Involved Source Filesattr.goattr_string.gocontent.gocontext.gocss.godelim_string.go
Package template (html/template) implements data-driven templates for
generating HTML output safe against code injection. It provides the
same interface as package text/template and should be used instead of
text/template whenever the output is HTML.
The documentation here focuses on the security features of the package.
For information about how to program the templates themselves, see the
documentation for text/template.
Introduction
This package wraps package text/template so you can share its template API
to parse and execute HTML templates safely.
tmpl, err := template.New("name").Parse(...)
// Error checking elided
err = tmpl.Execute(out, data)
If successful, tmpl will now be injection-safe. Otherwise, err is an error
defined in the docs for ErrorCode.
HTML templates treat data values as plain text which should be encoded so they
can be safely embedded in an HTML document. The escaping is contextual, so
actions can appear within JavaScript, CSS, and URI contexts.
The security model used by this package assumes that template authors are
trusted, while Execute's data parameter is not. More details are
provided below.
Example
import "text/template"
...
t, err := template.New("foo").Parse(`{{define "T"}}Hello, {{.}}!{{end}}`)
err = t.ExecuteTemplate(out, "T", "<script>alert('you have been pwned')</script>")
produces
Hello, <script>alert('you have been pwned')</script>!
but the contextual autoescaping in html/template
import "html/template"
...
t, err := template.New("foo").Parse(`{{define "T"}}Hello, {{.}}!{{end}}`)
err = t.ExecuteTemplate(out, "T", "<script>alert('you have been pwned')</script>")
produces safe, escaped HTML output
Hello, <script>alert('you have been pwned')</script>!
Contexts
This package understands HTML, CSS, JavaScript, and URIs. It adds sanitizing
functions to each simple action pipeline, so given the excerpt
<a href="/search?q={{.}}">{{.}}</a>
At parse time each {{.}} is overwritten to add escaping functions as necessary.
In this case it becomes
<a href="/search?q={{. | urlescaper | attrescaper}}">{{. | htmlescaper}}</a>
where urlescaper, attrescaper, and htmlescaper are aliases for internal escaping
functions.
For these internal escaping functions, if an action pipeline evaluates to
a nil interface value, it is treated as though it were an empty string.
Namespaced and data- attributes
Attributes with a namespace are treated as if they had no namespace.
Given the excerpt
<a my:href="{{.}}"></a>
At parse time the attribute will be treated as if it were just "href".
So at parse time the template becomes:
<a my:href="{{. | urlescaper | attrescaper}}"></a>
Similarly to attributes with namespaces, attributes with a "data-" prefix are
treated as if they had no "data-" prefix. So given
<a data-href="{{.}}"></a>
At parse time this becomes
<a data-href="{{. | urlescaper | attrescaper}}"></a>
If an attribute has both a namespace and a "data-" prefix, only the namespace
will be removed when determining the context. For example
<a my:data-href="{{.}}"></a>
This is handled as if "my:data-href" was just "data-href" and not "href" as
it would be if the "data-" prefix were to be ignored too. Thus at parse
time this becomes just
<a my:data-href="{{. | attrescaper}}"></a>
As a special case, attributes with the namespace "xmlns" are always treated
as containing URLs. Given the excerpts
<a xmlns:title="{{.}}"></a>
<a xmlns:href="{{.}}"></a>
<a xmlns:onclick="{{.}}"></a>
At parse time they become:
<a xmlns:title="{{. | urlescaper | attrescaper}}"></a>
<a xmlns:href="{{. | urlescaper | attrescaper}}"></a>
<a xmlns:onclick="{{. | urlescaper | attrescaper}}"></a>
Errors
See the documentation of ErrorCode for details.
A fuller picture
The rest of this package comment may be skipped on first reading; it includes
details necessary to understand escaping contexts and error messages. Most users
will not need to understand these details.
Contexts
Assuming {{.}} is `O'Reilly: How are <i>you</i>?`, the table below shows
how {{.}} appears when used in the context to the left.
Context {{.}} After
{{.}} O'Reilly: How are <i>you</i>?
<a title='{{.}}'> O'Reilly: How are you?
<a href="/{{.}}"> O'Reilly: How are %3ci%3eyou%3c/i%3e?
<a href="?q={{.}}"> O'Reilly%3a%20How%20are%3ci%3e...%3f
<a onx='f("{{.}}")'> O\x27Reilly: How are \x3ci\x3eyou...?
<a onx='f({{.}})'> "O\x27Reilly: How are \x3ci\x3eyou...?"
<a onx='pattern = /{{.}}/;'> O\x27Reilly: How are \x3ci\x3eyou...\x3f
If used in an unsafe context, then the value might be filtered out:
Context {{.}} After
<a href="{{.}}"> #ZgotmplZ
since "O'Reilly:" is not an allowed protocol like "http:".
If {{.}} is the innocuous word, `left`, then it can appear more widely,
Context {{.}} After
{{.}} left
<a title='{{.}}'> left
<a href='{{.}}'> left
<a href='/{{.}}'> left
<a href='?dir={{.}}'> left
<a style="border-{{.}}: 4px"> left
<a style="align: {{.}}"> left
<a style="background: '{{.}}'> left
<a style="background: url('{{.}}')> left
<style>p.{{.}} {color:red}</style> left
Non-string values can be used in JavaScript contexts.
