Cypherpunks repositories - gostls13.git/commit

author	Samuel Tan <samueltan@google.com>
	Wed, 5 Apr 2017 01:26:21 +0000 (18:26 -0700)
committer	Russ Cox <rsc@golang.org>
	Mon, 10 Apr 2017 15:08:47 +0000 (15:08 +0000)
commit	9ffd9339da503b50571ec6806e5d6d2cf5d5912a
tree	3ad491bc8f37495d15ef02084d93c04cad5da093	tree
parent	221541ec8c4ec1b0ed0c6f26f5e13ca128e2a3cd	commit \| diff

html/template: panic if predefined escapers are found in pipelines during rewriting

Report an error if a predefined escaper (i.e. "html", "urlquery", or "js")
is found in a pipeline that will be rewritten by the contextual auto-escaper,
instead of trying to merge the escaper-inserted escaping directives
with these predefined escapers. This merging behavior is a source
of several security and correctness bugs (eee #19336, #19345, #19352,
and #19353.)

This merging logic was originally intended to ease migration of text/template
templates with user-defined escapers to html/template. Now that
migration is no longer an issue, this logic can be safely removed.

NOTE: this is a backward-incompatible change that fixes known security
bugs (see linked issues for more details). It will explicitly break users
that attempt to execute templates with pipelines containing predefined
escapers.

Fixes #19336, #19345, #19352, #19353

Change-Id: I46b0ca8a2809d179c13c0d4f42b63126ed1c3b49
Reviewed-on: https://go-review.googlesource.com/37880
Run-TryBot: Russ Cox <rsc@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Russ Cox <rsc@golang.org>

src/html/template/error.go		diff \| blob \| history
src/html/template/escape.go		diff \| blob \| history
src/html/template/escape_test.go		diff \| blob \| history