html: escape comment and doctype tokens' data
Fixes golang/go#48237 Change-Id: I309e3ad30684fb71b9b3e67dfac156da08dbc69b Reviewed-on: https://go-review.googlesource.com/c/net/+/419334 Run-TryBot: Nigel Tao <[email protected]> Reviewed-by: Cherry Mui <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]> Reviewed-by: Kunpei Sakai <[email protected]> TryBot-Result: Gopher Robot <[email protected]>
1 parent 46097bf commit 0699458


4 files changed

+14
-9
lines changed


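--- a/html/render.go
+++ b/html/render.go
@@ -85,7 +85,7 @@ func render1(w writer, n *Node) error {
 if _, err := w.WriteString("<!--"); err != nil {
 return err
 }
-if _, err := w.WriteString(n.Data); err != nil {
+if err := escape(w, n.Data); err != nil {
 return err
 }
 if _, err := w.WriteString("-->"); err != nil {
@@ -96,7 +96,7 @@ func render1(w writer, n *Node) error {
 if _, err := w.WriteString("<!DOCTYPE "); err != nil {
 return err
 }
-if _, err := w.WriteString(n.Data); err != nil {
+if err := escape(w, n.Data); err != nil {
 return err
 }
 if n.Attr != nil {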
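Review bot: The switch to `escape(w, n.Data)` in the comment and doctype branches deserves a why-comment at the call, because a reader will otherwise wonder why comment text is entity-encoded on output. Suggested: `// Escape so that a ">" (as in "-->") inside n.Data cannot close the comment early and let the remainder of the data be parsed as markup.` It is also worth stating, here or in Render's doc, that this makes Render followed by Parse not an exact round trip for comments containing `<`, `>` or `&`: re-parsing `<!--x--&gt;y-->` yields comment data `x--&gt;y` rather than `x-->y` if comment text is not entity-decoded on parse, which appears to be the case but is outside this diff. The same comment applies to the CommentToken and DoctypeToken cases of Token.String in html/token.go. The enclosing switch in render1 starts and ends outside both hunks.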

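--- a/html/render_test.go
+++ b/html/render_test.go
@@ -94,6 +94,10 @@ func TestRenderer(t *testing.T) {
 Data: "comm",
 },
 15: {
+Type: CommentNode,
+Data: "x-->y", // Needs escaping.
+},
+16: {
 Type: RawNode,
 Data: "7<pre>8</pre>9",
 },
@@ -119,7 +123,8 @@ func TestRenderer(t *testing.T) {
 12: `. . <br>`,
 13: `. . "6"`,
 14: `. . "<!--comm-->"`,
-15: `. . "7<pre>8</pre>9"`,
+15: `. . "<!--x--&gt;y-->"`,
+16: `. . "7<pre>8</pre>9"`,
 }
 if len(nodes) != len(treeAsText) {
 t.Fatal("len(nodes) != len(treeAsText)")
@@ -155,7 +160,7 @@ func TestRenderer(t *testing.T) {
 
 want := `<html><head></head><body>0&lt;1<p id="A" foo="abc&#34;def">` +
 `2<b empty="">3</b><i backslash="\">&amp;4</i></p>` +
-`5<blockquote></blockquote><br/>6<!--comm-->7<pre>8</pre>9</body></html>`
+`5<blockquote></blockquote><br/>6<!--comm--><!--x--&gt;y-->7<pre>8</pre>9</body></html>`
 b := new(bytes.Buffer)
 if err := Render(b, nodes[0]); err != nil {
 t.Fatal(err)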
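Review bot: The added case only exercises the CommentNode branch (`x-->y`); the DoctypeNode branch changed in the same commit in html/render.go gets no coverage in these hunks, and the html/token_test.go hunks likewise adjust only comment expectations. Unless a doctype case already exists elsewhere in the file, add a `DoctypeNode` whose Data contains `>` and expect `&gt;` in the rendered output, so a regression in the doctype path is caught independently of the comment path. TestRenderer starts and ends outside the hunks.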

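--- a/html/token.go
+++ b/html/token.go
@@ -110,9 +110,9 @@ func (t Token) String() string {
 case SelfClosingTagToken:
 return "<" + t.tagString() + "/>"
 case CommentToken:
-return "<!--" + t.Data + "-->"
+return "<!--" + EscapeString(t.Data) + "-->"
 case DoctypeToken:
-return "<!DOCTYPE " + t.Data + ">"
+return "<!DOCTYPE " + EscapeString(t.Data) + ">"
 }
 return "Invalid(" + strconv.Itoa(int(t.Type)) + ")"
 }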

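--- a/html/token_test.go
+++ b/html/token_test.go
@@ -314,12 +314,12 @@ var tokenTests = []tokenTest{
 {
 "comment3",
 "a<!--x>-->z",
-"a$<!--x>-->$z",
+"a$<!--x&gt;-->$z",
 },
 {
 "comment4",
 "a<!--x->-->z",
-"a$<!--x->-->$z",
+"a$<!--x-&gt;-->$z",
 },
 {
 "comment5",
@@ -334,7 +334,7 @@ var tokenTests = []tokenTest{
 {
 "comment7",
 "a<!---<>z",
-"a$<!---<>z-->",
+"a$<!---&lt;&gt;z-->",
 },
 {
 "comment8",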
