url.go

Documentation: html/template

		 1  // Copyright 2011 The Go Authors. All rights reserved.
		 2  // Use of this source code is governed by a BSD-style
		 3  // license that can be found in the LICENSE file.
		 4  
		 5  package template
		 6  
		 7  import (
		 8  	"bytes"
		 9  	"fmt"
		10  	"strings"
		11  )
		12  
		13  // urlFilter returns its input unless it contains an unsafe scheme in which
		14  // case it defangs the entire URL.
		15  //
		16  // Schemes that cause unintended side effects that are irreversible without user
		17  // interaction are considered unsafe. For example, clicking on a "javascript:"
		18  // link can immediately trigger JavaScript code execution.
		19  //
		20  // This filter conservatively assumes that all schemes other than the following
		21  // are unsafe:
		22  //		* http:	 Navigates to a new website, and may open a new window or tab.
		23  //							These side effects can be reversed by navigating back to the
		24  //							previous website, or closing the window or tab. No irreversible
		25  //							changes will take place without further user interaction with
		26  //							the new website.
		27  //		* https:	Same as http.
		28  //		* mailto: Opens an email program and starts a new draft. This side effect
		29  //							is not irreversible until the user explicitly clicks send; it
		30  //							can be undone by closing the email program.
		31  //
		32  // To allow URLs containing other schemes to bypass this filter, developers must
		33  // explicitly indicate that such a URL is expected and safe by encapsulating it
		34  // in a template.URL value.
		35  func urlFilter(args ...interface{}) string {
		36  	s, t := stringify(args...)
		37  	if t == contentTypeURL {
		38  		return s
		39  	}
		40  	if !isSafeURL(s) {
		41  		return "#" + filterFailsafe
		42  	}
		43  	return s
		44  }
		45  
		46  // isSafeURL is true if s is a relative URL or if URL has a protocol in
		47  // (http, https, mailto).
		48  func isSafeURL(s string) bool {
		49  	if i := strings.IndexRune(s, ':'); i >= 0 && !strings.ContainsRune(s[:i], '/') {
		50  
		51  		protocol := s[:i]
		52  		if !strings.EqualFold(protocol, "http") && !strings.EqualFold(protocol, "https") && !strings.EqualFold(protocol, "mailto") {
		53  			return false
		54  		}
		55  	}
		56  	return true
		57  }
		58  
		59  // urlEscaper produces an output that can be embedded in a URL query.
		60  // The output can be embedded in an HTML attribute without further escaping.
		61  func urlEscaper(args ...interface{}) string {
		62  	return urlProcessor(false, args...)
		63  }
		64  
		65  // urlNormalizer normalizes URL content so it can be embedded in a quote-delimited
		66  // string or parenthesis delimited url(...).
		67  // The normalizer does not encode all HTML specials. Specifically, it does not
		68  // encode '&' so correct embedding in an HTML attribute requires escaping of
		69  // '&' to '&amp;'.
		70  func urlNormalizer(args ...interface{}) string {
		71  	return urlProcessor(true, args...)
		72  }
		73  
		74  // urlProcessor normalizes (when norm is true) or escapes its input to produce
		75  // a valid hierarchical or opaque URL part.
		76  func urlProcessor(norm bool, args ...interface{}) string {
		77  	s, t := stringify(args...)
		78  	if t == contentTypeURL {
		79  		norm = true
		80  	}
		81  	var b bytes.Buffer
		82  	if processURLOnto(s, norm, &b) {
		83  		return b.String()
		84  	}
		85  	return s
		86  }
		87  
		88  // processURLOnto appends a normalized URL corresponding to its input to b
		89  // and reports whether the appended content differs from s.
		90  func processURLOnto(s string, norm bool, b *bytes.Buffer) bool {
		91  	b.Grow(len(s) + 16)
		92  	written := 0
		93  	// The byte loop below assumes that all URLs use UTF-8 as the
		94  	// content-encoding. This is similar to the URI to IRI encoding scheme
		95  	// defined in section 3.1 of	RFC 3987, and behaves the same as the
		96  	// EcmaScript builtin encodeURIComponent.
		97  	// It should not cause any misencoding of URLs in pages with
		98  	// Content-type: text/html;charset=UTF-8.
		99  	for i, n := 0, len(s); i < n; i++ {
	 100  		c := s[i]
	 101  		switch c {
	 102  		// Single quote and parens are sub-delims in RFC 3986, but we
	 103  		// escape them so the output can be embedded in single
	 104  		// quoted attributes and unquoted CSS url(...) constructs.
	 105  		// Single quotes are reserved in URLs, but are only used in
	 106  		// the obsolete "mark" rule in an appendix in RFC 3986
	 107  		// so can be safely encoded.
