golang.org> 
This allows multiline constructs like:

	{{"hello" |
	  printf}}

Now that unclosed actions can span multiple lines,
track and report the start of the action when reporting errors.

Also clean up a few "unexpected <error message>" to be just "<error message>".

Fixes #29770.

Change-Id: I54c6c016029a8328b7902a4b6d85eab713ec3285
Reviewed-on: https://go-review.googlesource.com/c/go/+/254257
Trust: Russ Cox <rsc@golang.org>
Run-TryBot: Russ Cox <rsc@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Rob Pike <r@golang.org>
text/template: add CommentNode to template parse tree 2020-08-28T21:45:12+00:00 Ariel Mashraki ariel@mashraki.co.il 2020-04-22T19:17:56+00:00 c8ea03828b0645b1fd5725888e44873b75fcfbb6 Fixes #34652 Change-Id: Icf6e3eda593fed826736f34f95a9d66f5450cc98 Reviewed-on: https://go-review.googlesource.com/c/go/+/229398 Reviewed-by: Daniel Martí <mvdan@mvdan.cc> Run-TryBot: Daniel Martí <mvdan@mvdan.cc> TryBot-Result: Gobot Gobot <gobot@golang.org> 
Fixes #34652

Change-Id: Icf6e3eda593fed826736f34f95a9d66f5450cc98
Reviewed-on: https://go-review.googlesource.com/c/go/+/229398
Reviewed-by: Daniel Martí <mvdan@mvdan.cc>
Run-TryBot: Daniel Martí <mvdan@mvdan.cc>
TryBot-Result: Gobot Gobot <gobot@golang.org>
html/template: add tests from text/template 2020-07-14T16:54:25+00:00 Russ Cox rsc@golang.org 2020-07-06T16:27:01+00:00 efbe47b1625422f21bb2f130f916ce040756dbe3 Copy and adapt tests from text/template, to exercise more of html/template's copy. Various differences in behavior are flagged with NOTE comments or t.Skip and documented in #40075. Many of them are probably bugs. One clarifying test case added to both text/template and html/template. No changes to the package itself. Change-Id: Ifefad83d647db846040d24c2741a0244b00ade82 Reviewed-on: https://go-review.googlesource.com/c/go/+/241084 Run-TryBot: Russ Cox <rsc@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Rob Pike <r@golang.org> 
Copy and adapt tests from text/template, to exercise more of html/template's copy.

Various differences in behavior are flagged with NOTE comments or t.Skip
and documented in #40075. Many of them are probably bugs.
One clarifying test case added to both text/template and html/template.

No changes to the package itself.

Change-Id: Ifefad83d647db846040d24c2741a0244b00ade82
Reviewed-on: https://go-review.googlesource.com/c/go/+/241084
Run-TryBot: Russ Cox <rsc@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Rob Pike <r@golang.org>
all: avoid awkward wording from CL 236857 2020-06-08T21:36:04+00:00 Russ Cox rsc@golang.org 2020-06-08T16:39:56+00:00 2cd2ff6f564dce5be0c4fb7f06338ff7af3fc9a9 CL 236857 removed all uses of whitelist/blacklist, which is great. But it substituted awkward phrasing using allowlist/blocklist, especially as verbs or participles. This CL uses more standard English, like "allow the function" or "blocked functions" instead of "allowlist the function" or "blocklisted functions". Change-Id: I9106a2fdbd62751c4cbda3a77181358a8a6d0f13 Reviewed-on: https://go-review.googlesource.com/c/go/+/236917 Run-TryBot: Russ Cox <rsc@golang.org> Reviewed-by: Ian Lance Taylor <iant@golang.org> 
CL 236857 removed all uses of whitelist/blacklist, which is great.
But it substituted awkward phrasing using allowlist/blocklist,
especially as verbs or participles. This CL uses more standard English,
like "allow the function" or "blocked functions" instead of
"allowlist the function" or "blocklisted functions".

Change-Id: I9106a2fdbd62751c4cbda3a77181358a8a6d0f13
Reviewed-on: https://go-review.googlesource.com/c/go/+/236917
Run-TryBot: Russ Cox <rsc@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
all: replace usages of whitelist/blacklist and master/slave 2020-06-08T01:03:14+00:00 Filippo Valsorda filippo@golang.org 2020-06-07T00:59:12+00:00 608cdcaede1e7133dc994b5e8894272c2dce744b There's been plenty of discussion on the usage of these terms in tech. I'm not trying to have yet another debate. It's clear that there are people who are hurt by them and who are made to feel unwelcome by their use due not to technical reasons but to their historical and social context. That's simply enough reason to replace them. Anyway, allowlist and blocklist are more self-explanatory than whitelist and blacklist, so this change has negative cost. Didn't change vendored, bundled, and minified files. Nearly all changes are tests or comments, with a couple renames in cmd/link and cmd/oldlink which are extremely safe. This should be fine to land during the freeze without even asking for an exception. Change-Id: I8fc54a3c8f9cc1973b710bbb9558a9e45810b896 Reviewed-on: https://go-review.googlesource.com/c/go/+/236857 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Reviewed-by: Khosrow Moossavi <khos2ow@gmail.com> Reviewed-by: Leigh McCulloch <leighmcc@gmail.com> Reviewed-by: Urban Ishimwe <urbainishimwe@gmail.com> 
There's been plenty of discussion on the usage of these terms in tech.
I'm not trying to have yet another debate. It's clear that there are
people who are hurt by them and who are made to feel unwelcome by their
use due not to technical reasons but to their historical and social
context. That's simply enough reason to replace them.

