blob: e0e87b98d043fdfe8aa22b2177c576e8be0825de (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
|
// Copyright 2011 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
// Package html is a specialization of exp/template that automates the
// construction of safe HTML output.
// At the moment, the escaping is naive. All dynamic content is assumed to be
// plain text interpolated in an HTML PCDATA context.
package html
import (
"template"
"template/parse"
)
// Escape rewrites each action in the template to guarantee the output is
// HTML-escaped.
func Escape(t *template.Template) {
// If the parser shares trees based on common-subexpression
// joining then we will need to avoid multiply escaping the same action.
escapeListNode(t.Tree.Root)
}
// escapeNode dispatches to escape<NodeType> helpers by type.
func escapeNode(node parse.Node) {
switch n := node.(type) {
case *parse.ListNode:
escapeListNode(n)
case *parse.TextNode:
// Nothing to do.
case *parse.ActionNode:
escapeActionNode(n)
case *parse.IfNode:
escapeIfNode(n)
case *parse.RangeNode:
escapeRangeNode(n)
case *parse.TemplateNode:
// Nothing to do.
case *parse.WithNode:
escapeWithNode(n)
default:
panic("handling for " + node.String() + " not implemented")
// TODO: Handle other inner node types.
}
}
// escapeListNode recursively escapes its input's children.
func escapeListNode(node *parse.ListNode) {
if node == nil {
return
}
children := node.Nodes
for _, child := range children {
escapeNode(child)
}
}
// escapeActionNode adds a pipeline call to the end that escapes the result
// of the expression before it is interpolated into the template output.
func escapeActionNode(node *parse.ActionNode) {
pipe := node.Pipe
cmds := pipe.Cmds
nCmds := len(cmds)
// If it already has an escaping command, do not interfere.
if nCmds != 0 {
if lastCmd := cmds[nCmds-1]; len(lastCmd.Args) != 0 {
// TODO: Recognize url and js as escaping functions once
// we have enough context to know whether additional
// escaping is necessary.
if arg, ok := lastCmd.Args[0].(*parse.IdentifierNode); ok && arg.Ident == "html" {
return
}
}
}
htmlEscapeCommand := parse.CommandNode{
NodeType: parse.NodeCommand,
Args: []parse.Node{parse.NewIdentifier("html")},
}
node.Pipe.Cmds = append(node.Pipe.Cmds, &htmlEscapeCommand)
}
// escapeIfNode recursively escapes the if and then clauses but leaves the
// condition unchanged.
func escapeIfNode(node *parse.IfNode) {
escapeListNode(node.List)
escapeListNode(node.ElseList)
}
// escapeRangeNode recursively escapes the loop body and else clause but
// leaves the series unchanged.
func escapeRangeNode(node *parse.RangeNode) {
escapeListNode(node.List)
escapeListNode(node.ElseList)
}
// escapeWithNode recursively escapes the scope body and else clause but
// leaves the pipeline unchanged.
func escapeWithNode(node *parse.WithNode) {
escapeListNode(node.List)
escapeListNode(node.ElseList)
}
|