If {{.}} is
struct{A,B string}{ "foo", "bar" }
in the escaped template
<script>var pair = {{.}};</script>
then the template output is
<script>var pair = {"A": "foo", "B": "bar"};</script>
See package json to understand how non-string content is marshaled for
embedding in JavaScript contexts.
Typed Strings
By default, this package assumes that all pipelines produce a plain text string.
It adds escaping pipeline stages necessary to correctly and safely embed that
plain text string in the appropriate context.
When a data value is not plain text, you can make sure it is not over-escaped
by marking it with its type.
Types HTML, JS, URL, and others from content.go can carry safe content that is
exempted from escaping.
The template
Hello, {{.}}!
can be invoked with
tmpl.Execute(out, template.HTML(`<b>World</b>`))
to produce
Hello, <b>World</b>!
instead of the
Hello, <b>World<b>!
that would have been produced if {{.}} was a regular string.
Security Model
https://rawgit.com/mikesamuel/sanitized-jquery-templates/trunk/safetemplate.html#problem_definition defines "safe" as used by this package.
This package assumes that template authors are trusted, that Execute's data
parameter is not, and seeks to preserve the properties below in the face
of untrusted data:
Structure Preservation Property:
"... when a template author writes an HTML tag in a safe templating language,
the browser will interpret the corresponding portion of the output as a tag
regardless of the values of untrusted data, and similarly for other structures
such as attribute boundaries and JS and CSS string boundaries."
Code Effect Property:
"... only code specified by the template author should run as a result of
injecting the template output into a page and all code specified by the
template author should run as a result of the same."
Least Surprise Property:
"A developer (or code reviewer) familiar with HTML, CSS, and JavaScript, who
knows that contextual autoescaping happens should be able to look at a {{.}}
and correctly infer what sanitization happens."
element_string.goerror.goescape.gohtml.gojs.gojsctx_string.gostate_string.gotemplate.gotransition.gourl.gourlpart_string.go
Package-Level Type Names (total 21, in which 11 are exported)
/* sort exporteds by: | */
CSS encapsulates known safe content that matches any of:
1. The CSS3 stylesheet production, such as `p { color: purple }`.
2. The CSS3 rule production, such as `a[href=~"https:"].foo#bar`.
3. CSS3 declaration productions, such as `color: red; margin: 2px`.
4. The CSS3 value production, such as `rgba(0, 0, 255, 127)`.
See https://www.w3.org/TR/css3-syntax/#parsing and
https://web.archive.org/web/20090211114933/http://w3.org/TR/css3-syntax#style
Use of this type presents a security risk:
the encapsulated content should come from a trusted source,
as it will be included verbatim in the template output.
Error describes a problem encountered during template Escaping.
Description is a human-readable description of the problem.
ErrorCode describes the kind of error.
Line is the line number of the error in the template source or 0.
Name is the name of the template in which the error was encountered.
Node is the node that caused the problem, if known.
If not nil, it overrides Name and Line.
(*T) Error() string
*T : error
func eatAttrName(s []byte, i int) (int, *Error)
func errorf(k ErrorCode, node parse.Node, line int, f string, args ...interface{}) *Error
FuncMap is the type of the map defining the mapping from names to
functions. Each function must have either a single return value, or two
return values of which the second has type error. In that case, if the
second (error) argument evaluates to non-nil during execution, execution
terminates and Execute returns that error. FuncMap has the same base type
as FuncMap in "text/template", copied here so clients need not import
"text/template".
func (*Template).Funcs(funcMap FuncMap) *Template
HTML encapsulates a known safe HTML document fragment.
It should not be used for HTML from a third-party, or HTML with
unclosed tags or comments. The outputs of a sound HTML sanitizer
and a template escaped by this package are fine for use with HTML.
Use of this type presents a security risk:
the encapsulated content should come from a trusted source,
as it will be included verbatim in the template output.
HTMLAttr encapsulates an HTML attribute from a trusted source,
for example, ` dir="ltr"`.
Use of this type presents a security risk:
the encapsulated content should come from a trusted source,
as it will be included verbatim in the template output.
JS encapsulates a known safe EcmaScript5 Expression, for example,
`(x + y * z())`.
Template authors are responsible for ensuring that typed expressions
do not break the intended precedence and that there is no
statement/expression ambiguity as when passing an expression like
"{ foo: bar() }\n['foo']()", which is both a valid Expression and a
valid Program with a very different meaning.
Use of this type presents a security risk:
the encapsulated content should come from a trusted source,
as it will be included verbatim in the template output.
Using JS to include valid but untrusted JSON is not safe.
A safe alternative is to parse the JSON with json.Unmarshal and then
pass the resultant object into the template, where it will be
converted to sanitized JSON when presented in a JavaScript context.
JSStr encapsulates a sequence of characters meant to be embedded
between quotes in a JavaScript expression.
The string must match a series of StringCharacters:
StringCharacter :: SourceCharacter but not `\` or LineTerminator
| EscapeSequence
Note that LineContinuations are not allowed.
JSStr("foo\\nbar") is fine, but JSStr("foo\\\nbar") is not.
Use of this type presents a security risk:
the encapsulated content should come from a trusted source,
as it will be included verbatim in the template output.
