### Go 1.26
+Go 1.26.1 added a new `htmlmetacontenturlescape` setting that controls whether
+html/template will escape URLs in the `url=` portion of the content attribute of
+HTML meta tags. The default `htmlmetacontentescape=1` will cause URLs to be
+escaped. Setting `htmlmetacontentescape=0` disables this behavior.
+
Go 1.26 added a new `httpcookiemaxnum` setting that controls the maximum number
of cookies that net/http will accept when parsing HTTP headers. If the number of
cookie in a header exceeds the number set in `httpcookiemaxnum`, cookie parsing
_ = x[attrStyle-3]
_ = x[attrURL-4]
_ = x[attrSrcset-5]
+ _ = x[attrMetaContent-6]
}
-const _attr_name = "attrNoneattrScriptattrScriptTypeattrStyleattrURLattrSrcset"
+const _attr_name = "attrNoneattrScriptattrScriptTypeattrStyleattrURLattrSrcsetattrMetaContent"
-var _attr_index = [...]uint8{0, 8, 18, 32, 41, 48, 58}
+var _attr_index = [...]uint8{0, 8, 18, 32, 41, 48, 58, 73}
func (i attr) String() string {
if i >= attr(len(_attr_index)-1) {
// stateError is an infectious error state outside any valid
// HTML/CSS/JS construct.
stateError
+ // stateMetaContent occurs inside a HTML meta element content attribute.
+ stateMetaContent
+ // stateMetaContentURL occurs inside a "url=" tag in a HTML meta element content attribute.
+ stateMetaContentURL
// stateDead marks unreachable code after a {{break}} or {{continue}}.
stateDead
)
elementTextarea
// elementTitle corresponds to the RCDATA <title> element.
elementTitle
+ // elementMeta corresponds to the HTML <meta> element.
+ elementMeta
)
//go:generate stringer -type attr
attrURL
// attrSrcset corresponds to a srcset attribute.
attrSrcset
+ // attrMetaContent corresponds to the content attribute in meta HTML element.
+ attrMetaContent
)
_ = x[elementStyle-2]
_ = x[elementTextarea-3]
_ = x[elementTitle-4]
+ _ = x[elementMeta-5]
}
-const _element_name = "elementNoneelementScriptelementStyleelementTextareaelementTitle"
+const _element_name = "elementNoneelementScriptelementStyleelementTextareaelementTitleelementMeta"
-var _element_index = [...]uint8{0, 11, 24, 36, 51, 63}
+var _element_index = [...]uint8{0, 11, 24, 36, 51, 63, 74}
func (i element) String() string {
if i >= element(len(_element_index)-1) {
var debugAllowActionJSTmpl = godebug.New("jstmpllitinterp")
+var htmlmetacontenturlescape = godebug.New("htmlmetacontenturlescape")
+
// escapeAction escapes an action template node.
func (e *escaper) escapeAction(c context, n *parse.ActionNode) context {
if len(n.Pipe.Decl) != 0 {
default:
panic(c.urlPart.String())
}
+ case stateMetaContent:
+ // Handled below in delim check.
+ case stateMetaContentURL:
+ if htmlmetacontenturlescape.Value() != "0" {
+ s = append(s, "_html_template_urlfilter")
+ } else {
+ // We don't have a great place to increment this, since it's hard to
+ // know if we actually escape any urls in _html_template_urlfilter,
+ // since it has no information about what context it is being
+ // executed in etc. This is probably the best we can do.
+ htmlmetacontenturlescape.IncNonDefault()
+ }
case stateJS:
s = append(s, "_html_template_jsvalescaper")
// A slash after a value starts a div operator.
