Source File
html.go
Belonging Package
html/template
Copyright 2011 The Go Authors. All rights reserved. Use of this source code is governed by a BSD-style license that can be found in the LICENSE file.
package template
import (
)
htmlNospaceEscaper escapes for inclusion in unquoted attribute values.
func ( ...interface{}) string {
, := stringify(...)
if == contentTypeHTML {
return htmlReplacer(stripTags(), htmlNospaceNormReplacementTable, false)
}
return htmlReplacer(, htmlNospaceReplacementTable, false)
}
attrEscaper escapes for inclusion in quoted attribute values.
func ( ...interface{}) string {
, := stringify(...)
if == contentTypeHTML {
return htmlReplacer(stripTags(), htmlNormReplacementTable, true)
}
return htmlReplacer(, htmlReplacementTable, true)
}
rcdataEscaper escapes for inclusion in an RCDATA element body.
func ( ...interface{}) string {
, := stringify(...)
if == contentTypeHTML {
return htmlReplacer(, htmlNormReplacementTable, true)
}
return htmlReplacer(, htmlReplacementTable, true)
}
htmlEscaper escapes for inclusion in HTML text.
func ( ...interface{}) string {
, := stringify(...)
if == contentTypeHTML {
return
}
return htmlReplacer(, htmlReplacementTable, true)
}
htmlReplacementTable contains the runes that need to be escaped inside a quoted attribute value or in a text node.
https://www.w3.org/TR/html5/syntax.html#attribute-value-(unquoted)-state U+0000 NULL Parse error. Append a U+FFFD REPLACEMENT CHARACTER character to the current attribute's value. " and similarly https://www.w3.org/TR/html5/syntax.html#before-attribute-value-state
0: "\uFFFD",
'"': """,
'&': "&",
'\'': "'",
'+': "+",
'<': "<",
'>': ">",
}
htmlNormReplacementTable is like htmlReplacementTable but without '&' to avoid over-encoding existing entities.
var htmlNormReplacementTable = []string{
0: "\uFFFD",
'"': """,
'\'': "'",
'+': "+",
'<': "<",
'>': ">",
}
htmlNospaceReplacementTable contains the runes that need to be escaped inside an unquoted attribute value. The set of runes escaped is the union of the HTML specials and those determined by running the JS below in browsers: <div id=d></div> <script>(function () { var a = [], d = document.getElementById("d"), i, c, s; for (i = 0; i < 0x10000; ++i) { c = String.fromCharCode(i); d.innerHTML = "<span title=" + c + "lt" + c + "></span>" s = d.getElementsByTagName("SPAN")[0]; if (!s || s.title !== c + "lt" + c) { a.push(i.toString(16)); } } document.write(a.join(", ")); })()</script>
var htmlNospaceReplacementTable = []string{
0: "�",
'\t': "	",
'\n': " ",
'\v': "",
'\f': "",
'\r': " ",
' ': " ",
'"': """,
'&': "&",
'\'': "'",
'+': "+",
'<': "<",
'=': "=",
A parse error in the attribute value (unquoted) and before attribute value states. Treated as a quoting character by IE.
'`': "`",
}
htmlNospaceNormReplacementTable is like htmlNospaceReplacementTable but without '&' to avoid over-encoding existing entities.
var htmlNospaceNormReplacementTable = []string{
0: "�",
'\t': "	",
'\n': " ",
'\v': "",
'\f': "",
'\r': " ",
' ': " ",
'"': """,
'\'': "'",
'+': "+",
'<': "<",
'=': "=",
A parse error in the attribute value (unquoted) and before attribute value states. Treated as a quoting character by IE.
'`': "`",
}
htmlReplacer returns s with runes replaced according to replacementTable and when badRunes is true, certain bad runes are allowed through unescaped.
Cannot use 'for range s' because we need to preserve the width of the runes in the input. If we see a decoding error, the input width will not be utf8.Runelen(r) and we will overrun the buffer.
, = utf8.DecodeRuneInString([:])
if int() < len() {
if := []; len() != 0 {
if == 0 {
.Grow(len())
}
.WriteString([:])
.WriteString()
= +
}
No-op. IE does not allow these ranges in unquoted attrs.
stripTags takes a snippet of HTML and returns only the text content. For example, `<b>¡Hi!</b> <script>...</script>` -> `¡Hi! `.
Using the transition funcs helps us avoid mangling `<div title="1>2">` or `I <3 Ponies!`.
Use RCDATA instead of parsing into JS or CSS styles.
if .element != elementNone && !isInTag() {
= stateRCDATA
}
, := transitionFunc[](, [:])
:= +
Emit text up to the start of the tag or comment.
Consume any quote.
htmlNameFilter accepts valid parts of an HTML attribute or tag name or a known-safe HTML attribute.
func ( ...interface{}) string {
, := stringify(...)
if == contentTypeHTMLAttr {
return
}
Avoid violation of structure preservation. <input checked {{.K}}={{.V}}>. Without this, if .K is empty then .V is the value of checked, but otherwise .V is the value of the attribute named .K.
return filterFailsafe
}
= strings.ToLower()
TODO: Split attr and element name part filters so we can recognize known attributes.
return filterFailsafe
}
for , := range {
switch {
case '0' <= && <= '9':
case 'a' <= && <= 'z':
default:
return filterFailsafe
}
}
return
}
commentEscaper returns the empty string regardless of input. Comment content does not correspond to any parsed structure or human-readable content, so the simplest and most secure policy is to drop content interpolated into comments. This approach is equally valid whether or not static comment content is removed from the template.
func ( ...interface{}) string {
return ""
 |
The pages are generated with Golds v0.3.2-preview. (GOOS=darwin GOARCH=amd64) Golds is a Go 101 project developed by Tapir Liu. PR and bug reports are welcome and can be submitted to the issue list. Please follow @Go100and1 (reachable from the left QR code) to get the latest news of Golds. |