Srcset encapsulates a known safe srcset attribute
(see https://w3c.github.io/html/semantics-embedded-content.html#element-attrdef-img-srcset).
Use of this type presents a security risk:
the encapsulated content should come from a trusted source,
as it will be included verbatim in the template output.
Template is a specialized Template from "text/template" that produces a safe
HTML document fragment.
The underlying template's parse tree, updated to be HTML-safe.
Sticky error if escaping fails, or escapeOK if succeeded.
// common to all associated templates
nameSpace.escescapernameSpace.escapedboolnameSpace.musync.MutexnameSpace.setmap[string]*Template
We could embed the text/template field, but it's safer not to because
we need to keep our version of the name space and the underlying
template's in sync.
AddParseTree creates a new template with the name and parse tree
and associates it with t.
It returns an error if t or any associated template has already been executed.
Clone returns a duplicate of the template, including all associated
templates. The actual representation is not copied, but the name space of
associated templates is, so further calls to Parse in the copy will add
templates to the copy but not to the original. Clone can be used to prepare
common templates and use them with variant definitions for other templates
by adding the variants after the clone is made.
It returns an error if t has already been executed.
DefinedTemplates returns a string listing the defined templates,
prefixed by the string "; defined templates are: ". If there are none,
it returns the empty string. Used to generate an error message.
Delims sets the action delimiters to the specified strings, to be used in
subsequent calls to Parse, ParseFiles, or ParseGlob. Nested template
definitions will inherit the settings. An empty delimiter stands for the
corresponding default: {{ or }}.
The return value is the template, so calls can be chained.
Execute applies a parsed template to the specified data object,
writing the output to wr.
If an error occurs executing the template or writing its output,
execution stops, but partial results may already have been written to
the output writer.
A template may be executed safely in parallel, although if parallel
executions share a Writer the output may be interleaved.
ExecuteTemplate applies the template associated with t that has the given
name to the specified data object and writes the output to wr.
If an error occurs executing the template or writing its output,
execution stops, but partial results may already have been written to
the output writer.
A template may be executed safely in parallel, although if parallel
executions share a Writer the output may be interleaved.
Funcs adds the elements of the argument map to the template's function map.
It must be called before the template is parsed.
It panics if a value in the map is not a function with appropriate return
type. However, it is legal to overwrite elements of the map. The return
value is the template, so calls can be chained.
Lookup returns the template with the given name that is associated with t,
or nil if there is no such template.
Name returns the name of the template.
New allocates a new HTML template associated with the given one
and with the same delimiters. The association, which is transitive,
allows one template to invoke another with a {{template}} action.
If a template with the given name already exists, the new HTML template
will replace it. The existing template will be reset and disassociated with
t.
Option sets options for the template. Options are described by
strings, either a simple string or "key=value". There can be at
most one equals sign in an option string. If the option string
is unrecognized or otherwise invalid, Option panics.
Known options:
missingkey: Control the behavior during execution if a map is
indexed with a key that is not present in the map.
"missingkey=default" or "missingkey=invalid"
The default behavior: Do nothing and continue execution.
If printed, the result of the index operation is the string
"<no value>".
"missingkey=zero"
The operation returns the zero value for the map type's element.
"missingkey=error"
Execution stops immediately with an error.
Parse parses text as a template body for t.
Named template definitions ({{define ...}} or {{block ...}} statements) in text
define additional templates associated with t and are removed from the
definition of t itself.
Templates can be redefined in successive calls to Parse,
before the first use of Execute on t or any associated template.
A template definition with a body containing only white space and comments
is considered empty and will not replace an existing template's body.
This allows using Parse to add new named template definitions without
overwriting the main template body.
ParseFS is like ParseFiles or ParseGlob but reads from the file system fs
instead of the host operating system's file system.
It accepts a list of glob patterns.
(Note that most file names serve as glob patterns matching only themselves.)
ParseFiles parses the named files and associates the resulting templates with
t. If an error occurs, parsing stops and the returned template is nil;
otherwise it is t. There must be at least one file.
When parsing multiple files with the same name in different directories,
the last one mentioned will be the one that results.
ParseFiles returns an error if t or any associated template has already been executed.
ParseGlob parses the template definitions in the files identified by the
pattern and associates the resulting templates with t. The files are matched
according to the semantics of filepath.Match, and the pattern must match at
least one file. ParseGlob is equivalent to calling t.ParseFiles with the
list of files matched by the pattern.
When parsing multiple files with the same name in different directories,
the last one mentioned will be the one that results.
ParseGlob returns an error if t or any associated template has already been executed.
Templates returns a slice of the templates associated with t, including t
itself.
checkCanParse checks whether it is OK to parse templates.
