aboutsummaryrefslogtreecommitdiff
path: root/src/html/template/escape.go
diff options
context:
space:
mode:
Diffstat (limited to 'src/html/template/escape.go')
-rw-r--r--src/html/template/escape.go14
1 files changed, 14 insertions, 0 deletions
diff --git a/src/html/template/escape.go b/src/html/template/escape.go
index 1f963e61b4..d8e1b8cb54 100644
--- a/src/html/template/escape.go
+++ b/src/html/template/escape.go
@@ -166,6 +166,8 @@ func (e *escaper) escape(c context, n parse.Node) context {
var debugAllowActionJSTmpl = godebug.New("jstmpllitinterp")
+var htmlmetacontenturlescape = godebug.New("htmlmetacontenturlescape")
+
// escapeAction escapes an action template node.
func (e *escaper) escapeAction(c context, n *parse.ActionNode) context {
if len(n.Pipe.Decl) != 0 {
@@ -223,6 +225,18 @@ func (e *escaper) escapeAction(c context, n *parse.ActionNode) context {
default:
panic(c.urlPart.String())
}
+ case stateMetaContent:
+ // Handled below in delim check.
+ case stateMetaContentURL:
+ if htmlmetacontenturlescape.Value() != "0" {
+ s = append(s, "_html_template_urlfilter")
+ } else {
+ // We don't have a great place to increment this, since it's hard to
+ // know if we actually escape any urls in _html_template_urlfilter,
+ // since it has no information about what context it is being
+ // executed in etc. This is probably the best we can do.
+ htmlmetacontenturlescape.IncNonDefault()
+ }
case stateJS:
s = append(s, "_html_template_jsvalescaper")
// A slash after a value starts a div operator.
generated by cgit v1.3 (git 2.53.0) at 2026-04-15 04:06:42 +0000