diff options
author | Ian Lance Taylor <iant@golang.org> | 2018-01-09 01:23:08 +0000 |
---|---|---|
committer | Ian Lance Taylor <ian@gcc.gnu.org> | 2018-01-09 01:23:08 +0000 |
commit | 1a2f01efa63036a5104f203a4789e682c0e0915d (patch) | |
tree | 373e15778dc8295354584e1f86915ae493b604ff /libgo/go/html | |
parent | 8799df67f2dab88f9fda11739c501780a85575e2 (diff) | |
download | gcc-1a2f01efa63036a5104f203a4789e682c0e0915d.zip gcc-1a2f01efa63036a5104f203a4789e682c0e0915d.tar.gz gcc-1a2f01efa63036a5104f203a4789e682c0e0915d.tar.bz2 |
libgo: update to Go1.10beta1
Update the Go library to the 1.10beta1 release.
Requires a few changes to the compiler for modifications to the map
runtime code, and to handle some nowritebarrier cases in the runtime.
Reviewed-on: https://go-review.googlesource.com/86455
gotools/:
* Makefile.am (go_cmd_vet_files): New variable.
(go_cmd_buildid_files, go_cmd_test2json_files): New variables.
(s-zdefaultcc): Change from constants to functions.
(noinst_PROGRAMS): Add vet, buildid, and test2json.
(cgo$(EXEEXT)): Link against $(LIBGOTOOL).
(vet$(EXEEXT)): New target.
(buildid$(EXEEXT)): New target.
(test2json$(EXEEXT)): New target.
(install-exec-local): Install all $(noinst_PROGRAMS).
(uninstall-local): Uninstasll all $(noinst_PROGRAMS).
(check-go-tool): Depend on $(noinst_PROGRAMS). Copy down
objabi.go.
(check-runtime): Depend on $(noinst_PROGRAMS).
(check-cgo-test, check-carchive-test): Likewise.
(check-vet): New target.
(check): Depend on check-vet. Look at cmd_vet-testlog.
(.PHONY): Add check-vet.
* Makefile.in: Rebuild.
From-SVN: r256365
Diffstat (limited to 'libgo/go/html')
-rw-r--r-- | libgo/go/html/entity.go | 2 | ||||
-rw-r--r-- | libgo/go/html/template/escape_test.go | 21 | ||||
-rw-r--r-- | libgo/go/html/template/template.go | 5 | ||||
-rw-r--r-- | libgo/go/html/template/url.go | 22 |
4 files changed, 44 insertions, 6 deletions
diff --git a/libgo/go/html/entity.go b/libgo/go/html/entity.go index af8a007..dfeaf6c 100644 --- a/libgo/go/html/entity.go +++ b/libgo/go/html/entity.go @@ -8,7 +8,7 @@ package html const longestEntityWithoutSemicolon = 6 // entity is a map from HTML entity names to their values. The semicolon matters: -// http://www.whatwg.org/specs/web-apps/current-work/multipage/named-character-references.html +// https://html.spec.whatwg.org/multipage/named-characters.html // lists both "amp" and "amp;" as two separate entries. // // Note that the HTML5 list is larger than the HTML4 list at diff --git a/libgo/go/html/template/escape_test.go b/libgo/go/html/template/escape_test.go index f5a4ce1..92f12ca 100644 --- a/libgo/go/html/template/escape_test.go +++ b/libgo/go/html/template/escape_test.go @@ -1840,7 +1840,7 @@ func TestErrorOnUndefined(t *testing.T) { err := tmpl.Execute(nil, nil) if err == nil { - t.Error("expected error") + t.Fatal("expected error") } if !strings.Contains(err.Error(), "incomplete") { t.Errorf("expected error about incomplete template; got %s", err) @@ -1860,10 +1860,10 @@ func TestIdempotentExecute(t *testing.T) { for i := 0; i < 2; i++ { err = tmpl.ExecuteTemplate(got, "hello", nil) if err != nil { - t.Errorf("unexpected error: %s", err) + t.Fatalf("unexpected error: %s", err) } if got.String() != want { - t.Errorf("after executing template \"hello\", got:\n\t%q\nwant:\n\t%q\n", got.String(), want) + t.Fatalf("after executing template \"hello\", got:\n\t%q\nwant:\n\t%q\n", got.String(), want) } got.Reset() } @@ -1871,7 +1871,7 @@ func TestIdempotentExecute(t *testing.T) { // "main" does not cause the output of "hello" to change. err = tmpl.ExecuteTemplate(got, "main", nil) if err != nil { - t.Errorf("unexpected error: %s", err) + t.Fatalf("unexpected error: %s", err) } // If the HTML escaper is added again to the action {{"Ladies & Gentlemen!"}}, // we would expected to see the ampersand overescaped to "&amp;". @@ -1881,6 +1881,19 @@ func TestIdempotentExecute(t *testing.T) { } } +// This covers issue #21844. +func TestAddExistingTreeError(t *testing.T) { + tmpl := Must(New("foo").Parse(`<p>{{.}}</p>`)) + tmpl, err := tmpl.AddParseTree("bar", tmpl.Tree) + if err == nil { + t.Fatalf("expected error after AddParseTree") + } + const want = `html/template: cannot add parse tree that template "foo" already references` + if got := err.Error(); got != want { + t.Errorf("got error:\n\t%q\nwant:\n\t%q\n", got, want) + } +} + func BenchmarkEscapedExecute(b *testing.B) { tmpl := Must(New("t").Parse(`<a onclick="alert('{{.}}')">{{.}}</a>`)) var buf bytes.Buffer diff --git a/libgo/go/html/template/template.go b/libgo/go/html/template/template.go index 6a661bf..d77aa3d 100644 --- a/libgo/go/html/template/template.go +++ b/libgo/go/html/template/template.go @@ -219,6 +219,11 @@ func (t *Template) AddParseTree(name string, tree *parse.Tree) (*Template, error t.nameSpace.mu.Lock() defer t.nameSpace.mu.Unlock() + for _, tmpl := range t.set { + if tmpl.Tree == tree { + return nil, fmt.Errorf("html/template: cannot add parse tree that template %q already references", tmpl.Name()) + } + } text, err := t.text.AddParseTree(name, tree) if err != nil { return nil, err diff --git a/libgo/go/html/template/url.go b/libgo/go/html/template/url.go index 02123b2..a0bfe76 100644 --- a/libgo/go/html/template/url.go +++ b/libgo/go/html/template/url.go @@ -10,8 +10,28 @@ import ( "strings" ) -// urlFilter returns its input unless it contains an unsafe protocol in which +// urlFilter returns its input unless it contains an unsafe scheme in which // case it defangs the entire URL. +// +// Schemes that cause unintended side effects that are irreversible without user +// interaction are considered unsafe. For example, clicking on a "javascript:" +// link can immediately trigger JavaScript code execution. +// +// This filter conservatively assumes that all schemes other than the following +// are unsafe: +// * http: Navigates to a new website, and may open a new window or tab. +// These side effects can be reversed by navigating back to the +// previous website, or closing the window or tab. No irreversible +// changes will take place without further user interaction with +// the new website. +// * https: Same as http. +// * mailto: Opens an email program and starts a new draft. This side effect +// is not irreversible until the user explicitly clicks send; it +// can be undone by closing the email program. +// +// To allow URLs containing other schemes to bypass this filter, developers must +// explicitly indicate that such a URL is expected and safe by encapsulating it +// in a template.URL value. func urlFilter(args ...interface{}) string { s, t := stringify(args...) if t == contentTypeURL { |