If not, it returns an error.
escape escapes all associated templates.
lookupAndEscapeTemplate guarantees that the template with the given name
is escaped, or returns an error if it cannot be. It returns the named
template.
new is the implementation of New, without the lock.
func Must(t *Template, err error) *Template
func New(name string) *Template
func ParseFiles(filenames ...string) (*Template, error)
func ParseFS(fs fs.FS, patterns ...string) (*Template, error)
func ParseGlob(pattern string) (*Template, error)
func (*Template).AddParseTree(name string, tree *parse.Tree) (*Template, error)
func (*Template).Clone() (*Template, error)
func (*Template).Delims(left, right string) *Template
func (*Template).Funcs(funcMap FuncMap) *Template
func (*Template).Lookup(name string) *Template
func (*Template).New(name string) *Template
func (*Template).Option(opt ...string) *Template
func (*Template).Parse(text string) (*Template, error)
func (*Template).ParseFiles(filenames ...string) (*Template, error)
func (*Template).ParseFS(fs fs.FS, patterns ...string) (*Template, error)
func (*Template).ParseGlob(pattern string) (*Template, error)
func (*Template).Templates() []*Template
func parseFiles(t *Template, readFile func(string) (string, []byte, error), filenames ...string) (*Template, error)
func parseFS(t *Template, fsys fs.FS, patterns []string) (*Template, error)
func parseGlob(t *Template, pattern string) (*Template, error)
func (*Template).lookupAndEscapeTemplate(name string) (tmpl *Template, err error)
func (*Template).new(name string) *Template
func Must(t *Template, err error) *Template
func escapeTemplate(tmpl *Template, node parse.Node, name string) error
func parseFiles(t *Template, readFile func(string) (string, []byte, error), filenames ...string) (*Template, error)
func parseFS(t *Template, fsys fs.FS, patterns []string) (*Template, error)
func parseGlob(t *Template, pattern string) (*Template, error)
URL encapsulates a known safe URL or URL substring (see RFC 3986).
A URL like `javascript:checkThatFormNotEditedBeforeLeavingPage()`
from a trusted source should go in the page, but by default dynamic
`javascript:` URLs are filtered out since they are a frequently
exploited injection vector.
Use of this type presents a security risk:
the encapsulated content should come from a trusted source,
as it will be included verbatim in the template output.
element identifies the HTML element when inside a start tag or special body.
Certain HTML element (for example <script> and <style>) have bodies that are
treated differently from stateText so the element type is necessary to
transition into the correct context at the end of a tag and to identify the
end delimiter for the body.
( T) String() string
T : fmt.Stringer
T : context.stringer
T : os/signal.stringer
T : runtime.stringer
func eatTagName(s []byte, i int) (int, element)
const elementNone
const elementScript
const elementStyle
const elementTextarea
const elementTitle
escaper collects type inferences about templates and changes needed to make
templates injection safe.
xxxNodeEdits are the accumulated edits to apply during commit.
Such edits are not applied immediately in case a template set
executes a given template in different escaping contexts.
called[templateName] is a set of called mangled template names.
derived[c.mangle(name)] maps to a template derived from the template
named name templateName for the start context c.
ns is the nameSpace that this escaper is associated with.
output[templateName] is the output context for a templateName that
has been mangled to include its input context.
templateNodeEditsmap[*parse.TemplateNode]stringtextNodeEditsmap[*parse.TextNode][]byte
arbitraryTemplate returns an arbitrary template from the name space
associated with e and panics if no templates are found.
commit applies changes to actions and template calls needed to contextually
autoescape content and adds any derived templates to the set.
computeOutCtx takes a template and its start context and computes the output
context while storing any inferences in e.
editActionNode records a change to an action pipeline for later commit.
editTemplateNode records a change to a {{template}} callee for later commit.
editTextNode records a change to a text node for later commit.
escape escapes a template node.
escapeAction escapes an action template node.
escapeBranch escapes a branch template node: "if", "range" and "with".
escapeList escapes a list template node.
escapeListConditionally escapes a list node but only preserves edits and
inferences in e if the inferences and output context satisfy filter.
It returns the best guess at an output context, and the result of the filter
which is the same as whether e was updated.
escapeTemplate escapes a {{template}} call node.
escapeTemplateBody escapes the given template assuming the given output
context, and returns the best guess at the output context and whether the
assumption was correct.
escapeText escapes a text template node.
escapeTree escapes the named template starting in the given context as
necessary and returns its output context.
template returns the named template given a mangled template name.
func makeEscaper(n *nameSpace) escaper
Package-Level Functions (total 93, in which 13 are exported)
HTMLEscape writes to w the escaped HTML equivalent of the plain text data b.
HTMLEscaper returns the escaped HTML equivalent of the textual
representation of its arguments.
HTMLEscapeString returns the escaped HTML equivalent of the plain text data s.
IsTrue reports whether the value is 'true', in the sense of not the zero of its type,
and whether the value has a meaningful truth value. This is the definition of
truth used by if and other such actions.
JSEscape writes to w the escaped JavaScript equivalent of the plain text data b.
JSEscaper returns the escaped JavaScript equivalent of the textual
representation of its arguments.
JSEscapeString returns the escaped JavaScript equivalent of the plain text data s.
Must is a helper that wraps a call to a function returning (*Template, error)
and panics if the error is non-nil. It is intended for use in variable initializations
such as
var t = template.Must(template.New("name").Parse("html"))
New allocates a new HTML template with the given name.
ParseFiles creates a new Template and parses the template definitions from
the named files. The returned template's name will have the (base) name and
(parsed) contents of the first file. There must be at least one file.
If an error occurs, parsing stops and the returned *Template is nil.
When parsing multiple files with the same name in different directories,
the last one mentioned will be the one that results.
For instance, ParseFiles("a/foo", "b/foo") stores "b/foo" as the template
named "foo", while "a/foo" is unavailable.