"<script>var a = `${ var a = \"{{\"a \\\" d\"}}\" }`</script>",
"<script>var a = `${ var a = \"a \\u0022 d\" }`</script>",
},
+ {
+ "meta content attribute url",
+ `<meta http-equiv="refresh" content="asd; url={{"javascript:alert(1)"}}; asd; url={{"vbscript:alert(1)"}}; asd">`,
+ `<meta http-equiv="refresh" content="asd; url=#ZgotmplZ; asd; url=#ZgotmplZ; asd">`,
+ },
+ {
+ "meta content string",
+ `<meta http-equiv="refresh" content="{{"asd: 123"}}">`,
+ `<meta http-equiv="refresh" content="asd: 123">`,
+ },
}
for _, test := range tests {
"<script>var tmpl = `asd ${return \"{\"}`;</script>",
``,
},
+ {
+ `{{if eq "" ""}}<meta>{{end}}`,
+ ``,
+ },
+ {
+ `{{if eq "" ""}}<meta content="url={{"asd"}}">{{end}}`,
+ ``,
+ },
// Error cases.
{
t.Fatalf(`Template "foo" and "bar" rendered %q and %q respectively, expected equal values`, got1, got2)
}
}
+
+func TestMetaContentEscapeGODEBUG(t *testing.T) {
+ savedGODEBUG := os.Getenv("GODEBUG")
+ os.Setenv("GODEBUG", savedGODEBUG+",htmlmetacontenturlescape=0")
+ defer func() { os.Setenv("GODEBUG", savedGODEBUG) }()
+
+ tmpl := Must(New("").Parse(`<meta http-equiv="refresh" content="asd; url={{"javascript:alert(1)"}}; asd; url={{"vbscript:alert(1)"}}; asd">`))
+ var b strings.Builder
+ if err := tmpl.Execute(&b, nil); err != nil {
+ t.Fatalf("unexpected error: %s", err)
+ }
+ want := `<meta http-equiv="refresh" content="asd; url=javascript:alert(1); asd; url=vbscript:alert(1); asd">`
+ if got := b.String(); got != want {
+ t.Fatalf("got %q, want %q", got, want)
+ }
+}
_ = x[stateCSSBlockCmt-25]
_ = x[stateCSSLineCmt-26]
_ = x[stateError-27]
- _ = x[stateDead-28]
+ _ = x[stateMetaContent-28]
+ _ = x[stateMetaContentURL-29]
+ _ = x[stateDead-30]
}
-const _state_name = "stateTextstateTagstateAttrNamestateAfterNamestateBeforeValuestateHTMLCmtstateRCDATAstateAttrstateURLstateSrcsetstateJSstateJSDqStrstateJSSqStrstateJSTmplLitstateJSRegexpstateJSBlockCmtstateJSLineCmtstateJSHTMLOpenCmtstateJSHTMLCloseCmtstateCSSstateCSSDqStrstateCSSSqStrstateCSSDqURLstateCSSSqURLstateCSSURLstateCSSBlockCmtstateCSSLineCmtstateErrorstateDead"
+const _state_name = "stateTextstateTagstateAttrNamestateAfterNamestateBeforeValuestateHTMLCmtstateRCDATAstateAttrstateURLstateSrcsetstateJSstateJSDqStrstateJSSqStrstateJSTmplLitstateJSRegexpstateJSBlockCmtstateJSLineCmtstateJSHTMLOpenCmtstateJSHTMLCloseCmtstateCSSstateCSSDqStrstateCSSSqStrstateCSSDqURLstateCSSSqURLstateCSSURLstateCSSBlockCmtstateCSSLineCmtstateErrorstateMetaContentstateMetaContentURLstateDead"
-var _state_index = [...]uint16{0, 9, 17, 30, 44, 60, 72, 83, 92, 100, 111, 118, 130, 142, 156, 169, 184, 198, 216, 235, 243, 256, 269, 282, 295, 306, 322, 337, 347, 356}
+var _state_index = [...]uint16{0, 9, 17, 30, 44, 60, 72, 83, 92, 100, 111, 118, 130, 142, 156, 169, 184, 198, 216, 235, 243, 256, 269, 282, 295, 306, 322, 337, 347, 363, 382, 391}
func (i state) String() string {
if i >= state(len(_state_index)-1) {
stateRCDATA: tSpecialTagEnd,
stateAttr: tAttr,
stateURL: tURL,
+ stateMetaContent: tMetaContent,
+ stateMetaContentURL: tMetaContentURL,
stateSrcset: tURL,
stateJS: tJS,
stateJSDqStr: tJSDelimited,
elementStyle: stateCSS,
elementTextarea: stateRCDATA,
elementTitle: stateRCDATA,
+ elementMeta: stateText,
}
// tTag is the context transition function for the tag state.
