html: escape comment and doctype tokens' data
Fixes golang/go#48237

Change-Id: I309e3ad30684fb71b9b3e67dfac156da08dbc69b
Reviewed-on: https://go-review.googlesource.com/c/net/+/419334
Run-TryBot: Nigel Tao <nigeltao@golang.org>
Reviewed-by: Cherry Mui <cherryyz@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Kunpei Sakai <namusyaka@gmail.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
nigeltao committed Jul 26, 2022
1 parent 46097bf commit 0699458
Showing 4 changed files with 14 additions and 9 deletions.
4 changes: 2 additions & 2 deletions html/render.go
Expand Up @@ -85,7 +85,7 @@ func render1(w writer, n *Node) error {
if _, err := w.WriteString("<!--"); err != nil {
return err
}
if _, err := w.WriteString(n.Data); err != nil {
if err := escape(w, n.Data); err != nil {
return err
}
if _, err := w.WriteString("-->"); err != nil {
Expand All @@ -96,7 +96,7 @@ func render1(w writer, n *Node) error {
if _, err := w.WriteString("<!DOCTYPE "); err != nil {
return err
}
if _, err := w.WriteString(n.Data); err != nil {
if err := escape(w, n.Data); err != nil {
return err
}
if n.Attr != nil {
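Review bot: The `escape(w, n.Data)` call added on the comment branch deserves a why-comment, because the reason is not visible from the line itself: comment data is written raw between `<!--` and `-->`, so data containing `-->` (or `--!>`, which also ends a comment in HTML) would have closed the comment early and let the rest of the data be parsed as markup. I would add `// Escape so that data containing "-->" (or "--!>") cannot end the comment early.` above that call and `// Escape so that data containing ">" cannot end the doctype early.` above the doctype one. Worth recording in Render's documentation as well: HTML parsers do not decode character references inside comments, so data `x>` is rendered as `<!--x&gt;-->` and re-parses as the data `x&gt;` — the output is safe but no longer round-trips. render1 and the `escape` helper both start outside the hunk, so I am assuming `escape` rewrites `>` the way EscapeString does; the doctype's `n.Attr` values written after the hunk are worth checking for the same treatment.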
9 changes: 7 additions & 2 deletions html/render_test.go
Expand Up @@ -94,6 +94,10 @@ func TestRenderer(t *testing.T) {
Data: "comm",
},
15: {
Type: CommentNode,
Data: "x-->y", // Needs escaping.
},
16: {
Type: RawNode,
Data: "7<pre>8</pre>9",
},
Expand All @@ -119,7 +123,8 @@ func TestRenderer(t *testing.T) {
12: `. . <br>`,
13: `. . "6"`,
14: `. . "<!--comm-->"`,
15: `. . "7<pre>8</pre>9"`,
15: `. . "<!--x--&gt;y-->"`,
16: `. . "7<pre>8</pre>9"`,
}
if len(nodes) != len(treeAsText) {
t.Fatal("len(nodes) != len(treeAsText)")
Expand Down Expand Up @@ -155,7 +160,7 @@ func TestRenderer(t *testing.T) {

want := `<html><head></head><body>0&lt;1<p id="A" foo="abc&#34;def">` +
`2<b empty="">3</b><i backslash="\">&amp;4</i></p>` +
`5<blockquote></blockquote><br/>6<!--comm-->7<pre>8</pre>9</body></html>`
`5<blockquote></blockquote><br/>6<!--comm--><!--x--&gt;y-->7<pre>8</pre>9</body></html>`
b := new(bytes.Buffer)
if err := Render(b, nodes[0]); err != nil {
t.Fatal(err)
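Review bot: The new case 15 exercises only the comment branch of render1; no DoctypeNode whose Data contains `>` is added in these hunks, even though render.go's doctype branch received the same `escape` call, and token_test.go likewise updates only comment expectations. If the rest of the node list (outside the hunk) has no doctype with such data, a case like `Type: DoctypeNode, Data: "a>b"` with expected output `<!DOCTYPE a&gt;b>` would pin the second half of the fix. A comment whose data contains `--!>` is also worth a case, since that sequence ends a comment too and the added node only exercises `-->`.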
4 changes: 2 additions & 2 deletions html/token.go
Expand Up @@ -110,9 +110,9 @@ func (t Token) String() string {
case SelfClosingTagToken:
return "<" + t.tagString() + "/>"
case CommentToken:
return "<!--" + t.Data + "-->"
return "<!--" + EscapeString(t.Data) + "-->"
case DoctypeToken:
return "<!DOCTYPE " + t.Data + ">"
return "<!DOCTYPE " + EscapeString(t.Data) + ">"
}
return "Invalid(" + strconv.Itoa(int(t.Type)) + ")"
}
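Review bot: Token.String now returns escaped comment and doctype text, and its doc comment, which sits above the hunk if present, should say so, since the result is no longer the byte-for-byte source the tokenizer consumed. Because HTML parsers do not decode character references inside comments, `<!--x&gt;-->` re-tokenizes to the data `x&gt;` rather than `x>`, so any caller that used String for round-tripping will observe a change. I would add a sentence such as `// Comment and doctype data are escaped so the result cannot end the token early; re-tokenizing the output does not recover the original data.` to that doc comment.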
6 changes: 3 additions & 3 deletions html/token_test.go
Expand Up @@ -314,12 +314,12 @@ var tokenTests = []tokenTest{
{
"comment3",
"a<!--x>-->z",
"a$<!--x>-->$z",
"a$<!--x&gt;-->$z",
},
{
"comment4",
"a<!--x->-->z",
"a$<!--x->-->$z",
"a$<!--x-&gt;-->$z",
},
{
"comment5",
Expand All @@ -334,7 +334,7 @@ var tokenTests = []tokenTest{
{
"comment7",
"a<!---<>z",
"a$<!---<>z-->",
"a$<!---&lt;&gt;z-->",
},
{
"comment8",