ParseFS is like ParseFiles or ParseGlob but reads from the file system fs
instead of the host operating system's file system.
It accepts a list of glob patterns.
(Note that most file names serve as glob patterns matching only themselves.)
ParseGlob creates a new Template and parses the template definitions from
the files identified by the pattern. The files are matched according to the
semantics of filepath.Match, and the pattern must match at least one file.
The returned template will have the (base) name and (parsed) contents of the
first file matched by the pattern. ParseGlob is equivalent to calling
ParseFiles with the list of files matched by the pattern.
When parsing multiple files with the same name in different directories,
the last one mentioned will be the one that results.
URLQueryEscaper returns the escaped value of the textual representation of
its arguments in a form suitable for embedding in a URL query.
appendCmd appends the given command to the end of the command pipeline
unless it is redundant with the last command.
asciiAlpha reports whether c is an ASCII letter.
asciiAlphaNum reports whether c is an ASCII letter or digit.
attrEscaper escapes for inclusion in quoted attribute values.
attrType returns a conservative (upper-bound on authority) guess at the
type of the lowercase named attribute.
commentEscaper returns the empty string regardless of input.
Comment content does not correspond to any parsed structure or
human-readable content, so the simplest and most secure policy is to drop
content interpolated into comments.
This approach is equally valid whether or not static comment content is
removed from the template.
contextAfterText starts in context c, consumes some tokens from the front of
s, then returns the context after those tokens and the unprocessed suffix.
cssEscaper escapes HTML and CSS special characters using \<hex>+ escapes.
cssValueFilter allows innocuous CSS values in the output including CSS
quantities (10px or 25%), ID or class literals (#foo, .bar), keyword values
(inherit, blue), and colors (#888).
It filters out unsafe values, such as those that affect token boundaries,
and anything that might execute scripts.
decodeCSS decodes CSS3 escapes given a sequence of stringchars.
If there is no change, it returns the input, otherwise it returns a slice
backed by a new array.
https://www.w3.org/TR/css3-syntax/#SUBTOK-stringchar defines stringchar.
eatAttrName returns the largest j such that s[i:j] is an attribute name.
It returns an error if s[i:] does not look like it begins with an
attribute name, such as encountering a quote mark without a preceding
equals sign.
eatTagName returns the largest j such that s[i:j] is a tag name and the tag type.
eatWhiteSpace returns the largest j such that s[i:j] is white space.
endsWithCSSKeyword reports whether b ends with an ident that
case-insensitively matches the lower-case kw.
ensurePipelineContains ensures that the pipeline ends with the commands with
the identifiers in s in order. If the pipeline ends with a predefined escaper
(i.e. "html" or "urlquery"), merge it with the identifiers in s.
errorf creates an error given a format string f and args.
The template Name still needs to be supplied.
escapeTemplate rewrites the named template, which must be
associated with t, to guarantee that the output of any of the named
templates is properly escaped. If no error is returned, then the named templates have
been modified. Otherwise the named templates have been rendered
unusable.
escFnsEq reports whether the two escaping functions are equivalent.
evalArgs formats the list of arguments into a string. It is equivalent to
fmt.Sprint(args...), except that it deferences all pointers.
hexDecode decodes a short hex digit sequence: "10" -> 16.
htmlEscaper escapes for inclusion in HTML text.
htmlNameFilter accepts valid parts of an HTML attribute or tag name or
a known-safe HTML attribute.
htmlNospaceEscaper escapes for inclusion in unquoted attribute values.
htmlReplacer returns s with runes replaced according to replacementTable
and when badRunes is true, certain bad runes are allowed through unescaped.
indexTagEnd finds the index of a special tag end in a case insensitive way, or returns -1
indirect returns the value, after dereferencing as many times
as necessary to reach the base type (or nil).
indirectToJSONMarshaler returns the value, after dereferencing as many times
as necessary to reach the base type (or nil) or an implementation of json.Marshal.
indirectToStringerOrError returns the value, after dereferencing as many times
as necessary to reach the base type (or nil) or an implementation of fmt.Stringer
or error,
isComment is true for any state that contains content meant for template
authors & maintainers, not for end-users or machines.
isCSSNmchar reports whether rune is allowed anywhere in a CSS identifier.
isCSSSpace reports whether b is a CSS space char as defined in wc.
isHex reports whether the given character is a hex digit.
isHTMLSpace is true iff c is a whitespace character per
https://infra.spec.whatwg.org/#ascii-whitespace
isInTag return whether s occurs solely inside an HTML tag.
isJSIdentPart reports whether the given rune is a JS identifier part.
It does not handle all the non-Latin letters, joiners, and combining marks,
but it does handle every codepoint that can occur in a numeric literal or
a keyword.
isJSType reports whether the given MIME type should be considered JavaScript.
