hugo

Fork of github.com/gohugoio/hugo with reverse pagination support

git clone git://git.shimmy1996.com/hugo.git

attr.go (6371B)

    1 // Copyright 2011 The Go Authors. All rights reserved.
    2 // Use of this source code is governed by a BSD-style
    3 // license that can be found in the LICENSE file.
    4 
    5 package template
    6 
    7 import (
    8 	"strings"
    9 )
   10 
   11 // attrTypeMap[n] describes the value of the given attribute.
   12 // If an attribute affects (or can mask) the encoding or interpretation of
   13 // other content, or affects the contents, idempotency, or credentials of a
   14 // network message, then the value in this map is contentTypeUnsafe.
   15 // This map is derived from HTML5, specifically
   16 // https://www.w3.org/TR/html5/Overview.html#attributes-1
   17 // as well as "%URI"-typed attributes from
   18 // https://www.w3.org/TR/html4/index/attributes.html
   19 var attrTypeMap = map[string]contentType{
   20 	"accept":          contentTypePlain,
   21 	"accept-charset":  contentTypeUnsafe,
   22 	"action":          contentTypeURL,
   23 	"alt":             contentTypePlain,
   24 	"archive":         contentTypeURL,
   25 	"async":           contentTypeUnsafe,
   26 	"autocomplete":    contentTypePlain,
   27 	"autofocus":       contentTypePlain,
   28 	"autoplay":        contentTypePlain,
   29 	"background":      contentTypeURL,
   30 	"border":          contentTypePlain,
   31 	"checked":         contentTypePlain,
   32 	"cite":            contentTypeURL,
   33 	"challenge":       contentTypeUnsafe,
   34 	"charset":         contentTypeUnsafe,
   35 	"class":           contentTypePlain,
   36 	"classid":         contentTypeURL,
   37 	"codebase":        contentTypeURL,
   38 	"cols":            contentTypePlain,
   39 	"colspan":         contentTypePlain,
   40 	"content":         contentTypeUnsafe,
   41 	"contenteditable": contentTypePlain,
   42 	"contextmenu":     contentTypePlain,
   43 	"controls":        contentTypePlain,
   44 	"coords":          contentTypePlain,
   45 	"crossorigin":     contentTypeUnsafe,
   46 	"data":            contentTypeURL,
   47 	"datetime":        contentTypePlain,
   48 	"default":         contentTypePlain,
   49 	"defer":           contentTypeUnsafe,
   50 	"dir":             contentTypePlain,
   51 	"dirname":         contentTypePlain,
   52 	"disabled":        contentTypePlain,
   53 	"draggable":       contentTypePlain,
   54 	"dropzone":        contentTypePlain,
   55 	"enctype":         contentTypeUnsafe,
   56 	"for":             contentTypePlain,
   57 	"form":            contentTypeUnsafe,
   58 	"formaction":      contentTypeURL,
   59 	"formenctype":     contentTypeUnsafe,
   60 	"formmethod":      contentTypeUnsafe,
   61 	"formnovalidate":  contentTypeUnsafe,
   62 	"formtarget":      contentTypePlain,
   63 	"headers":         contentTypePlain,
   64 	"height":          contentTypePlain,
   65 	"hidden":          contentTypePlain,
   66 	"high":            contentTypePlain,
   67 	"href":            contentTypeURL,
   68 	"hreflang":        contentTypePlain,
   69 	"http-equiv":      contentTypeUnsafe,
   70 	"icon":            contentTypeURL,
   71 	"id":              contentTypePlain,
   72 	"ismap":           contentTypePlain,
   73 	"keytype":         contentTypeUnsafe,
   74 	"kind":            contentTypePlain,
   75 	"label":           contentTypePlain,
   76 	"lang":            contentTypePlain,
   77 	"language":        contentTypeUnsafe,
   78 	"list":            contentTypePlain,
   79 	"longdesc":        contentTypeURL,
   80 	"loop":            contentTypePlain,
   81 	"low":             contentTypePlain,
   82 	"manifest":        contentTypeURL,
   83 	"max":             contentTypePlain,
