Source File
escape.go
Belonging Package
github.com/google/safehtml/template
Copyright 2011 The Go Authors. All rights reserved. Use of this source code is governed by a BSD-style license that can be found in the LICENSE file.
package template
import (
)
TODO: remove all unused escaping logic inherited from html/template. TODO: replace "escape" with "sanitize" in file names and contents to maintain consistency with safehtml/template docs.
escapeTemplate rewrites the named template, which must be associated with t, to guarantee that the output of any of the named templates is properly escaped. If no error is returned, then the named templates have been modified. Otherwise the named templates have been rendered unusable.
Prevent execution of unsafe templates.
evalArgs formats the list of arguments into a string. It is equivalent to fmt.Sprint(args...), except that it deferences all pointers.
Optimization for simple common case of a single string argument.
if len() == 1 {
if , := [0].(string); {
return
}
}
for , := range {
[] = indirectToStringerOrError()
}
return fmt.Sprint(...)
}
escaper collects type inferences about templates and changes needed to make templates injection safe.
ns is the nameSpace that this escaper is associated with.
output[templateName] is the output context for a templateName that has been mangled to include its input context.
derived[c.mangle(name)] maps to a template derived from the template named name templateName for the start context c.
called[templateName] is a set of called mangled template names.
xxxNodeEdits are the accumulated edits to apply during commit. Such edits are not applied immediately in case a template set executes a given template in different escaping contexts.
actionNodeEdits map[*parse.ActionNode][]string
templateNodeEdits map[*parse.TemplateNode]string
textNodeEdits map[*parse.TextNode][]byte
}
makeEscaper creates a blank escaper for the given set.
escape escapes a template node.
func ( *escaper) ( context, parse.Node) context {
switch n := .(type) {
case *parse.ActionNode:
return .escapeAction(, )
case *parse.IfNode:
return .escapeBranch(, &.BranchNode, "if")
case *parse.ListNode:
return .escapeList(, )
case *parse.RangeNode:
return .escapeBranch(, &.BranchNode, "range")
case *parse.TemplateNode:
return .escapeTemplate(, )
case *parse.TextNode:
return .escapeText(, )
case *parse.WithNode:
return .escapeBranch(, &.BranchNode, "with")
}
panic("escaping " + .String() + " is unimplemented")
}
escapeAction escapes an action template node.
func ( *escaper) ( context, *parse.ActionNode) context {
A local variable assignment, not an interpolation.
return
}
Check for disallowed use of predefined escapers in the pipeline.
for , := range .Pipe.Cmds {
, := .Args[0].(*parse.IdentifierNode)
A predefined escaper "esc" will never be found as an identifier in a Chain or Field node, since: - "esc.x ..." is invalid, since predefined escapers return strings, and strings do not have methods, keys or fields. - "... .esc" is invalid, since predefined escapers are global functions, not methods or fields of any types. Therefore, it is safe to ignore these two node types.
continue
}
:= .Ident
if , := predefinedEscapers[]; {
if < len(.Pipe.Cmds)-1 ||
.state == stateAttr && .delim == delimSpaceOrTagEnd && == "html" {
return context{
state: stateError,
err: errorf(ErrPredefinedEscaper, , .Line, "predefined escaper %q disallowed in template", ),
}
}
}
}
switch .state {
case stateError:
return
case stateAttrName, stateTag:
.state = stateAttrName
TODO: integrate sanitizerForContext into escapeAction.
, := sanitizerForContext()
if != nil {
return context{
TODO: return sanitization-specific errors.
err: errorf(ErrEscapeAction, , .Line, "cannot escape action %v: %s", , ),
}
}
.editActionNode(, )
return
}
ensurePipelineContains ensures that the pipeline ends with the commands with the identifiers in s in order. If the pipeline ends with a predefined escaper (i.e. "html" or "urlquery"), merge it with the identifiers in s.c
Do not rewrite pipeline if we have no escapers to insert.
return
Precondition: p.Cmds contains at most one predefined escaper and the escaper will be present at p.Cmds[len(p.Cmds)-1]. This precondition is always true because of the checks in escapeAction.
Pipeline ends with a predefined escaper.
Special case: pipeline is of the form {{ esc arg1 arg2 ... argN }}, where esc is the predefined escaper, and arg1...argN are its arguments. Convert this into the equivalent form {{ _eval_args_ arg1 arg2 ... argN | esc }}, so that esc can be easily merged with the escapers in s.
.Args[0] = parse.NewIdentifier(evalArgsFuncName).SetTree(nil).SetPos(.Args[0].Position())
.Cmds = append(.Cmds, newIdentCmd(, .Position()))
++
If any of the commands in s that we are about to insert is equivalent to the predefined escaper, use the predefined escaper instead.
The predefined escaper will already be inserted along with the escapers in s, so do not copy it to the rewritten pipeline.