It is used to determine whether a script tag with a type attribute is a javascript container.
isSafeURL is true if s is a relative URL or if URL has a protocol in
(http, https, mailto).
join joins the two contexts of a branch template node. The result is an
error context if either of the input contexts are error contexts, or if the
input contexts differ.
jsRegexpEscaper behaves like jsStrEscaper but escapes regular expression
specials so the result is treated literally when included in a regular
expression literal. /foo{{.X}}bar/ matches the string "foo" followed by
the literal text of {{.X}} followed by the string "bar".
jsStrEscaper produces a string that can be included between quotes in
JavaScript source, in JavaScript embedded in an HTML5 <script> element,
or in an HTML5 event handler attribute such as onclick.
jsValEscaper escapes its inputs to a JS Expression (section 11.14) that has
neither side-effects nor free variables outside (NaN, Infinity).
makeEscaper creates a blank escaper for the given set.
newIdentCmd produces a command containing a single identifier node.
nextJSCtx returns the context that determines whether a slash after the
given run of tokens starts a regular expression instead of a division
operator: / or /=.
This assumes that the token run does not include any string tokens, comment
tokens, regular expression literal tokens, or division operators.
This fails on some valid but nonsensical JavaScript programs like
"x = ++/foo/i" which is quite different than "x++/foo/i", but is not known to
fail on any known useful programs. It is based on the draft
JavaScript 2.0 lexical grammar and requires one token of lookbehind:
https://www.mozilla.org/js/language/js20-2000-07/rationale/syntax.html
normalizeEscFn(a) is equal to normalizeEscFn(b) for any pair of names of
escaper functions a and b that are equivalent.
nudge returns the context that would result from following empty string
transitions from the input context.
For example, parsing:
`<a href=`
will end in context{stateBeforeValue, attrURL}, but parsing one extra rune:
`<a href=x`
will end in context{stateURL, delimSpaceOrTagEnd, ...}.
There are two transitions that happen when the 'x' is seen:
(1) Transition from a before-value state to a start-of-value state without
consuming any character.
(2) Consume 'x' and transition past the first value character.
In this case, nudging produces the context after (1) happens.
parseFiles is the helper for the method and function. If the argument
template is nil, it is created from the first file.
replace replaces each rune r of s with replacementTable[r], provided that
r < len(replacementTable). If replacementTable[r] is the empty string then
no replacement is made.
It also replaces runes U+2028 and U+2029 with the raw strings `\u2028` and
`\u2029`.
skipCSSSpace returns a suffix of c, skipping over a single space.
Filters and normalizes srcset values which are comma separated
URLs followed by metadata.
stringify converts its arguments to a string and the type of the content.
All pointers are dereferenced, as in the text/template package.
stripTags takes a snippet of HTML and returns only the text content.
For example, `<b>¡Hi!</b> <script>...</script>` -> `¡Hi! `.
tAfterName is the context transition function for stateAfterName.
tAttr is the context transition function for the attribute state.
tAttrName is the context transition function for stateAttrName.
tBeforeValue is the context transition function for stateBeforeValue.
tBlockCmt is the context transition function for /*comment*/ states.
tCSS is the context transition function for the CSS state.
tCSSStr is the context transition function for the CSS string and URL states.
tError is the context transition function for the error state.
tHTMLCmt is the context transition function for stateHTMLCmt.
tJS is the context transition function for the JS state.
tJSDelimited is the context transition function for the JS string and regexp
states.
tLineCmt is the context transition function for //comment states.
tSpecialTagEnd is the context transition function for raw text and RCDATA
element states.
tTag is the context transition function for the tag state.
tText is the context transition function for the text state.
tURL is the context transition function for the URL state.
urlEscaper produces an output that can be embedded in a URL query.
The output can be embedded in an HTML attribute without further escaping.
urlFilter returns its input unless it contains an unsafe scheme in which
case it defangs the entire URL.
Schemes that cause unintended side effects that are irreversible without user
interaction are considered unsafe. For example, clicking on a "javascript:"
link can immediately trigger JavaScript code execution.
This filter conservatively assumes that all schemes other than the following
are unsafe:
* http: Navigates to a new website, and may open a new window or tab.
These side effects can be reversed by navigating back to the
previous website, or closing the window or tab. No irreversible
changes will take place without further user interaction with
the new website.
* https: Same as http.
* mailto: Opens an email program and starts a new draft. This side effect
is not irreversible until the user explicitly clicks send; it
can be undone by closing the email program.
To allow URLs containing other schemes to bypass this filter, developers must
explicitly indicate that such a URL is expected and safe by encapsulating it
in a template.URL value.
urlNormalizer normalizes URL content so it can be embedded in a quote-delimited
string or parenthesis delimited url(...).
The normalizer does not encode all HTML specials. Specifically, it does not
encode '&' so correct embedding in an HTML attribute requires escaping of
'&' to '&'.
urlProcessor normalizes (when norm is true) or escapes its input to produce
a valid hierarchical or opaque URL part.
Package-Level Variables (total 39, none are exported)
attrTypeMap[n] describes the value of the given attribute.
If an attribute affects (or can mask) the encoding or interpretation of
other content, or affects the contents, idempotency, or credentials of a
network message, then the value in this map is contentTypeUnsafe.
This map is derived from HTML5, specifically
https://www.w3.org/TR/html5/Overview.html#attributes-1
as well as "%URI"-typed attributes from
https://www.w3.org/TR/html4/index/attributes.html
funcMap maps command names to functions that render their inputs safe.
htmlNormReplacementTable is like htmlReplacementTable but without '&' to
avoid over-encoding existing entities.
htmlNospaceNormReplacementTable is like htmlNospaceReplacementTable but
without '&' to avoid over-encoding existing entities.
htmlNospaceReplacementTable contains the runes that need to be escaped
inside an unquoted attribute value.
