Angle brackets should not appear in CSS contexts, as they may affect
token boundaries (such as closing a <style> tag, resulting in
injection). Instead emit filterFailsafe, matching the behavior for other
dangerous characters.
Thanks to Juho Nurminen of Mattermost for reporting this issue.
Fixes #59720
Fixes CVE-2023-24539
Change-Id: Iccc659c9a18415992b0c05c178792228e3a7bae4
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1826636
Reviewed-by: Julie Qiu <julieqiu@google.com>
Run-TryBot: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/491615
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Run-TryBot: Carlos Amedee <carlos@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
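A worked example added here (not code from the Go project): a stand-alone model of the filter rule before and after the fix, plus a regression check that runs the real html/template of the local toolchain. The "other dangerous characters" set in the model is an assumption, since the commit does not list it.

```go
package main

import (
	"html/template"
	"strings"
)

// filterFailsafe is the sentinel html/template substitutes for a rejected
// value; the identifier comes from the commit message above.
const filterFailsafe = "ZgotmplZ"

// Stand-alone model of the rule, not the Go project's own cssValueFilter.
// The "other dangerous characters" set is assumed (the commit does not list
// it); the fix extends that set with '<' and '>'.
const (
	dangerousBefore = "\x00\"'()/;@[\\]`{}"
	dangerousAfter  = dangerousBefore + "<>"
)

// cssValueFilterModel returns s unchanged when no byte is in the rejected
// set and filterFailsafe otherwise, so no '<' can reach the output.
func cssValueFilterModel(rejected, s string) string {
	if strings.ContainsAny(s, rejected) {
		return filterFailsafe
	}
	return s
}

// renderStyle interpolates value into a <style> element with the real
// html/template package, which applies its CSS value filter here.
func renderStyle(value string) (string, error) {
	t, err := template.New("css").Parse(`<style>a{color: {{.}}}</style>`)
	if err != nil {
		return "", err
	}
	var buf strings.Builder
	err = t.Execute(&buf, value)
	return buf.String(), err
}

// toolchainRejectsAngleBrackets is a regression check for this fix: it
// reports whether the local html/template replaces a '<' in CSS context
// with filterFailsafe instead of emitting it verbatim.
func toolchainRejectsAngleBrackets() (bool, error) {
	out, err := renderStyle("red<")
	if err != nil {
		return false, err
	}
	return strings.Contains(out, filterFailsafe) && !strings.Contains(out, "red<"), nil
}
```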
And then revert the bootstrap cmd directories and certain testdata.
And adjust tests as needed.
Not reverting the changes in std that are bootstrapped,
because some of those changes would appear in API docs,
and we want to use any consistently.
Instead, rewrite 'any' to 'interface{}' in cmd/dist for those directories
when preparing the bootstrap copy.
A few files changed as a result of running gofmt -w
not because of interface{} -> any but because they
hadn't been updated for the new //go:build lines.
Fixes #49884.
Change-Id: Ie8045cba995f65bd79c694ec77a1b3d1fe01bb09
Reviewed-on: https://go-review.googlesource.com/c/go/+/368254
Trust: Russ Cox <rsc@golang.org>
Run-TryBot: Russ Cox <rsc@golang.org>
Reviewed-by: Robert Griesemer <gri@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
...and size initial buffers more accurately.
Easy pickings only. More might remain.
name old time/op new time/op delta
CSSEscaper-8 1.17µs ± 1% 0.80µs ± 2% -31.55% (p=0.000 n=44+48)
CSSEscaperNoSpecials-8 205ns ± 2% 204ns ± 3% -0.73% (p=0.014 n=46+49)
DecodeCSS-8 438ns ± 2% 436ns ± 2% ~ (p=0.099 n=48+47)
DecodeCSSNoSpecials-8 6.11ns ± 3% 5.93ns ± 3% -2.85% (p=0.000 n=50+48)
CSSValueFilter-8 149ns ± 0% 145ns ± 0% -2.68% (p=0.000 n=32+35)
CSSValueFilterOk-8 238ns ± 2% 234ns ± 2% -1.40% (p=0.000 n=49+47)
EscapedExecute-8 2.53µs ± 2% 2.55µs ± 1% +0.87% (p=0.000 n=48+49)
HTMLNospaceEscaper-8 1.35µs ± 2% 0.92µs ± 1% -31.74% (p=0.000 n=48+48)
HTMLNospaceEscaperNoSpecials-8 278ns ± 2% 263ns ± 2% -5.17% (p=0.000 n=47+49)
StripTags-8 778ns ± 2% 786ns ± 1% +0.96% (p=0.000 n=46+47)
StripTagsNoSpecials-8 84.2ns ± 1% 84.1ns ± 1% ~ (p=0.300 n=48+48)
JSValEscaperWithNum-8 506ns ± 2% 486ns ± 3% -3.82% (p=0.000 n=47+45)
JSValEscaperWithStr-8 1.61µs ± 1% 1.64µs ± 1% +1.75% (p=0.000 n=44+49)
JSValEscaperWithStrNoSpecials-8 548ns ± 2% 552ns ± 2% +0.78% (p=0.000 n=48+46)
JSValEscaperWithObj-8 1.91µs ± 2% 1.87µs ± 1% -2.08% (p=0.000 n=49+47)
JSValEscaperWithObjNoSpecials-8 735ns ± 2% 742ns ± 2% +1.01% (p=0.000 n=47+49)
JSStrEscaperNoSpecials-8 228ns ± 4% 211ns ± 3% -7.53% (p=0.000 n=50+49)
JSStrEscaper-8 1.11µs ± 1% 0.78µs ± 1% -29.94% (p=0.000 n=48+48)
JSRegexpEscaperNoSpecials-8 214ns ± 2% 212ns ± 3% -1.12% (p=0.000 n=50+49)
JSRegexpEscaper-8 1.17µs ± 0% 0.79µs ± 1% -31.92% (p=0.000 n=48+47)
TemplateSpecialTags-8 172µs ± 1% 172µs ± 1% ~ (p=0.976 n=48+47)
URLEscaper-8 1.88µs ± 2% 1.87µs ± 2% -0.56% (p=0.001 n=49+49)
URLEscaperNoSpecials-8 162ns ± 1% 169ns ± 1% +3.76% (p=0.000 n=49+50)
URLNormalizer-8 1.29µs ± 3% 1.29µs ± 2% -0.37% (p=0.041 n=48+48)
URLNormalizerNoSpecials-8 185ns ± 1% 186ns ± 1% +0.15% (p=0.013 n=49+49)
SrcsetFilter-8 616ns ± 1% 618ns ± 1% +0.36% (p=0.000 n=46+46)
SrcsetFilterNoSpecials-8 359ns ± 0% 352ns ± 0% -1.93% (p=0.000 n=40+43)
[Geo mean] 560ns 525ns -6.17%
name old alloc/op new alloc/op delta
CSSEscaper-8 672B ± 0% 336B ± 0% -50.00% (p=0.000 n=50+50)
CSSEscaperNoSpecials-8 0.00B 0.00B ~ (all equal)
DecodeCSS-8 160B ± 0% 160B ± 0% ~ (all equal)
DecodeCSSNoSpecials-8 0.00B 0.00B ~ (all equal)
CSSValueFilter-8 96.0B ± 0% 96.0B ± 0% ~ (all equal)
CSSValueFilterOk-8 48.0B ± 0% 48.0B ± 0% ~ (all equal)
EscapedExecute-8 688B ± 0% 624B ± 0% -9.30% (p=0.000 n=50+50)
HTMLNospaceEscaper-8 752B ± 0% 368B ± 0% -51.06% (p=0.000 n=50+50)
HTMLNospaceEscaperNoSpecials-8 48.0B ± 0% 32.0B ± 0% -33.33% (p=0.000 n=50+50)
StripTags-8 224B ± 0% 224B ± 0% ~ (all equal)
StripTagsNoSpecials-8 112B ± 0% 112B ± 0% ~ (all equal)
JSValEscaperWithNum-8 96.0B ± 0% 40.0B ± 0% -58.33% (p=0.000 n=50+50)
JSValEscaperWithStr-8 384B ± 0% 384B ± 0% ~ (all equal)
JSValEscaperWithStrNoSpecials-8 96.0B ± 0% 96.0B ± 0% ~ (all equal)
JSValEscaperWithObj-8 448B ± 0% 448B ± 0% ~ (all equal)
JSValEscaperWithObjNoSpecials-8 160B ± 0% 160B ± 0% ~ (all equal)
JSStrEscaperNoSpecials-8 0.00B 0.00B ~ (all equal)
JSStrEscaper-8 672B ± 0% 336B ± 0% -50.00% (p=0.000 n=50+50)
JSRegexpEscaperNoSpecials-8 0.00B 0.00B ~ (all equal)
JSRegexpEscaper-8 672B ± 0% 336B ± 0% -50.00% (p=0.000 n=50+50)
TemplateSpecialTags-8 48.0kB ± 0% 47.9kB ± 0% -0.13% (p=0.000 n=50+48)
URLEscaper-8 336B ± 0% 336B ± 0% ~ (all equal)
URLEscaperNoSpecials-8 112B ± 0% 112B ± 0% ~ (all equal)
URLNormalizer-8 176B ± 0% 176B ± 0% ~ (all equal)
URLNormalizerNoSpecials-8 112B ± 0% 112B ± 0% ~ (all equal)
SrcsetFilter-8 160B ± 0% 160B ± 0% ~ (all equal)
SrcsetFilterNoSpecials-8 160B ± 0% 160B ± 0% ~ (all equal)
[Geo mean] 259B 216B -16.60%
name old allocs/op new allocs/op delta
CSSEscaper-8 4.00 ± 0% 2.00 ± 0% -50.00% (p=0.000 n=50+50)
CSSEscaperNoSpecials-8 0.00 0.00 ~ (all equal)
DecodeCSS-8 1.00 ± 0% 1.00 ± 0% ~ (all equal)
DecodeCSSNoSpecials-8 0.00 0.00 ~ (all equal)
CSSValueFilter-8 2.00 ± 0% 2.00 ± 0% ~ (all equal)
CSSValueFilterOk-8 3.00 ± 0% 3.00 ± 0% ~ (all equal)
EscapedExecute-8 18.0 ± 0% 18.0 ± 0% ~ (all equal)
HTMLNospaceEscaper-8 5.00 ± 0% 3.00 ± 0% -40.00% (p=0.000 n=50+50)
HTMLNospaceEscaperNoSpecials-8 1.00 ± 0% 1.00 ± 0% ~ (all equal)
StripTags-8 3.00 ± 0% 3.00 ± 0% ~ (all equal)
StripTagsNoSpecials-8 2.00 ± 0% 2.00 ± 0% ~ (all equal)
JSValEscaperWithNum-8 3.00 ± 0% 3.00 ± 0% ~ (all equal)
JSValEscaperWithStr-8 2.00 ± 0% 2.00 ± 0% ~ (all equal)
JSValEscaperWithStrNoSpecials-8 2.00 ± 0% 2.00 ± 0% ~ (all equal)
JSValEscaperWithObj-8 3.00 ± 0% 3.00 ± 0% ~ (all equal)
JSValEscaperWithObjNoSpecials-8 3.00 ± 0% 3.00 ± 0% ~ (all equal)
JSStrEscaperNoSpecials-8 0.00 0.00 ~ (all equal)
JSStrEscaper-8 4.00 ± 0% 2.00 ± 0% -50.00% (p=0.000 n=50+50)
JSRegexpEscaperNoSpecials-8 0.00 0.00 ~ (all equal)
JSRegexpEscaper-8 4.00 ± 0% 2.00 ± 0% -50.00% (p=0.000 n=50+50)
TemplateSpecialTags-8 185 ± 0% 185 ± 0% ~ (all equal)
URLEscaper-8 4.00 ± 0% 4.00 ± 0% ~ (all equal)
URLEscaperNoSpecials-8 2.00 ± 0% 2.00 ± 0% ~ (all equal)
URLNormalizer-8 3.00 ± 0% 3.00 ± 0% ~ (all equal)
URLNormalizerNoSpecials-8 2.00 ± 0% 2.00 ± 0% ~ (all equal)
SrcsetFilter-8 3.00 ± 0% 3.00 ± 0% ~ (all equal)
SrcsetFilterNoSpecials-8 3.00 ± 0% 3.00 ± 0% ~ (all equal)
[Geo mean] 3.41 3.05 -10.65%
Change-Id: I809ea56495ce1881656af7e24621448ab64b449a
Reviewed-on: https://go-review.googlesource.com/c/155919
Run-TryBot: Josh Bleecher Snyder <josharian@gmail.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Each URL was manually verified to ensure it did not serve up incorrect
content.
Change-Id: I4dc846227af95a73ee9a3074d0c379ff0fa955df
Reviewed-on: https://go-review.googlesource.com/115798
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Run-TryBot: Ian Lance Taylor <iant@golang.org>
Change-Id: Id1c2e8e9d60588de866e8b6ca59cc83dd28f848f
Reviewed-on: https://go-review.googlesource.com/21756
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Change-Id: Iba82a5bd3846f7ab038cc10ec72ff6bcd2c0b484
Reviewed-on: https://go-review.googlesource.com/21377
Run-TryBot: Dave Cheney <dave@cheney.net>
Reviewed-by: Dave Cheney <dave@cheney.net>
In css, js, and html, the replacement operations are implemented
by iterating on strings (rune by rune). The for/range
statement is used. The length of the rune is required
and added to the index to properly slice the string.
This is potentially wrong because there is a discrepancy between
the result of utf8.RuneLen and the increment of the index
(set by the for/range statement). For invalid strings,
utf8.RuneLen('\ufffd') == 3, while the index is incremented
only by 1 byte.
htmlReplacer triggers a panic at slicing time for some
invalid strings.
Use a more robust iteration mechanism based on
utf8.DecodeRuneInString, and make sure the same
pattern is used for all similar functions in this
package.
Fixes #10799
Change-Id: Ibad3857b2819435d9fa564f06fc2ca8774102841
Reviewed-on: https://go-review.googlesource.com/10105
Reviewed-by: Rob Pike <r@golang.org>
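A worked example added here (not the package's own htmlReplacer): a replacer written with the for/range plus utf8.RuneLen pattern the commit describes, which panics on invalid UTF-8, next to the utf8.DecodeRuneInString version that stays in bounds. The replacement table is constructed for the demonstration.

```go
package main

import (
	"strings"
	"unicode/utf8"
)

// htmlRepl is a constructed table for the demonstration; the U+FFFD entry
// stands in for the bad-rune ranges the real escapers rewrite.
var htmlRepl = map[rune]string{'<': "&lt;", '\ufffd': "&#xfffd;"}

// replacerBuggy models the pattern the commit describes (not the package's
// own htmlReplacer): for/range yields U+FFFD for an invalid byte but steps i
// by 1, while utf8.RuneLen(U+FFFD) is 3, so written can exceed len(s).
func replacerBuggy(s string, repl map[rune]string) (out string, panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	var b strings.Builder
	written := 0
	for i, r := range s {
		if rep, ok := repl[r]; ok {
			b.WriteString(s[written:i])
			b.WriteString(rep)
			written = i + utf8.RuneLen(r) // 3 for U+FFFD even if 1 byte was consumed
		}
	}
	b.WriteString(s[written:]) // slice bounds out of range when written > len(s)
	return b.String(), false
}

// replacerFixed uses utf8.DecodeRuneInString, whose width is the number of
// bytes actually consumed (1 for an invalid byte), so slices stay in bounds.
func replacerFixed(s string, repl map[rune]string) string {
	var b strings.Builder
	written := 0
	for i := 0; i < len(s); {
		r, w := utf8.DecodeRuneInString(s[i:])
		if rep, ok := repl[r]; ok {
			b.WriteString(s[written:i])
			b.WriteString(rep)
			written = i + w
		}
		i += w
	}
	b.WriteString(s[written:])
	return b.String()
}
```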
Preparation was in CL 134570043.
This CL contains only the effect of 'hg mv src/pkg/* src'.
For more about the move, see golang.org/s/go14nopkg.