Anyway, allowlist and blocklist are more self-explanatory than whitelist
and blacklist, so this change has negative cost.

Didn't change vendored, bundled, and minified files. Nearly all changes
are tests or comments, with a couple renames in cmd/link and cmd/oldlink
which are extremely safe. This should be fine to land during the freeze
without even asking for an exception.

Change-Id: I8fc54a3c8f9cc1973b710bbb9558a9e45810b896
Reviewed-on: https://go-review.googlesource.com/c/go/+/236857
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-by: Khosrow Moossavi <khos2ow@gmail.com>
Reviewed-by: Leigh McCulloch <leighmcc@gmail.com>
Reviewed-by: Urban Ishimwe <urbainishimwe@gmail.com>
html/template,text/template: switch to Unicode escapes for JSON compatibility 2020-04-16T17:13:33+00:00 empijei robclap8@gmail.com 2020-03-27T18:27:55+00:00 d4d298040d072ddacea0e0d6b55fb148fff18070 The existing implementation is not compatible with JSON escape as it uses hex escaping. Unicode escape, instead, is valid for both JSON and JS. This fix avoids creating a separate escaping context for scripts of type "application/ld+json" and it is more future-proof in case more JSON+JS contexts get added to the platform (e.g. import maps). Fixes #33671 Fixes #37634 Change-Id: Id6f6524b4abc52e81d9d744d46bbe5bf2e081543 Reviewed-on: https://go-review.googlesource.com/c/go/+/226097 Reviewed-by: Carl Johnson <me@carlmjohnson.net> Reviewed-by: Daniel Martí <mvdan@mvdan.cc> Run-TryBot: Daniel Martí <mvdan@mvdan.cc> TryBot-Result: Gobot Gobot <gobot@golang.org> 
The existing implementation is not compatible with JSON
escape as it uses hex escaping.
Unicode escape, instead, is valid for both JSON and JS.
This fix avoids creating a separate escaping context for
scripts of type "application/ld+json" and it is more
future-proof in case more JSON+JS contexts get added
to the platform (e.g. import maps).

Fixes #33671
Fixes #37634

Change-Id: Id6f6524b4abc52e81d9d744d46bbe5bf2e081543
Reviewed-on: https://go-review.googlesource.com/c/go/+/226097
Reviewed-by: Carl Johnson <me@carlmjohnson.net>
Reviewed-by: Daniel Martí <mvdan@mvdan.cc>
Run-TryBot: Daniel Martí <mvdan@mvdan.cc>
TryBot-Result: Gobot Gobot <gobot@golang.org>
text/template: harden JSEscape to also escape ampersand and equal 2019-11-21T22:20:17+00:00 Roberto Clapis robclap8@gmail.com 2019-11-18T09:05:07+00:00 94e9a5e19b831504eca2b7202b78d1a48c4be547 Ampersand and equal are not dangerous in a JS/JSString context but they might cause issues if interpolated in HTML attributes. This change makes it harder to introduce XSS by misusing escaping. Thanks to t1ddl3r <t1ddl3r@gmail.com> for reporting this common misuse scenario. Fixes #35665 Change-Id: Ice6416477bba4cb2ba2fe2cfdc20e027957255c0 Reviewed-on: https://go-review.googlesource.com/c/go/+/207637 Reviewed-by: Filippo Valsorda <filippo@golang.org> Reviewed-by: Mike Samuel <mikesamuel@gmail.com> Reviewed-by: Andrew Bonventre <andybons@golang.org> Reviewed-by: Daniel Martí <mvdan@mvdan.cc> 
Ampersand and equal are not dangerous in a JS/JSString context
but they might cause issues if interpolated in HTML attributes.

This change makes it harder to introduce XSS by misusing
escaping.

Thanks to t1ddl3r <t1ddl3r@gmail.com> for reporting this common
misuse scenario.

Fixes #35665

Change-Id: Ice6416477bba4cb2ba2fe2cfdc20e027957255c0
Reviewed-on: https://go-review.googlesource.com/c/go/+/207637
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Mike Samuel <mikesamuel@gmail.com>
Reviewed-by: Andrew Bonventre <andybons@golang.org>
Reviewed-by: Daniel Martí <mvdan@mvdan.cc>