--
}
}
}
Rewrite the pipeline, creating the escapers in s at the end of the pipeline.
:= make([]*parse.CommandNode, , +len())
copy(, .Cmds)
for , := range {
= append(, newIdentCmd(, .Position()))
}
.Cmds =
}
predefinedEscapers contains template predefined escapers that are equivalent to some contextual escapers. Keep in sync with equivEscapers.
var predefinedEscapers = map[string]bool{
"html": true,
"urlquery": true,
}
equivEscapers matches contextual escapers to equivalent predefined template escapers.
The following pairs of HTML escapers provide equivalent security guarantees, since they all escape '\000', '\'', '"', '&', '<', and '>'.
sanitizeHTMLFuncName: "html",
These two URL escapers produce URLs safe for embedding in a URL query by percent-encoding all the reserved characters specified in RFC 3986 Section 2.2
The normalizer function is not actually equivalent to urlquery; urlquery is stricter as it escapes reserved characters (e.g. '#'), while the normalizer function does not. It is therefore only safe to replace the normalizer with with urlquery (this happens in ensurePipelineContains), but not the other way around. We keep this entry around to preserve the behavior of templates written before Go 1.9, which might depend on this substitution taking place.
normalizeURLFuncName: "urlquery",
}
escFnsEq reports whether the two escaping functions are equivalent.
func (, string) bool {
return normalizeEscFn() == normalizeEscFn()
}
normalizeEscFn(a) is equal to normalizeEscFn(b) for any pair of names of escaper functions a and b that are equivalent.
func ( string) string {
if := equivEscapers[]; != "" {
return
}
return
}
newIdentCmd produces a command containing a single identifier node.
func ( string, parse.Pos) *parse.CommandNode {
return &parse.CommandNode{
NodeType: parse.NodeCommand,
Args: []parse.Node{parse.NewIdentifier().SetTree(nil).SetPos()}, // TODO: SetTree.
Pos: ,
}
}
nudge returns the context that would result from following empty string transitions from the input context. For example, parsing: `<a href=` will end in context{stateBeforeValue, AttrURL}, but parsing one extra rune: `<a href=x` will end in context{stateURL, delimSpaceOrTagEnd, ...}. There are two transitions that happen when the 'x' is seen: (1) Transition from a before-value state to a start-of-value state without consuming any character. (2) Consume 'x' and transition past the first value character. In this case, nudging produces the context after (1) happens.
In `<foo {{.}}`, the action should emit an attribute.
In `<foo bar={{.}}`, the action is an undelimited value.
In `<foo bar {{.}}`, the action is an attribute name.
.state = stateAttrName
}
return
}
join joins the two contexts of a branch template node. The result is an error context if either of the input contexts are error contexts, or if the input contexts differ.
func (, context, parse.Node, string) context {
if .state == stateError {
return
}
if .state == stateError {
return
}
Accumulate the result of context-joining elements and attributes in a, since the contents of a are always returned.
The contexts differ only by their element names. The element names from the conditional branches that are accumulated in c.element.names will be checked during action sanitization to ensure that they do not lead to different sanitization contexts.
The contexts differ only by their attribute name. The attribute names from the conditional branches that are accumulated in c.attr.names will be checked during action sanitization to ensure that they do not lead to different sanitization contexts.
return
}
Allow a nudged context to join with an unnudged one. This means that <p title={{if .C}}{{.}}{{end}} ends in an unquoted value state even though the else branch ends in stateBeforeValue.
if , := nudge(), nudge(); !(.eq() && .eq()) {
if := (, , , ); .state != stateError {
return
}
}
return context{
state: stateError,
err: errorf(ErrBranchEnd, , 0, "{{%s}} branches end in different contexts: %v, %v", , , ),
}
}
joinNames returns the slice of all possible names that an element or attr could assume after context joining the element or attr containing aName and aNames with the element or attr containing bName and bNames.
escapeBranch escapes a branch template node: "if", "range" and "with".
func ( *escaper) ( context, *parse.BranchNode, string) context {
:= .escapeList(, .List)
The "true" branch of a "range" node can execute multiple times. We check that executing n.List once results in the same context as executing n.List twice.
, := .escapeListConditionally(, .List, nil)
= join(, , , )
Make clear that this is a problem on loop re-entry since developers tend to overlook that branch when debugging templates.
.err.Line = .Line
.err.Description = "on range loop re-entry: " + .err.Description
return
}
}
:= .escapeList(, .ElseList)
return join(, , , )
}
escapeList escapes a list template node.
escapeListConditionally escapes a list node but only preserves edits and inferences in e if the inferences and output context satisfy filter. It returns the best guess at an output context, and the result of the filter which is the same as whether e was updated.
