adjusted to account for the additional symbol and the change in symbol offsets.
</p>
+<h3 id="html/template">html/template</h3>
+
+<p>
+Templates using the undocumented and only partially implemented
+"noescape" feature will break: that feature was removed.
+</p>
+
<h3 id="net">net</h3>
<p>
idents := p.Cmds
for i := n - 1; i >= 0; i-- {
if cmd := p.Cmds[i]; len(cmd.Args) != 0 {
- if id, ok := cmd.Args[0].(*parse.IdentifierNode); ok {
- if id.Ident == "noescape" {
- return
- }
+ if _, ok := cmd.Args[0].(*parse.IdentifierNode); ok {
continue
}
}
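Review bot: With the `noescape` early return removed, the remaining `if _, ok := cmd.Args[0].(*parse.IdentifierNode); ok { continue }` branch treats a caller-registered function named `noescape` like any other identifier. Such a template presumably still parses and executes with its output now escaped, rather than failing outright, which is worth stating next to the code. A comment above the loop would record the new invariant, e.g. `// No identifier exempts a pipeline from escaping; trusted content must be passed as a typed string such as HTML.` The deleted "auditable exemption" table case could also be kept as a regression case that registers a test-local `noescape` and expects `&lt;a&gt;&lt;b&gt;`, so that an opt-out cannot be reintroduced unnoticed. The enclosing function starts and ends outside this hunk, so the handling after the loop is not visible here.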
"<textarea>{{range .A}}{{.}}{{end}}</textarea>",
"<textarea><a><b></textarea>",
},
- {
- "auditable exemption from escaping",
- "{{range .A}}{{. | noescape}}{{end}}",
- "<a><b>",
- },
{
"No tag injection",
`{{"10$"}}<{{"script src,evil.org/pwnd.js"}}...`,
for _, test := range tests {
tmpl := New(test.name)
- // TODO: Move noescape into template/func.go
- tmpl.Funcs(FuncMap{
- "noescape": func(a ...interface{}) string {
- return fmt.Sprint(a...)
- },
- })
tmpl = Must(tmpl.Parse(test.input))
b := new(bytes.Buffer)
if err := tmpl.Execute(b, data); err != nil {