exp/template: escape < and > in JS escaper.
authorDavid Symonds <dsymonds@golang.org>
Thu, 14 Jul 2011 02:02:58 +0000 (12:02 +1000)
committerDavid Symonds <dsymonds@golang.org>
Thu, 14 Jul 2011 02:02:58 +0000 (12:02 +1000)
Angle brackets can trigger some browser sniffers,
causing some output to be interpreted as HTML.
Escaping angle brackets closes that security hole.

R=r
CC=golang-dev
https://golang.org/cl/4714044

src/pkg/exp/template/exec_test.go
src/pkg/exp/template/funcs.go

index 112adbf246180a9b6c90a02dab614fbfc2fa3138..97ec952493eb8b7c623150f769eb92ace1155340 100644 (file)
@@ -411,6 +411,7 @@ func TestJSEscaping(t *testing.T) {
                {`Go "jump" \`, `Go \"jump\" \\`},
                {`Yukihiro says "今日は世界"`, `Yukihiro says \"今日は世界\"`},
                {"unprintable \uFDFF", `unprintable \uFDFF`},
+               {`<html>`, `\x3Chtml\x3E`},
        }
        for _, tc := range testCases {
                s := JSEscapeString(tc.in)
index 3bf2bdd63639eb63bbb4209ab3d755326a6e96f0..fd66a1f41561cac3e6227c9325bc25d79bff94a3 100644 (file)
@@ -233,6 +233,8 @@ var (
        jsBackslash = []byte(`\\`)
        jsApos      = []byte(`\'`)
        jsQuot      = []byte(`\"`)
+       jsLt        = []byte(`\x3C`)
+       jsGt        = []byte(`\x3E`)
 )
 
 
@@ -242,14 +244,14 @@ func JSEscape(w io.Writer, b []byte) {
        for i := 0; i < len(b); i++ {
                c := b[i]
 
-               if ' ' <= c && c < utf8.RuneSelf && c != '\\' && c != '"' && c != '\'' {
+               if !jsIsSpecial(int(c)) {
                        // fast path: nothing to do
                        continue
                }
                w.Write(b[last:i])
 
                if c < utf8.RuneSelf {
-                       // Quotes and slashes get quoted.
+                       // Quotes, slashes and angle brackets get quoted.
                        // Control characters get written as \u00XX.
                        switch c {
                        case '\\':
@@ -258,6 +260,10 @@ func JSEscape(w io.Writer, b []byte) {
                                w.Write(jsApos)
                        case '"':
                                w.Write(jsQuot)
+                       case '<':
+                               w.Write(jsLt)
+                       case '>':
+                               w.Write(jsGt)
                        default:
                                w.Write(jsLowUni)
                                t, b := c>>4, c&0x0f
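Review bot: The new `case '<'` and `case '>'` arms write `\x3C`/`\x3E`, and `\xHH` is a JavaScript-only escape that JSON rejects, whereas the `\u00XX` form the default arm already produces is accepted by both. If jsLowUni is the `\u00` prefix that the comment above the switch implies, these two arms (and the jsLt/jsGt constants added in the hunk above) could simply be dropped, letting `<` and `>` fall through to the default arm and come out as `\u003C`/`\u003E`; the new test expectation would then read `\u003Chtml\u003E`. If the shorter `\x` form is deliberate, a comment on the two constants saying why it was preferred over `\u` would save the next reader the question. The enclosing switch and the body of JSEscape continue outside this hunk.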
@@ -293,7 +299,7 @@ func JSEscapeString(s string) string {
 
 func jsIsSpecial(rune int) bool {
        switch rune {
-       case '\\', '\'', '"':
+       case '\\', '\'', '"', '<', '>':
                return true
        }
        return rune < ' ' || utf8.RuneSelf <= rune
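Review bot: jsIsSpecial now decides which bytes leave JSEscape's fast path, so the `case` list here and the `switch` in JSEscape have to be changed together, yet nothing on the function says so. A doc comment above the signature such as `// jsIsSpecial reports whether rune must be escaped by JSEscape: quotes, backslash, angle brackets, control characters and every non-ASCII rune. Keep the case list in step with the switch in JSEscape.` would make the coupling explicit. The function's closing brace lies outside this hunk.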