Make type inferences available to f.
for , := range .output {
.output[] =
}
= .escapeList(, )
:= != nil && (&, )
Copy inferences and edits from e1 back into e.
for , := range .output {
.output[] =
}
for , := range .derived {
.derived[] =
}
for , := range .called {
.called[] =
}
for , := range .actionNodeEdits {
.editActionNode(, )
}
for , := range .templateNodeEdits {
.editTemplateNode(, )
}
for , := range .textNodeEdits {
.editTextNode(, )
}
}
return ,
}
escapeTemplate escapes a {{template}} call node.
func ( *escaper) ( context, *parse.TemplateNode) context {
, := .escapeTree(, , .Name, .Line)
if != .Name {
.editTemplateNode(, )
}
return
}
mangle produces an identifier that includes a suffix that distinguishes it from template names mangled with different contexts.
The mangled name for the default context is the input templateName.
escapeTree escapes the named template starting in the given context as necessary and returns its output context.
Mangle the template name with the input context to produce a reliable identifier.
Already escaped.
return ,
}
:= .template()
Two cases: The template exists but is empty, or has never been mentioned at all. Distinguish the cases in the error messages.
if .ns.set[] != nil {
return context{
state: stateError,
err: errorf(ErrNoSuchTemplate, , , "%q is an incomplete or empty template", ),
},
}
return context{
state: stateError,
err: errorf(ErrNoSuchTemplate, , , "no such template %q", ),
},
}
Use any template derived during an earlier call to escapeTemplate with different top level templates, or clone if necessary.
computeOutCtx takes a template and its start context and computes the output context while storing any inferences in e.
Propagate context over the body.
, := .escapeTemplateBody(, )
Look for a fixed point by assuming c1 as the output context.
if , := .escapeTemplateBody(, ); {
, = , true
Use c1 as the error context if neither assumption worked.
}
if ! && .state != stateError {
return context{
state: stateError,
err: errorf(ErrOutputContext, .Tree.Root, 0, "cannot compute output context for template %s", .Name()),
}
}
return
}
escapeTemplateBody escapes the given template assuming the given output context, and returns the best guess at the output context and whether the assumption was correct.
Do not update the input escaper, e.
return false
}
If t is not recursively called, then c1 is an accurate output context.
return true
c1 is accurate if it matches our assumed output context.
return .eq()
We need to assume an output context so that recursive template calls take the fast path out of escapeTree instead of infinitely recursing. Naively assuming that the input context is the same as the output works >90% of the time.
.output[.Name()] =
return .escapeListConditionally(, .Tree.Root, )
}
delimEnds maps each delim to a string of characters that terminate it.
var delimEnds = [...]string{
delimDoubleQuote: `"`,
Determined empirically by running the below in various browsers. var div = document.createElement("DIV"); for (var i = 0; i < 0x10000; ++i) { div.innerHTML = "<span title=x" + String.fromCharCode(i) + "-bar>"; if (div.getElementsByTagName("SPAN")[0].title.indexOf("bar") < 0) document.write("<p>U+" + i.toString(16)); }
delimSpaceOrTagEnd: " \t\n\f\r>",
}
var doctypeBytes = []byte("<!DOCTYPE")
escapeText escapes a text template node.
This substring search is not perfect, but it is unlikely that this substring will exist in template text for any other reason than to specify a javascript URI.
return context{
state: stateError,
err: errorf(ErrCSPCompatibility, , 0, `"javascript:" URI disallowed for CSP compatibility`),
}
}
for != len() {
if .ns.cspCompatible && strings.HasPrefix(.attr.name, "on") {
return context{
state: stateError,
err: errorf(ErrCSPCompatibility, , 0, "inline event handler %q is disallowed for CSP compatibility", .attr.name),
}
}
, := contextAfterText(, [:])
:= +
, := sanitizationContextForElementContent(.element.name)
if .state == stateText || == nil && == sanitizationContextRCDATA {
:=
if .state != .state {
for := - 1; >= ; -- {
if [] == '<' {
=
break
}
}
}
for := ; < ; ++ {
if [] == '<' && !bytes.HasPrefix(bytes.ToUpper([:]), doctypeBytes) {
.Write([:])
.WriteString("<")
= + 1
}
}
} else if isComment(.state) && .delim == delimNone {
=
}
if .state == stateSpecialElementBody && .element.name == "script" {
if := isJsTemplateBalanced(bytes.NewBuffer()); != nil {
return context{
state: stateError,
err: errorf(ErrUnbalancedJsTemplate, , 0, "Mixing template systems can cause security vulnerabilites. Therefore, there can be no safehtml/template insertion points or actions inside an ES6 template, and all ES6 templates must be closed: %v", .Error()),
}
}
}
Preserve the portion between written and the comment start.
:= - 2
"<!--" instead of "" or "//"
contextAfterText starts in context c, consumes some tokens from the front of s, then returns the context after those tokens and the unprocessed suffix.
