html/template: fix pipeline sanitization
authorDidier Spezia <didier.06@gmail.com>
Wed, 6 May 2015 22:14:32 +0000 (22:14 +0000)
committerRob Pike <r@golang.org>
Fri, 8 May 2015 18:05:32 +0000 (18:05 +0000)
Pipelines are altered by inserting sanitizers if they are not
already present. The code assumes that the first operand of
each command is a function identifier.

This is wrong, since they can also be methods. It results in
a panic with templates such as {{1|print 2|.f 3}}

Adds an extra type assertion to make sure only identifiers
are compared with sanitizers.

Fixes #10673

Change-Id: I3eb820982675231dbfa970f197abc5ef335ce86b
Reviewed-on: https://go-review.googlesource.com/9801
Reviewed-by: Rob Pike <r@golang.org>
src/html/template/escape.go
src/html/template/escape_test.go

index ee01fb12ab83ba9dbbc6e7193235e1d9d37ae024..a9529446dd0d753292900a9646cf7164dc9e2768 100644 (file)
@@ -297,9 +297,9 @@ var redundantFuncs = map[string]map[string]bool{
 // unless it is redundant with the last command.
 func appendCmd(cmds []*parse.CommandNode, cmd *parse.CommandNode) []*parse.CommandNode {
        if n := len(cmds); n != 0 {
-               last, ok := cmds[n-1].Args[0].(*parse.IdentifierNode)
-               next, _ := cmd.Args[0].(*parse.IdentifierNode)
-               if ok && redundantFuncs[last.Ident][next.Ident] {
+               last, okLast := cmds[n-1].Args[0].(*parse.IdentifierNode)
+               next, okNext := cmd.Args[0].(*parse.IdentifierNode)
+               if okLast && okNext && redundantFuncs[last.Ident][next.Ident] {
                        return cmds
                }
        }
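Review bot: The paired assertions on `Args[0]` have no comment explaining why a non-identifier operand must fall through to the append, which is the safe direction for an escaper: a sanitizer is dropped only when both commands are identifiers listed in `redundantFuncs`. I would add above them `// Args[0] may be a field or method node such as .f; compare only when both are identifiers, otherwise keep cmd.` Both commands are also indexed at `Args[0]` with no length check, which is presumably fine for parser-built trees but worth confirming for trees that reach this code some other way. The body of appendCmd continues past the end of the hunk.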
index 9c9502a617ad558d71593145ed1215eb40f1288d..6729ebf4a780f42ba11e664c1c71e0361d03b1b0 100644 (file)
@@ -1547,6 +1547,16 @@ func TestEnsurePipelineContains(t *testing.T) {
                        "($).X | urlquery | html | print",
                        []string{"urlquery", "html"},
                },
+               {
+                       "{{.X | print 2 | .f 3}}",
+                       ".X | print 2 | .f 3 | urlquery | html",
+                       []string{"urlquery", "html"},
+               },
+               {
+                       "{{.X | html | print 2 | .f 3}}",
+                       ".X | urlquery | html | print 2 | .f 3",
+                       []string{"urlquery", "html"},
+               },
        }
        for i, test := range tests {
                tmpl := template.Must(template.New("test").Parse(test.input))
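Review bot: The second added case expects `.X | urlquery | html | print 2 | .f 3`, so the required sanitizers run before `print 2 | .f 3` and the value returned by `.f` ends the pipeline, apparently without passing through an escaper. The first added case appends the sanitizers after `.f 3`, so the two expectations differ only because the template author wrote `html` early. It is worth confirming that this ordering is intended and not merely non-panicking, since this package is what stands between template data and HTML output. If it is intended, say so on the case, e.g. `// existing html is merged in place; later commands are not re-escaped`. The table belongs to TestEnsurePipelineContains, which starts and ends outside the hunk.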