html.go (7437B)
1 // Copyright 2011 The Go Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style 3 // license that can be found in the LICENSE file. 4 5 package template 6 7 import ( 8 "bytes" 9 "fmt" 10 "strings" 11 "unicode/utf8" 12 ) 13 14 // htmlNospaceEscaper escapes for inclusion in unquoted attribute values. 15 func htmlNospaceEscaper(args ...any) string { 16 s, t := stringify(args...) 17 if t == contentTypeHTML { 18 return htmlReplacer(stripTags(s), htmlNospaceNormReplacementTable, false) 19 } 20 return htmlReplacer(s, htmlNospaceReplacementTable, false) 21 } 22 23 // attrEscaper escapes for inclusion in quoted attribute values. 24 func attrEscaper(args ...any) string { 25 s, t := stringify(args...) 26 if t == contentTypeHTML { 27 return htmlReplacer(stripTags(s), htmlNormReplacementTable, true) 28 } 29 return htmlReplacer(s, htmlReplacementTable, true) 30 } 31 32 // rcdataEscaper escapes for inclusion in an RCDATA element body. 33 func rcdataEscaper(args ...any) string { 34 s, t := stringify(args...) 35 if t == contentTypeHTML { 36 return htmlReplacer(s, htmlNormReplacementTable, true) 37 } 38 return htmlReplacer(s, htmlReplacementTable, true) 39 } 40 41 // htmlEscaper escapes for inclusion in HTML text. 42 func htmlEscaper(args ...any) string { 43 s, t := stringify(args...) 44 if t == contentTypeHTML { 45 return s 46 } 47 return htmlReplacer(s, htmlReplacementTable, true) 48 } 49 50 // htmlReplacementTable contains the runes that need to be escaped 51 // inside a quoted attribute value or in a text node. 52 var htmlReplacementTable = []string{ 53 // https://www.w3.org/TR/html5/syntax.html#attribute-value-(unquoted)-state 54 // U+0000 NULL Parse error. Append a U+FFFD REPLACEMENT 55 // CHARACTER character to the current attribute's value. 56 // " 57 // and similarly 58 // https://www.w3.org/TR/html5/syntax.html#before-attribute-value-state 59 0: "\uFFFD", 60 '"': """, 61 '&': "&", 62 '\'': "'", 63 '+': "+", 64 '<': "<", 65 '>': ">", 66 } 67 68 // htmlNormReplacementTable is like htmlReplacementTable but without '&' to 69 // avoid over-encoding existing entities. 70 var htmlNormReplacementTable = []string{ 71 0: "\uFFFD", 72 '"': """, 73 '\'': "'", 74 '+': "+", 75 '<': "<", 76 '>': ">", 77 } 78 79 // htmlNospaceReplacementTable contains the runes that need to be escaped 80 // inside an unquoted attribute value. 81 // The set of runes escaped is the union of the HTML specials and 82 // those determined by running the JS below in browsers: 83 // <div id=d></div> 84 // <script>(function () { 85 // var a = [], d = document.getElementById("d"), i, c, s; 86 // for (i = 0; i < 0x10000; ++i) { 87 // c = String.fromCharCode(i); 88 // d.innerHTML = "<span title=" + c + "lt" + c + "></span>" 89 // s = d.getElementsByTagName("SPAN")[0]; 90 // if (!s || s.title !== c + "lt" + c) { a.push(i.toString(16)); } 91 // } 92 // document.write(a.join(", ")); 93 // })()</script> 94 var htmlNospaceReplacementTable = []string{ 95 0: "�", 96 '\t': "	", 97 '\n': " ", 98 '\v': "", 99 '\f': "", 100 '\r': " ", 101 ' ': " ", 102 '"': """, 103 '&': "&", 104 '\'': "'", 105 '+': "+", 106 '<': "<", 107 '=': "=", 108 '>': ">", 109 // A parse error in the attribute value (unquoted) and 110 // before attribute value states. 111 // Treated as a quoting character by IE. 112 '`': "`", 113 } 114 115 // htmlNospaceNormReplacementTable is like htmlNospaceReplacementTable but 116 // without '&' to avoid over-encoding existing entities. 117 var htmlNospaceNormReplacementTable = []string{ 118 0: "�", 119 '\t': "	", 120 '\n': " ", 121 '\v': "", 122 '\f': "", 123 '\r': " ", 124 ' ': " ", 125 '"': """, 126 '\'': "'", 127 '+': "+", 128 '<': "<", 129 '=': "=", 130 '>': ">", 131 // A parse error in the attribute value (unquoted) and 132 // before attribute value states. 