The normalization that prevents element name and comment injection in
<{{.}}
by converting it to
&lt;{{.}}
breaks
<!DOCTYPE html>
Instead of splitting states to have a start of document state and a text
state, I whitelist <!DOCTYPE.
R=nigeltao
CC=golang-dev
https://golang.org/cl/
5131051
delimSpaceOrTagEnd: " \t\n\f\r>",
}
+var doctypeBytes = []byte("<!DOCTYPE")
+
// escapeText escapes a text template node.
func (e *escaper) escapeText(c context, n *parse.TextNode) context {
s, written, i, b := n.Text, 0, 0, new(bytes.Buffer)
}
}
for j := i; j < end; j++ {
- if s[j] == '<' {
+ if s[j] == '<' && !bytes.HasPrefix(s[j:], doctypeBytes) {
b.Write(s[written:j])
b.WriteString("<")
written = j + 1
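Review bot: The exemption on the changed line in escapeText matches `<!DOCTYPE` case-sensitively, but HTML parsers accept the keyword in any letter case, so a template beginning with `<!doctype html>` would still have its `<` normalized and the doctype would render as text. Consider a case-insensitive comparison, for example `if s[j] == '<' && !bytes.HasPrefix(bytes.ToUpper(s[j:]), doctypeBytes) {`, or compare only the first `len(doctypeBytes)` bytes to avoid copying the rest of the text at every `<`. A comment on `doctypeBytes` should also record why the skip is safe: the whole prefix has to sit inside one text node, so an action's output cannot complete it, which the added "No doctype injection" test appears to pin. The body of escapeText starts and ends outside this hunk.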
"a<<!-- --><!-- -->b",
"a<b",
},
+ {
+ "HTML doctype not normalized",
+ "<!DOCTYPE html>Hello, World!",
+ "<!DOCTYPE html>Hello, World!",
+ },
+ {
+ "No doctype injection",
+ `<!{{"DOCTYPE"}}`,
+ "<!DOCTYPE",
+ },
{
"Split HTML comment",
"<b>Hello, <!-- name of {{if .T}}city -->{{.C}}{{else}}world -->{{.W}}{{end}}</b>",