author | Ian Lance Taylor <ian@gcc.gnu.org> | 2012-03-06 17:57:23 +0000 |
---|---|---|
committer | Ian Lance Taylor <ian@gcc.gnu.org> | 2012-03-06 17:57:23 +0000 |
commit | 593f74bbab63d34c7060918088bcbad686c31c66 (patch) | |
tree | 4ce83ca433796a728e9fdd00af105bce158532b5 /libgo/go/html | |
parent | 46402cbe0ba3ea92be9642cf18eedaefe57a414c (diff) | |
libgo: Update to weekly.2012-03-04 release.
From-SVN: r185010
Diffstat (limited to 'libgo/go/html')
-rw-r--r-- | libgo/go/html/template/doc.go | 2 | ||||
-rw-r--r-- | libgo/go/html/template/escape.go | 2 | ||||
-rw-r--r-- | libgo/go/html/template/escape_test.go | 11 | ||||
-rw-r--r-- | libgo/go/html/template/html.go | 2 |
4 files changed, 11 insertions, 6 deletions
diff --git a/libgo/go/html/template/doc.go b/libgo/go/html/template/doc.go
index 7f60f3b..3699ea1 100644
--- a/libgo/go/html/template/doc.go
+++ b/libgo/go/html/template/doc.go
@@ -19,7 +19,7 @@ to parse and execute HTML templates safely.
 tmpl, err := template.New("name").Parse(...) // Error checking elided
- err = tmpl.Execute(out, "Foo", data)
+ err = tmpl.Execute(out, data)
 If successful, tmpl will now be injection-safe. Otherwise, err is an error defined in the docs for ErrorCode.
diff --git a/libgo/go/html/template/escape.go b/libgo/go/html/template/escape.go
index 02fa3ea..a058e20 100644
--- a/libgo/go/html/template/escape.go
+++ b/libgo/go/html/template/escape.go
@@ -593,7 +593,7 @@ func (e *escaper) escapeText(c context, n *parse.TextNode) context {
 } } for j := i; j < end; j++ {
- if s[j] == '<' && !bytes.HasPrefix(s[j:], doctypeBytes) {
+ if s[j] == '<' && !bytes.HasPrefix(bytes.ToUpper(s[j:]), doctypeBytes) {
 b.Write(s[written:j]) b.WriteString("<") written = j + 1
diff --git a/libgo/go/html/template/escape_test.go b/libgo/go/html/template/escape_test.go
index 70cada3..2bbb1b1 100644
--- a/libgo/go/html/template/escape_test.go
+++ b/libgo/go/html/template/escape_test.go
@@ -223,14 +223,14 @@ func TestEscape(t *testing.T) {
 `<button onclick='alert("\x3cHello\x3e")'>`, }, {
- "badMarshaller",
+ "badMarshaler",
 `<button onclick='alert(1/{{.B}}in numbers)'>`, `<button onclick='alert(1/ /* json: error calling MarshalJSON for type *template.badMarshaler: invalid character 'f' looking for beginning of object key string */null in numbers)'>`, }, {
- "jsMarshaller",
+ "jsMarshaler",
 `<button onclick='alert({{.M}})'>`,
- `<button onclick='alert({"<foo>":"O'Reilly"})'>`,
+ `<button onclick='alert({"\u003cfoo\u003e":"O'Reilly"})'>`,
 }, { "jsStrNotUnderEscaped",
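Review bot: In the escape.go hunk, the new test `!bytes.HasPrefix(bytes.ToUpper(s[j:]), doctypeBytes)` upper-cases and copies the whole remainder of the text node each time the loop meets a `<`, although only the first `len(doctypeBytes)` bytes can affect the result. Because this condition decides which `<` is exempt from escaping, it is better kept narrow and explicit by folding only the prefix: `if s[j] == '<' && !(len(s)-j >= len(doctypeBytes) && bytes.EqualFold(s[j:j+len(doctypeBytes)], doctypeBytes)) {`. The check also relies on `doctypeBytes` being stored in upper case, which is presumably true but is defined outside this hunk; a comment such as `// doctypeBytes must be upper-case: the input is upper-cased before comparison` at the comparison would make that dependency visible. The body of escapeText starts and ends outside the hunk.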
@@ -432,6 +432,11 @@ func TestEscape(t *testing.T) {
 "<!DOCTYPE html>Hello, World!", }, {
+ "HTML doctype not case-insensitive",
+ "<!doCtYPE htMl>Hello, World!",
+ "<!doCtYPE htMl>Hello, World!",
+ },
+ {
 "No doctype injection", `<!{{"DOCTYPE"}}`, "<!DOCTYPE",
diff --git a/libgo/go/html/template/html.go b/libgo/go/html/template/html.go
index 7b77d65..36c88e2 100644
--- a/libgo/go/html/template/html.go
+++ b/libgo/go/html/template/html.go
@@ -134,7 +134,7 @@ var htmlNospaceNormReplacementTable = []string{
 '`': "`", }
-// htmlReplacer returns s with runes replaced acccording to replacementTable
+// htmlReplacer returns s with runes replaced according to replacementTable
 // and when badRunes is true, certain bad runes are allowed through unescaped. func htmlReplacer(s string, replacementTable []string, badRunes bool) string { written, b := 0, new(bytes.Buffer) |
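Review bot: The name of the case added to TestEscape in the second escape_test.go hunk, `"HTML doctype not case-insensitive"`, reads as the opposite of what the case checks. The mixed-case input `<!doCtYPE htMl>` is expected to come through unchanged, which means the doctype match is case-insensitive; a name such as `"HTML doctype case-insensitive"` states that directly. Since the case pins which literal `<` the escaper leaves alone, a short comment on it, for example `// a doctype in any letter case is passed through; other '<' in text are still escaped`, would help the next reader. The test table continues outside the hunk.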