133 // Treated as a quoting character by IE. 134 '`': "`", 135 } 136 137 // htmlReplacer returns s with runes replaced according to replacementTable 138 // and when badRunes is true, certain bad runes are allowed through unescaped. 139 func htmlReplacer(s string, replacementTable []string, badRunes bool) string { 140 written, b := 0, new(strings.Builder) 141 r, w := rune(0), 0 142 for i := 0; i < len(s); i += w { 143 // Cannot use 'for range s' because we need to preserve the width 144 // of the runes in the input. If we see a decoding error, the input 145 // width will not be utf8.Runelen(r) and we will overrun the buffer. 146 r, w = utf8.DecodeRuneInString(s[i:]) 147 if int(r) < len(replacementTable) { 148 if repl := replacementTable[r]; len(repl) != 0 { 149 if written == 0 { 150 b.Grow(len(s)) 151 } 152 b.WriteString(s[written:i]) 153 b.WriteString(repl) 154 written = i + w 155 } 156 } else if badRunes { 157 // No-op. 158 // IE does not allow these ranges in unquoted attrs. 159 } else if 0xfdd0 <= r && r <= 0xfdef || 0xfff0 <= r && r <= 0xffff { 160 if written == 0 { 161 b.Grow(len(s)) 162 } 163 fmt.Fprintf(b, "%s&#x%x;", s[written:i], r) 164 written = i + w 165 } 166 } 167 if written == 0 { 168 return s 169 } 170 b.WriteString(s[written:]) 171 return b.String() 172 } 173 174 // stripTags takes a snippet of HTML and returns only the text content. 175 // For example, `<b>¡Hi!</b> <script>...</script>` -> `¡Hi! `. 176 func stripTags(html string) string { 177 var b bytes.Buffer 178 s, c, i, allText := []byte(html), context{}, 0, true 179 // Using the transition funcs helps us avoid mangling 180 // `<div title="1>2">` or `I <3 Ponies!`. 181 for i != len(s) { 182 if c.delim == delimNone { 183 st := c.state 184 // Use RCDATA instead of parsing into JS or CSS styles. 185 if c.element != elementNone && !isInTag(st) { 186 st = stateRCDATA 187 } 188 d, nread := transitionFunc[st](c, s[i:]) 189 i1 := i + nread 190 if c.state == stateText || c.state == stateRCDATA { 191 // Emit text up to the start of the tag or comment. 192 j := i1 193 if d.state != c.state { 194 for j1 := j - 1; j1 >= i; j1-- { 195 if s[j1] == '<' { 196 j = j1 197 break 198 } 199 } 200 } 201 b.Write(s[i:j]) 202 } else { 203 allText = false 204 } 205 c, i = d, i1 206 continue 207 } 208 i1 := i + bytes.IndexAny(s[i:], delimEnds[c.delim]) 209 if i1 < i { 210 break 211 } 212 if c.delim != delimSpaceOrTagEnd { 213 // Consume any quote. 214 i1++ 215 } 216 c, i = context{state: stateTag, element: c.element}, i1 217 } 218 if allText { 219 return html 220 } else if c.state == stateText || c.state == stateRCDATA { 221 b.Write(s[i:]) 222 } 223 return b.String() 224 } 225 226 // htmlNameFilter accepts valid parts of an HTML attribute or tag name or 227 // a known-safe HTML attribute. 228 func htmlNameFilter(args ...any) string { 229 s, t := stringify(args...) 230 if t == contentTypeHTMLAttr { 231 return s 232 } 233 if len(s) == 0 { 234 // Avoid violation of structure preservation. 235 // <input checked {{.K}}={{.V}}>. 236 // Without this, if .K is empty then .V is the value of 237 // checked, but otherwise .V is the value of the attribute 238 // named .K. 239 return filterFailsafe 240 } 241 s = strings.ToLower(s) 242 if t := attrType(s); t != contentTypePlain { 243 // TODO: Split attr and element name part filters so we can recognize known attributes. 244 return filterFailsafe 245 } 246 for _, r := range s { 247 switch { 248 case '0' <= r && r <= '9': 249 case 'a' <= r && r <= 'z': 250 default: 251 return filterFailsafe 252 } 253 } 254 return s 255 } 256 257 // commentEscaper returns the empty string regardless of input. 258 // Comment content does not correspond to any parsed structure or 259 // human-readable content, so the simplest and most secure policy is to drop 260 // content interpolated into comments. 261 // This approach is equally valid whether or not static comment content is 262 // removed from the template. 263 func commentEscaper(args ...any) string { 264 return "" 265 }