| author | Russ Cox <rsc@golang.org> | 2013-08-09 18:33:57 -0400 |
|---|---|---|
| committer | Russ Cox <rsc@golang.org> | 2013-08-09 18:33:57 -0400 |
| commit | 080e00d55d37be67be30e2723233594e64097edf (patch) | |
| tree | 5352fd9e86da09b41220317b99f1ee0f0f142de2 /src/pkg/html | |
| parent | 36f223dace5dcdb7afc381c51e0484ff473e2e88 (diff) | |
| download | go-080e00d55d37be67be30e2723233594e64097edf.tar.xz | |
encoding/json: escape & always
There are a few different places in the code that escape
possibly-problematic characters like < > and &.
This one was the only one missing &, so add it.
This means that if you Marshal a string, you get the
same answer you do if you Marshal a string and
pass it through the compactor. (Ironically, the
compaction makes the string longer.)
Because html/template invokes json.Marshal to
prepare escaped strings for JavaScript, this changes
the form of some of the escaped strings, but not
their meaning.
R=golang-dev, bradfitz
CC=golang-dev
https://golang.org/cl/12708044
Diffstat (limited to 'src/pkg/html')
| -rw-r--r-- | src/pkg/html/template/content_test.go | 12 | ||||
| -rw-r--r-- | src/pkg/html/template/escape_test.go | 2 |
2 files changed, 7 insertions, 7 deletions
diff --git a/src/pkg/html/template/content_test.go b/src/pkg/html/template/content_test.go
index 5e130faacb..5f3ffe2d32 100644
--- a/src/pkg/html/template/content_test.go
+++ b/src/pkg/html/template/content_test.go
@@ -123,29 +123,29 @@ func TestTypedContent(t *testing.T) {
 {
 `<script>alert({{.}})</script>`,
 []string{
- `"\u003cb\u003e \"foo%\" O'Reilly &bar;"`,
+ `"\u003cb\u003e \"foo%\" O'Reilly \u0026bar;"`,
 `"a[href =~ \"//example.com\"]#foo"`,
- `"Hello, \u003cb\u003eWorld\u003c/b\u003e &tc!"`,
+ `"Hello, \u003cb\u003eWorld\u003c/b\u003e \u0026amp;tc!"`,
 `" dir=\"ltr\""`,
 // Not escaped.
 `c && alert("Hello, World!");`,
 // Escape sequence not over-escaped.
 `"Hello, World & O'Reilly\x21"`,
- `"greeting=H%69&addressee=(World)"`,
+ `"greeting=H%69\u0026addressee=(World)"`,
 },
 },
 {
 `<button onclick="alert({{.}})">`,
 []string{
- `"\u003cb\u003e \"foo%\" O'Reilly &bar;"`,
+ `"\u003cb\u003e \"foo%\" O'Reilly \u0026bar;"`,
 `"a[href =~ \"//example.com\"]#foo"`,
- `"Hello, \u003cb\u003eWorld\u003c/b\u003e &amp;tc!"`,
+ `"Hello, \u003cb\u003eWorld\u003c/b\u003e \u0026amp;tc!"`,
 `" dir=\"ltr\""`,
 // Not JS escaped but HTML escaped.
 `c && alert("Hello, World!");`,
 // Escape sequence not over-escaped.
 `"Hello, World & O'Reilly\x21"`,
- `"greeting=H%69&addressee=(World)"`,
+ `"greeting=H%69\u0026addressee=(World)"`,
 },
 },
 {
diff --git a/src/pkg/html/template/escape_test.go b/src/pkg/html/template/escape_test.go
index de3659ba8f..4c349d9618 100644
--- a/src/pkg/html/template/escape_test.go
+++ b/src/pkg/html/template/escape_test.go
@@ -538,7 +538,7 @@ func TestEscape(t *testing.T) {
 {
 "typed HTML in script",
 `<button onclick="alert({{.W}})">`,
- `<button onclick="alert("&iexcl;\u003cb class=\"foo\"\u003eHello\u003c/b\u003e, \u003ctextarea\u003eO'World\u003c/textarea\u003e!")">`,
+ `<button onclick="alert("\u0026iexcl;\u003cb class=\"foo\"\u003eHello\u003c/b\u003e, \u003ctextarea\u003eO'World\u003c/textarea\u003e!")">`,
 },
 {
 "typed HTML in RCDATA",
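Review bot: The updated golden strings in content_test.go (and the one in escape_test.go) now expect `\u0026` wherever the JS-escaped value contains `&`, but nothing in the test files says where that escaping comes from, so a later reader of TestTypedContent may take it for an html/template rule rather than an encoding/json one. A one-line comment above the first changed expectation, `// & arrives as \u0026 because html/template marshals the value with encoding/json, which now escapes & like < and >.`, would tie the expectations to the behavior described in the commit message. The two removed `&tc!`/`&amp;tc!` lines differ only by entity form while both new lines read `\u0026amp;tc!`; that looks like the rendered page having decoded `&amp;` in one place rather than a real inconsistency, but it is worth confirming against the raw patch. TestTypedContent and TestEscape both start and end outside the hunks shown.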