   84 	"maxlength":       contentTypePlain,
   85 	"media":           contentTypePlain,
   86 	"mediagroup":      contentTypePlain,
   87 	"method":          contentTypeUnsafe,
   88 	"min":             contentTypePlain,
   89 	"multiple":        contentTypePlain,
   90 	"name":            contentTypePlain,
   91 	"novalidate":      contentTypeUnsafe,
   92 	// Skip handler names from
   93 	// https://www.w3.org/TR/html5/webappapis.html#event-handlers-on-elements,-document-objects,-and-window-objects
   94 	// since we have special handling in attrType.
   95 	"open":        contentTypePlain,
   96 	"optimum":     contentTypePlain,
   97 	"pattern":     contentTypeUnsafe,
   98 	"placeholder": contentTypePlain,
   99 	"poster":      contentTypeURL,
  100 	"profile":     contentTypeURL,
  101 	"preload":     contentTypePlain,
  102 	"pubdate":     contentTypePlain,
  103 	"radiogroup":  contentTypePlain,
  104 	"readonly":    contentTypePlain,
  105 	"rel":         contentTypeUnsafe,
  106 	"required":    contentTypePlain,
  107 	"reversed":    contentTypePlain,
  108 	"rows":        contentTypePlain,
  109 	"rowspan":     contentTypePlain,
  110 	"sandbox":     contentTypeUnsafe,
  111 	"spellcheck":  contentTypePlain,
  112 	"scope":       contentTypePlain,
  113 	"scoped":      contentTypePlain,
  114 	"seamless":    contentTypePlain,
  115 	"selected":    contentTypePlain,
  116 	"shape":       contentTypePlain,
  117 	"size":        contentTypePlain,
  118 	"sizes":       contentTypePlain,
  119 	"span":        contentTypePlain,
  120 	"src":         contentTypeURL,
  121 	"srcdoc":      contentTypeHTML,
  122 	"srclang":     contentTypePlain,
  123 	"srcset":      contentTypeSrcset,
  124 	"start":       contentTypePlain,
  125 	"step":        contentTypePlain,
  126 	"style":       contentTypeCSS,
  127 	"tabindex":    contentTypePlain,
  128 	"target":      contentTypePlain,
  129 	"title":       contentTypePlain,
  130 	"type":        contentTypeUnsafe,
  131 	"usemap":      contentTypeURL,
  132 	"value":       contentTypeUnsafe,
  133 	"width":       contentTypePlain,
  134 	"wrap":        contentTypePlain,
  135 	"xmlns":       contentTypeURL,
  136 }
  137 
  138 // attrType returns a conservative (upper-bound on authority) guess at the
  139 // type of the lowercase named attribute.
  140 func attrType(name string) contentType {
  141 	if strings.HasPrefix(name, "data-") {
  142 		// Strip data- so that custom attribute heuristics below are
  143 		// widely applied.
  144 		// Treat data-action as URL below.
  145 		name = name[5:]
  146 	} else if prefix, short, ok := strings.Cut(name, ":"); ok {
  147 		if prefix == "xmlns" {
  148 			return contentTypeURL
  149 		}
  150 		// Treat svg:href and xlink:href as href below.
  151 		name = short
  152 	}
  153 	if t, ok := attrTypeMap[name]; ok {
  154 		return t
  155 	}
  156 	// Treat partial event handler names as script.
  157 	if strings.HasPrefix(name, "on") {
  158 		return contentTypeJS
  159 	}
  160 
  161 	// Heuristics to prevent "javascript:..." injection in custom
  162 	// data attributes and custom attributes like g:tweetUrl.
  163 	// https://www.w3.org/TR/html5/dom.html#embedding-custom-non-visible-data-with-the-data-*-attributes
  164 	// "Custom data attributes are intended to store custom data
  165 	//  private to the page or application, for which there are no
  166 	//  more appropriate attributes or elements."
  167 	// Developers seem to store URL content in data URLs that start
  168 	// or end with "URI" or "URL".
  169 	if strings.Contains(name, "src") ||
  170 		strings.Contains(name, "uri") ||
  171 		strings.Contains(name, "url") {
  172 		return contentTypeURL
  173 	}
  174 	return contentTypePlain
  175 }