v6.8.1

@jedib0t released this 11 Jun 02:37
22c68f6

What's Changed

A hardening pass across the table, list, progress, and text packages,
fixing security issues, crash/race bugs, and performance problems in the
render hot paths, with benchmarks added to back the optimizations.

Security

  • table/list (HTML): escape the title, caption, and CSS class names in
    RenderHTML() to prevent HTML/attribute injection.
  • table (CSV): make RenderCSV() output RFC 4180 compliant, and add an
    opt-in Style().CSV.FieldProtection option that neutralizes spreadsheet
    formula-injection fields (=, +, -, @, tab, CR).
  • text: sanitize hyperlink URLs and bound the escape-sequence parser
    buffer so adversarial input can't grow it without limit.
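
The formula-injection neutralization described in the CSV item above, as an added Go example that is not go-pretty's code. `formulaTriggers`, `neutralize` and `renderCSV` are hypothetical names, and prefixing a single quote is an assumed strategy (the release note does not say how FieldProtection rewrites a field).

```go
package main

import (
	"bytes"
	"encoding/csv"
	"fmt"
	"strings"
)

// Leading characters listed in the release note: =, +, -, @, tab, CR.
const formulaTriggers = "=+-@\t\r"

// neutralize prefixes a single quote when a field starts with a trigger
// character, so a spreadsheet treats it as text (assumed strategy).
func neutralize(field string) string {
	if field != "" && strings.IndexByte(formulaTriggers, field[0]) >= 0 {
		return "'" + field
	}
	return field
}

// renderCSV quotes fields per RFC 4180 using encoding/csv and, when protect
// is true, neutralizes every field first.
func renderCSV(rows [][]string, protect bool) (string, error) {
	var buf bytes.Buffer
	w := csv.NewWriter(&buf)
	w.UseCRLF = true // RFC 4180 record separator
	for _, row := range rows {
		out := make([]string, len(row))
		for i, f := range row {
			if protect {
				f = neutralize(f)
			}
			out[i] = f
		}
		if err := w.Write(out); err != nil {
			return "", err
		}
	}
	w.Flush()
	return buf.String(), w.Error()
}

func main() {
	// Constructed sample rows.
	rows := [][]string{{"user", "comment"}, {"alice", "=1+1"}, {"bob", "-5"}}
	out, _ := renderCSV(rows, true)
	fmt.Print(out)
}
```

Under this strategy a legitimate negative number such as -5 is rewritten as well, so the protected form suits exports destined for spreadsheet software rather than machine-to-machine CSV.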

Correctness

  • progress: fix a render panic on tiny tracker lengths, data races on
    tracker/indicator state, and a leaked time.Ticker in the terminal-size
    watcher.
  • table: guard auto-index rendering against empty maxColumnLengths.
  • text: prevent a panic in VAlign.Apply on negative maxLines.

Performance

  • table: compile regex filters once per render; pre-size render builders.
  • list: hoist repeated width math out of the render loops.
  • text: speed up Align.Apply and StringWidthWithoutEscSequences.
  • progress: build PacManChomp frames with a strings.Builder.

Tooling

  • Moved root-level benchmarks into their packages and wired up make bench;
    added benchmarks for the table/text/list/progress render hot paths and tests
    covering the retained-done-tracker render paths.

Full Changelog: v6.8.0...v6.8.1