exp/template/html: recognize whitespace at start of URLs.
authorMike Samuel <mikesamuel@gmail.com>
Sun, 18 Sep 2011 18:55:14 +0000 (11:55 -0700)
committerMike Samuel <mikesamuel@gmail.com>
Sun, 18 Sep 2011 18:55:14 +0000 (11:55 -0700)
HTML5 uses "Valid URL potentially surrounded by spaces" for
attrs: http://www.w3.org/TR/html5/index.html#attributes-1

    <a href=" {{.}}">

should still be treated as the start of a URL, so that a "javascript:..." value is filtered out rather than passed through as data.

R=nigeltao
CC=golang-dev
https://golang.org/cl/5027045

src/pkg/exp/template/html/escape_test.go
src/pkg/exp/template/html/transition.go

index 852104bf6c2acce4df4f809c8fee1aad45c45d70..b57a202f8fc2e24f7f09751807c5a591881659b1 100644 (file)
@@ -120,6 +120,11 @@ func TestEscape(t *testing.T) {
                        `<a href='{{"javascript:alert(%22pwned%22)"}}'>`,
                        `<a href='#ZgotmplZ'>`,
                },
+               {
+                       "dangerousURLStart2",
+                       `<a href='  {{"javascript:alert(%22pwned%22)"}}'>`,
+                       `<a href='  #ZgotmplZ'>`,
+               },
                {
                        "nonHierURL",
                        `<a href={{"mailto:Muhammed \"The Greatest\" Ali <m.ali@example.com>"}}>`,
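Review bot: The new dangerousURLStart2 case only exercises two ASCII spaces before the action, but the HTML5 rule the commit cites ("potentially surrounded by spaces") covers the full space-character set: space, tab, LF, FF and CR. Whether eatWhiteSpace treats those the same way is not visible from this hunk, so a second case such as `<a href="\n\t{{"javascript:alert(%22pwned%22)"}}">` expecting `<a href="\n\t#ZgotmplZ">` would pin that down and also cover the double-quoted attribute form. Without it, a tab or newline before the action could presumably still advance urlPart and let the scheme filter be skipped, which is exactly the bypass this change is meant to close. The surrounding TestEscape table starts and ends outside this hunk.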
index 2449a50110875455c2799ee9f5f19aa8748aa956..450dda43c423136557c5b513e45feaabe024e996 100644 (file)
@@ -169,7 +169,9 @@ func tAttr(c context, s []byte) (context, []byte) {
 func tURL(c context, s []byte) (context, []byte) {
        if bytes.IndexAny(s, "#?") >= 0 {
                c.urlPart = urlPartQueryOrFrag
-       } else if len(s) != 0 && c.urlPart == urlPartNone {
+       } else if len(s) != eatWhiteSpace(s, 0) && c.urlPart == urlPartNone {
+               // HTML5 uses "Valid URL potentially surrounded by spaces" for
+               // attrs: http://www.w3.org/TR/html5/index.html#attributes-1
                c.urlPart = urlPartPreQuery
        }
        return c, nil
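Review bot: The added comment in tURL cites the HTML5 rule but does not say why it matters for escaping, which is the security-relevant point: leading whitespace must not advance urlPart, because an action that follows it is still the start of the URL and has to go through the scheme filter rather than being treated as mid-URL content. I would extend the comment with `// Leading whitespace is not part of the URL, so an action that follows it stays in urlPartNone and is still checked as a URL start.` It is also worth confirming that eatWhiteSpace's character set matches the HTML5 space characters (space, tab, LF, FF, CR) rather than only ' ', since the new condition relies on it entirely; that helper is not visible in this hunk. tURL's closing brace lies outside the hunk.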