From 37dbc7b49cbc9934c8dde54b65e5f417ce3faae9 Mon Sep 17 00:00:00 2001 From: Nodir Turakulov Date: Sat, 3 Dec 2016 11:37:05 -0800 Subject: [PATCH] html/template: escape JS in application/json script tag Since ffd1c781b77aab542713b66ef387fa9307e4060b HTML templates check MIME type in the "type" attribute of "script" tag to decide if contents should be escaped as JavaScript. The whitelist of MIME types did not include application/json. Include it in this CL. Fixes #18159 Change-Id: I17a8a38f2b7789b4b7e941d14279de222eaf2b6a Reviewed-on: https://go-review.googlesource.com/33899 Reviewed-by: Brad Fitzpatrick Run-TryBot: Brad Fitzpatrick TryBot-Result: Gobot Gobot --- src/html/template/js.go | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/html/template/js.go b/src/html/template/js.go index 8f1185c81e..6434fa3be6 100644 --- a/src/html/template/js.go +++ b/src/html/template/js.go @@ -368,9 +368,10 @@ func isJSIdentPart(r rune) bool { // It is used to determine whether a script tag with a type attribute is a javascript container. func isJSType(mimeType string) bool { // per - // http://www.w3.org/TR/html5/scripting-1.html#attr-script-type + // https://www.w3.org/TR/html5/scripting-1.html#attr-script-type // https://tools.ietf.org/html/rfc7231#section-3.1.1 - // http://tools.ietf.org/html/rfc4329#section-3 + // https://tools.ietf.org/html/rfc4329#section-3 + // https://www.ietf.org/rfc/rfc4627.txt // discard parameters if i := strings.Index(mimeType, ";"); i >= 0 { @@ -381,6 +382,7 @@ func isJSType(mimeType string) bool { case "application/ecmascript", "application/javascript", + "application/json", "application/x-ecmascript", "application/x-javascript", "text/ecmascript", -- 2.50.0