A special end tag (`</script>`) has been seen and all content preceding it has been consumed.
return , 0
Consider all content up to any end tag.
return transitionFunc[.state](, [:])
}
We are at the beginning of an attribute value.
http://www.w3.org/TR/html5/syntax.html#attribute-value-(unquoted)-state lists the runes below as error characters. Error out because HTML parsers may differ on whether "<a id= onclick=f(" ends inside id's or onclick's value, "<a class=`foo " ends inside a value, "<a style=font:'Arial'" needs open-quote fixup. IE treats '`' as a quotation character.
Remain inside the attribute. Decode the value so non-HTML rules can easily handle <button onclick="alert("Hi!")"> without having to entity decode token boundaries.
for := []byte(html.UnescapeString(string())); len() != 0; {
, := transitionFunc[.state](, )
, = , [:]
}
return , len()
}
On exiting an attribute, we discard all state information except the state, element, scriptType, and linkRel.
:= context{
state: stateTag,
element: .element,
scriptType: .scriptType,
linkRel: .linkRel,
Save the script element's type attribute value if we are parsing it for the first time.
Save the link element's rel attribute value if we are parsing it for the first time.
Consume any quote.
++
}
return ,
}
editActionNode records a change to an action pipeline for later commit.
func ( *escaper) ( *parse.ActionNode, []string) {
if , := .actionNodeEdits[]; {
panic(fmt.Sprintf("node %s shared between templates", ))
}
.actionNodeEdits[] =
}
editTemplateNode records a change to a {{template}} callee for later commit.
func ( *escaper) ( *parse.TemplateNode, string) {
if , := .templateNodeEdits[]; {
panic(fmt.Sprintf("node %s shared between templates", ))
}
.templateNodeEdits[] =
}
editTextNode records a change to a text node for later commit.
func ( *escaper) ( *parse.TextNode, []byte) {
if , := .textNodeEdits[]; {
panic(fmt.Sprintf("node %s shared between templates", ))
}
.textNodeEdits[] =
}
commit applies changes to actions and template calls needed to contextually autoescape content and adds any derived templates to the set.
Any template from the name space associated with this escaper can be used to add derived templates to the underlying text/template name space.
:= .arbitraryTemplate()
for , := range .derived {
if , := .text.AddParseTree(.Name(), .Tree); != nil {
panic("error adding derived template")
}
}
for , := range .actionNodeEdits {
ensurePipelineContains(.Pipe, )
}
for , := range .templateNodeEdits {
.Name =
}
for , := range .textNodeEdits {
.Text =
Reset state that is specific to this commit so that the same changes are not re-applied to the template on subsequent calls to commit.
.called = make(map[string]bool)
.actionNodeEdits = make(map[*parse.ActionNode][]string)
.templateNodeEdits = make(map[*parse.TemplateNode]string)
.textNodeEdits = make(map[*parse.TextNode][]byte)
}
template returns the named template given a mangled template name.
Any template from the name space associated with this escaper can be used to look up templates in the underlying text/template name space.
:= .arbitraryTemplate().text.Lookup()
if == nil {
= .derived[]
}
return
}
arbitraryTemplate returns an arbitrary template from the name space associated with e and panics if no templates are found.
indirectToStringerOrError returns the value, after dereferencing as many times as necessary to reach the base type (or nil) or an implementation of fmt.Stringer or error,
func ( interface{}) interface{} {
if == nil {
return nil
}
:= reflect.ValueOf()
for !.Type().Implements(fmtStringerType) && !.Type().Implements(errorType) && .Kind() == reflect.Ptr && !.IsNil() {
= .Elem()
}
return .Interface()
}
var (
jsTemplateSeparator = []byte("`")
jsTemplateExprStart = []byte("${")
jsTemplateExprEnd = []byte("}")
)
Determine if a string has unbalanced (open) JS templates.
s is a JS template string (without the opening `); this function consumes s up to the matching closing `.
func ( *bytes.Buffer) error {
for {
:= bytes.Index(.Bytes(), jsTemplateSeparator)
:= bytes.Index(.Bytes(), jsTemplateExprStart)
if == -1 {
return fmt.Errorf("Missing closing ` in JS template")
}
if != -1 && < {
:= consumeJsTemplateExpr()
if != nil {
return
}
return ()
The template expression occurs after this template, e.g. "`foo``bar${test}`".
s is a Js Template expression (starting with "${"). This function consumes up to and including the matching closing "}".
 |
The pages are generated with Golds v0.3.2-preview. (GOOS=darwin GOARCH=amd64) Golds is a Go 101 project developed by Tapir Liu. PR and bug reports are welcome and can be submitted to the issue list. Please follow @Go100and1 (reachable from the left QR code) to get the latest news of Golds. |