The set of runes escaped is the union of the HTML specials and
those determined by running the JS below in browsers:
<div id=d></div>
<script>(function () {
var a = [], d = document.getElementById("d"), i, c, s;
for (i = 0; i < 0x10000; ++i) {
c = String.fromCharCode(i);
d.innerHTML = "<span title=" + c + "lt" + c + "></span>"
s = d.getElementsByTagName("SPAN")[0];
if (!s || s.title !== c + "lt" + c) { a.push(i.toString(16)); }
}
document.write(a.join(", "));
})()</script>
htmlReplacementTable contains the runes that need to be escaped
inside a quoted attribute value or in a text node.
transitionFunc is the array of context transition functions for text nodes.
A transition function takes a context and template text input, and returns
the updated context and the number of bytes consumed from the front of the
input.
Package-Level Constants (total 76, in which 12 are exported)
ErrAmbigContext: "... appears in an ambiguous context within a URL"
Example:
<a href="
{{if .C}}
/path/
{{else}}
/search?q=
{{end}}
{{.X}}
">
Discussion:
{{.X}} is in an ambiguous URL context since, depending on {{.C}},
it may be either a URL suffix or a query parameter.
Moving {{.X}} into the condition removes the ambiguity:
<a href="{{if .C}}/path/{{.X}}{{else}}/search?q={{.X}}">
ErrBadHTML: "expected space, attr name, or end of tag, but got ...",
"... in unquoted attr", "... in attribute name"
Example:
<a href = /search?q=foo>
<href=foo>
<form na<e=...>
<option selected<
Discussion:
This is often due to a typo in an HTML element, but some runes
are banned in tag names, attribute names, and unquoted attribute
values because they can tickle parser ambiguities.
Quoting all attributes is the best policy.
ErrBranchEnd: "{{if}} branches end in different contexts"
Example:
{{if .C}}<a href="{{end}}{{.X}}
Discussion:
Package html/template statically examines each path through an
{{if}}, {{range}}, or {{with}} to escape any following pipelines.
The example is ambiguous since {{.X}} might be an HTML text node,
or a URL prefix in an HTML attribute. The context of {{.X}} is
used to figure out how to escape it, but that context depends on
the run-time value of {{.C}} which is not statically known.
The problem is usually something like missing quotes or angle
brackets, or can be avoided by refactoring to put the two contexts
into different branches of an if, range or with. If the problem
is in a {{range}} over a collection that should never be empty,
adding a dummy {{else}} can help.
ErrEndContext: "... ends in a non-text context: ..."
Examples:
<div
<div title="no close quote>
<script>f()
Discussion:
Executed templates should produce a DocumentFragment of HTML.
Templates that end without closing tags will trigger this error.
Templates that should not be used in an HTML context or that
produce incomplete Fragments should not be executed directly.
{{define "main"}} <script>{{template "helper"}}</script> {{end}}
{{define "helper"}} document.write(' <div title=" ') {{end}}
"helper" does not produce a valid document fragment, so should
not be Executed directly.
ErrNoSuchTemplate: "no such template ..."
Examples:
{{define "main"}}<div {{template "attrs"}}>{{end}}
{{define "attrs"}}href="{{.URL}}"{{end}}
Discussion:
Package html/template looks through template calls to compute the
context.
Here the {{.URL}} in "attrs" must be treated as a URL when called
from "main", but you will get this error if "attrs" is not defined
when "main" is parsed.
ErrOutputContext: "cannot compute output context for template ..."
Examples:
{{define "t"}}{{if .T}}{{template "t" .T}}{{end}}{{.H}}",{{end}}
Discussion:
A recursive template does not end in the same context in which it
starts, and a reliable output context cannot be computed.
Look for typos in the named template.
If the template should not be called in the named start context,
look for calls to that template in unexpected contexts.
Maybe refactor recursive templates to not be recursive.
ErrPartialCharset: "unfinished JS regexp charset in ..."
Example:
<script>var pattern = /foo[{{.Chars}}]/</script>
Discussion:
Package html/template does not support interpolation into regular
expression literal character sets.
ErrPartialEscape: "unfinished escape sequence in ..."
Example:
<script>alert("\{{.X}}")</script>
Discussion:
Package html/template does not support actions following a
backslash.
This is usually an error and there are better solutions; for
example
<script>alert("{{.X}}")</script>
should work, and if {{.X}} is a partial escape sequence such as
"xA0", mark the whole sequence as safe content: JSStr(`\xA0`)
ErrPredefinedEscaper: "predefined escaper ... disallowed in template"
Example:
<div class={{. | html}}>Hello<div>
Discussion:
Package html/template already contextually escapes all pipelines to
produce HTML output safe against code injection. Manually escaping
pipeline output using the predefined escapers "html" or "urlquery" is
unnecessary, and may affect the correctness or safety of the escaped
pipeline output in Go 1.8 and earlier.
In most cases, such as the given example, this error can be resolved by
simply removing the predefined escaper from the pipeline and letting the
contextual autoescaper handle the escaping of the pipeline. In other
instances, where the predefined escaper occurs in the middle of a
pipeline where subsequent commands expect escaped input, e.g.