return c, len(s)
}
if s[i] == '>' {
+ // Treat <meta> specially, because it doesn't have an end tag, and we
+ // want to transition into the correct state/element for it.
+ if c.element == elementMeta {
+ return context{state: stateText, element: elementNone}, i + 1
+ }
return context{
state: elementContentType[c.element],
element: c.element,
attrName := strings.ToLower(string(s[i:j]))
if c.element == elementScript && attrName == "type" {
attr = attrScriptType
+ } else if c.element == elementMeta && attrName == "content" {
+ attr = attrMetaContent
} else {
switch attrType(attrName) {
case contentTypeURL:
}
var attrStartStates = [...]state{
- attrNone: stateAttr,
- attrScript: stateJS,
- attrScriptType: stateAttr,
- attrStyle: stateCSS,
- attrURL: stateURL,
- attrSrcset: stateSrcset,
+ attrNone: stateAttr,
+ attrScript: stateJS,
+ attrScriptType: stateAttr,
+ attrStyle: stateCSS,
+ attrURL: stateURL,
+ attrSrcset: stateSrcset,
+ attrMetaContent: stateMetaContent,
}
// tBeforeValue is the context transition function for stateBeforeValue.
elementStyle: []byte("style"),
elementTextarea: []byte("textarea"),
elementTitle: []byte("title"),
+ elementMeta: []byte(""),
}
var (
return c, len(s)
}
+// tMetaContent is the context transition function for the meta content attribute state.
+func tMetaContent(c context, s []byte) (context, int) {
+ for i := 0; i < len(s); i++ {
+ if i+3 <= len(s)-1 && bytes.Equal(bytes.ToLower(s[i:i+4]), []byte("url=")) {
+ c.state = stateMetaContentURL
+ return c, i + 4
+ }
+ }
+ return c, len(s)
+}
+
+// tMetaContentURL is the context transition function for the "url=" part of a meta content attribute state.
+func tMetaContentURL(c context, s []byte) (context, int) {
+ for i := 0; i < len(s); i++ {
+ if s[i] == ';' {
+ c.state = stateMetaContent
+ return c, i + 1
+ }
+ }
+ return c, len(s)
+}
+
// eatAttrName returns the largest j such that s[i:j] is an attribute name.
// It returns an error if s[i:] does not look like it begins with an
// attribute name, such as encountering a quote mark without a preceding
"style": elementStyle,
"textarea": elementTextarea,
"title": elementTitle,
+ "meta": elementMeta,
}
// asciiAlpha reports whether c is an ASCII letter.
{Name: "gocacheverify", Package: "cmd/go"},
{Name: "gotestjsonbuildtext", Package: "cmd/go", Changed: 24, Old: "1"},
{Name: "gotypesalias", Package: "go/types", Changed: 23, Old: "0"},
+ {Name: "htmlmetacontenturlescape", Package: "html/template"},
{Name: "http2client", Package: "net/http"},
{Name: "http2debug", Package: "net/http", Opaque: true},
{Name: "http2server", Package: "net/http"},
The number of non-default behaviors executed by the go/types
package due to a non-default GODEBUG=gotypesalias=... setting.
+ /godebug/non-default-behavior/htmlmetacontenturlescape:events
+ The number of non-default behaviors executed by
+ the html/template package due to a non-default
+ GODEBUG=htmlmetacontenturlescape=... setting.
+
/godebug/non-default-behavior/http2client:events
The number of non-default behaviors executed by the net/http
package due to a non-default GODEBUG=http2client=... setting.