This removes a few cases from escapeAction and clarifies the
responsibilities of urlFilter which no longer does any
escaping or normalization. It is now solely a filter.
R=nigeltao
CC=golang-dev
https://golang.org/cl/5162043
switch c.state {
case stateCSSDqStr, stateCSSSqStr:
s = append(s, "exp_template_html_cssescaper")
- case stateCSSDqURL, stateCSSSqURL, stateCSSURL:
+ default:
s = append(s, "exp_template_html_urlnormalizer")
}
case urlPartQueryOrFrag:
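Review bot: The `default:` that replaces the explicit `stateCSSDqURL, stateCSSSqURL, stateCSSURL` list silently routes every state that reaches this inner switch, now and in the future, to the URL normalizer; that is only correct if the enclosing case (outside this hunk) already restricts `c.state` to CSS states, which the hunk does not show. The explicit list was self-documenting and would have left any unexpected state unhandled rather than quietly normalized as a URL. If the wider match is intended, keep a comment on the new branch so the intent survives, e.g. `default: // stateCSSDqURL, stateCSSSqURL, stateCSSURL: unquoted or quoted url() argument`. The enclosing switch statement starts and ends outside this hunk.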
{
"nonHierURL",
`<a href={{"mailto:Muhammed \"The Greatest\" Ali <m.ali@example.com>"}}>`,
- `<a href=mailto:Muhammed "The Greatest" Ali <m.ali@example.com>>`,
+ `<a href=mailto:Muhammed%20%22The%20Greatest%22%20Ali%20%3cm.ali@example.com%3e>`,
},
{
"urlPath",
},
{
"styleStrBadProtocolBlocked",
- `<a style="background: '{{"javascript:alert(1337)"}}'">`,
+ `<a style="background: '{{"vbscript:alert(1337)"}}'">`,
`<a style="background: '#ZgotmplZ'">`,
},
+ {
+ "styleStrEncodedProtocolEncoded",
+ `<a style="background: '{{"javascript\\3a alert(1337)"}}'">`,
+ // The CSS string 'javascript\\3a alert(1337)' does not contains a colon.
+ `<a style="background: 'javascript\\3a alert\28 1337\29 '">`,
+ },
{
"styleURLGoodProtocolPassed",
`<a style="background: url('{{"http://oreilly.com/O'Reilly Animals(1)<2>;{}.html"}}')">`,
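Review bot: The added comment in `styleStrEncodedProtocolEncoded` has a typo: `does not contains a colon` should read `does not contain a colon`; it also helps to say why, since the raw-string output shows the CSS escaper doubling the backslash so that `\\3a` no longer decodes to `:`. Separately, changing `styleStrBadProtocolBlocked` from `javascript:` to `vbscript:` removes the only direct test of the `javascript:` scheme inside a CSS string; the encoded `\3a` case does not cover the plain form. Consider keeping both inputs as separate cases rather than replacing one with the other. The test table continues outside this hunk.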
"strings"
)
-// urlFilter returns the HTML equivalent of its input unless it contains an
-// unsafe protocol in which case it defangs the entire URL.
+// urlFilter returns its input unless it contains an unsafe protocol in which
+// case it defangs the entire URL.
func urlFilter(args ...interface{}) string {
s, t := stringify(args...)
if t == contentTypeURL {
- return urlProcessor(true, s)
+ return s
}
- i := strings.IndexRune(s, ':')
- if i >= 0 && strings.IndexRune(s[:i], '/') < 0 {
+ if i := strings.IndexRune(s, ':'); i >= 0 && strings.IndexRune(s[:i], '/') < 0 {
protocol := strings.ToLower(s[:i])
if protocol != "http" && protocol != "https" && protocol != "mailto" {
return "#" + filterFailsafe
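Review bot: The new doc comment should state that urlFilter returns its input unescaped and is only safe when followed by the URL normalizer or escaper in the escaping pipeline, since a reader of url.go alone can no longer see that a non-URL value passes through verbatim after the protocol check; e.g. `// urlFilter returns its input unless it contains an unsafe protocol in which` / `// case it defangs the entire URL. It does no escaping or normalization; the` / `// escaper chain is responsible for applying urlnormalizer or urlescaper after it.`. Note also that the `contentTypeURL` branch previously went through `urlProcessor(true, s)` and now returns `s` untouched, so trusted URL content is passed through with whatever whitespace or quotes it carries; whether a later stage still normalizes it is not visible here and is worth confirming. The protocol check itself is a whitelist on the text before the first `:` with no `/` ahead of it, so unusual prefixes such as leading whitespace fail closed, which is the right default. The body of urlFilter continues past the end of this hunk.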