	 108  		case '!', '#', '$', '&', '*', '+', ',', '/', ':', ';', '=', '?', '@', '[', ']':
	 109  			if norm {
	 110  				continue
	 111  			}
	 112  		// Unreserved according to RFC 3986 sec 2.3
	 113  		// "For consistency, percent-encoded octets in the ranges of
	 114  		// ALPHA (%41-%5A and %61-%7A), DIGIT (%30-%39), hyphen (%2D),
	 115  		// period (%2E), underscore (%5F), or tilde (%7E) should not be
	 116  		// created by URI producers
	 117  		case '-', '.', '_', '~':
	 118  			continue
	 119  		case '%':
	 120  			// When normalizing do not re-encode valid escapes.
	 121  			if norm && i+2 < len(s) && isHex(s[i+1]) && isHex(s[i+2]) {
	 122  				continue
	 123  			}
	 124  		default:
	 125  			// Unreserved according to RFC 3986 sec 2.3
	 126  			if 'a' <= c && c <= 'z' {
	 127  				continue
	 128  			}
	 129  			if 'A' <= c && c <= 'Z' {
	 130  				continue
	 131  			}
	 132  			if '0' <= c && c <= '9' {
	 133  				continue
	 134  			}
	 135  		}
	 136  		b.WriteString(s[written:i])
	 137  		fmt.Fprintf(b, "%%%02x", c)
	 138  		written = i + 1
	 139  	}
	 140  	b.WriteString(s[written:])
	 141  	return written != 0
	 142  }
	 143  
	 144  // Filters and normalizes srcset values which are comma separated
	 145  // URLs followed by metadata.
	 146  func srcsetFilterAndEscaper(args ...interface{}) string {
	 147  	s, t := stringify(args...)
	 148  	switch t {
	 149  	case contentTypeSrcset:
	 150  		return s
	 151  	case contentTypeURL:
	 152  		// Normalizing gets rid of all HTML whitespace
	 153  		// which separate the image URL from its metadata.
	 154  		var b bytes.Buffer
	 155  		if processURLOnto(s, true, &b) {
	 156  			s = b.String()
	 157  		}
	 158  		// Additionally, commas separate one source from another.
	 159  		return strings.ReplaceAll(s, ",", "%2c")
	 160  	}
	 161  
	 162  	var b bytes.Buffer
	 163  	written := 0
	 164  	for i := 0; i < len(s); i++ {
	 165  		if s[i] == ',' {
	 166  			filterSrcsetElement(s, written, i, &b)
	 167  			b.WriteString(",")
	 168  			written = i + 1
	 169  		}
	 170  	}
	 171  	filterSrcsetElement(s, written, len(s), &b)
	 172  	return b.String()
	 173  }
	 174  
	 175  // Derived from https://play.golang.org/p/Dhmj7FORT5
	 176  const htmlSpaceAndASCIIAlnumBytes = "\x00\x36\x00\x00\x01\x00\xff\x03\xfe\xff\xff\x07\xfe\xff\xff\x07"
	 177  
	 178  // isHTMLSpace is true iff c is a whitespace character per
	 179  // https://infra.spec.whatwg.org/#ascii-whitespace
	 180  func isHTMLSpace(c byte) bool {
	 181  	return (c <= 0x20) && 0 != (htmlSpaceAndASCIIAlnumBytes[c>>3]&(1<<uint(c&0x7)))
	 182  }
	 183  
	 184  func isHTMLSpaceOrASCIIAlnum(c byte) bool {
	 185  	return (c < 0x80) && 0 != (htmlSpaceAndASCIIAlnumBytes[c>>3]&(1<<uint(c&0x7)))
	 186  }
	 187  
	 188  func filterSrcsetElement(s string, left int, right int, b *bytes.Buffer) {
	 189  	start := left
	 190  	for start < right && isHTMLSpace(s[start]) {
	 191  		start++
	 192  	}
	 193  	end := right
	 194  	for i := start; i < right; i++ {
	 195  		if isHTMLSpace(s[i]) {
	 196  			end = i
	 197  			break
	 198  		}
	 199  	}
	 200  	if url := s[start:end]; isSafeURL(url) {
	 201  		// If image metadata is only spaces or alnums then
	 202  		// we don't need to URL normalize it.
	 203  		metadataOk := true
	 204  		for i := end; i < right; i++ {
	 205  			if !isHTMLSpaceOrASCIIAlnum(s[i]) {
	 206  				metadataOk = false
	 207  				break
	 208  			}
	 209  		}
	 210  		if metadataOk {
	 211  			b.WriteString(s[left:start])
	 212  			processURLOnto(url, true, b)
	 213  			b.WriteString(s[end:right])
	 214  			return
	 215  		}
	 216  	}
	 217  	b.WriteString("#")
	 218  	b.WriteString(filterFailsafe)
	 219  }
	 220
View as plain text