{{.X | html | makeALink}}
where makeALink does
return `<a href="`+input+`">link</a>`
consider refactoring the surrounding template to make use of the
contextual autoescaper, i.e.
<a href="{{.X}}">link</a>
To ease migration to Go 1.9 and beyond, "html" and "urlquery" will
continue to be allowed as the last command in a pipeline. However, if the
pipeline occurs in an unquoted attribute value context, "html" is
disallowed. Avoid using "html" and "urlquery" entirely in new templates.
ErrRangeLoopReentry: "on range loop re-entry: ..."
Example:
<script>var x = [{{range .}}'{{.}},{{end}}]</script>
Discussion:
If an iteration through a range would cause it to end in a
different context than an earlier pass, there is no single context.
In the example, there is missing a quote, so it is not clear
whether {{.}} is meant to be inside a JS string or in a JS value
context. The second iteration would produce something like
<script>var x = ['firstValue,'secondValue]</script>
ErrSlashAmbig: '/' could start a division or regexp.
Example:
<script>
{{if .C}}var x = 1{{end}}
/-{{.N}}/i.test(x) ? doThis : doThat();
</script>
Discussion:
The example above could produce `var x = 1/-2/i.test(s)...`
in which the first '/' is a mathematical division operator or it
could produce `/-2/i.test(s)` in which the first '/' starts a
regexp literal.
Look for missing semicolons inside branches, and maybe add
parentheses to make it clear which interpretation you intend.
contentTypeUnsafe is used in attr.go for values that affect how
embedded content and network messages are formed, vetted,
or interpreted; or which credentials network messages carry.
delimDoubleQuote occurs when a double quote (") closes the attribute.
delimNone occurs outside any attribute.
delimSingleQuote occurs when a single quote (') closes the attribute.
delimSpaceOrTagEnd occurs when a space or right angle bracket (>)
closes the attribute.
elementNone occurs outside a special tag or special element body.
elementScript corresponds to the raw text <script> element
with JS MIME type or no type attribute.
elementStyle corresponds to the raw text <style> element.
elementTextarea corresponds to the RCDATA <textarea> element.
elementTitle corresponds to the RCDATA <title> element.
filterFailsafe is an innocuous word that is emitted in place of unsafe values
by sanitizer functions. It is not a keyword in any programming language,
contains no special characters, is not empty, and when it appears in output
it is distinct enough that a developer can find the source of the problem
via a search engine.
Derived from https://play.golang.org/p/Dhmj7FORT5
jsCtxDivOp occurs where a '/' would start a division operator.
jsCtxRegexp occurs where a '/' would start a regexp literal.
jsCtxUnknown occurs where a '/' is ambiguous due to context joining.
stateAfterName occurs after an attr name has ended but before any
equals sign. It occurs between the ^'s in ` name^ ^= value`.
stateAttr occurs inside an HTML attribute whose content is text.
stateAttrName occurs inside an attribute name.
It occurs between the ^'s in ` ^name^ = value`.
stateBeforeValue occurs after the equals sign but before the value.
It occurs between the ^'s in ` name =^ ^value`.
stateCSS occurs inside a <style> element or style attribute.
stateCSSBlockCmt occurs inside a CSS /* block comment */.
stateCSSDqStr occurs inside a CSS double quoted string.
stateCSSDqURL occurs inside a CSS double quoted url("...").
stateCSSLineCmt occurs inside a CSS // line comment.
stateCSSSqStr occurs inside a CSS single quoted string.
stateCSSSqURL occurs inside a CSS single quoted url('...').
stateCSSURL occurs inside a CSS unquoted url(...).
stateError is an infectious error state outside any valid
HTML/CSS/JS construct.
stateHTMLCmt occurs inside an <!-- HTML comment -->.
stateJS occurs inside an event handler or script element.
stateJSBlockCmt occurs inside a JavaScript /* block comment */.
stateJSDqStr occurs inside a JavaScript double quoted string.
stateJSLineCmt occurs inside a JavaScript // line comment.
stateJSRegexp occurs inside a JavaScript regexp literal.
stateJSSqStr occurs inside a JavaScript single quoted string.
stateRCDATA occurs inside an RCDATA element (<textarea> or <title>)
as described at https://www.w3.org/TR/html5/syntax.html#elements-0
stateSrcset occurs inside an HTML srcset attribute.
stateTag occurs before an HTML attribute or the end of a tag.
stateText is parsed character data. An HTML parser is in
this state when its parse position is outside an HTML tag,
directive, comment, and special element body.
stateURL occurs inside an HTML attribute whose content is a URL.
urlPartNone occurs when not in a URL, or possibly at the start:
^ in "^http://auth/path?k=v#frag".
urlPartPreQuery occurs in the scheme, authority, or path; between the
^s in "h^ttp://auth/path^?k=v#frag".
urlPartQueryOrFrag occurs in the query portion between the ^s in
"http://auth/path?^k=v#frag^".
urlPartUnknown occurs due to joining of contexts both before and
after the query separator.
The pages are generated with Goldsv0.3.2. (GOOS=linux GOARCH=amd64)
Golds is a Go 101 project developed by Tapir Liu.
PR and bug reports are welcome and can be submitted to the issue list.
Please follow @Go100and1 (reachable from the left QR code) to get the latest news of Golds.
