Fix Go template script escaping

Fixes #6695
2025-08-31 22:41:53 +02:00 · 2020-05-23 15:32:27 +02:00
parent c34bf48560
commit 6c3c6686f5
27 changed files with 1090 additions and 292 deletions
--- a/tpl/internal/go_templates/htmltemplate/js.go
+++ b/tpl/internal/go_templates/htmltemplate/js.go
@@ -164,7 +164,6 @@ func jsValEscaper(args ...interface{}) string {
 	}
 	// TODO: detect cycles before calling Marshal which loops infinitely on
 	// cyclic data. This may be an unacceptable DoS risk.
-
 	b, err := json.Marshal(a)
 	if err != nil {
 		// Put a space before comment so that if it is flush against
@@ -179,8 +178,8 @@ func jsValEscaper(args ...interface{}) string {
 	// TODO: maybe post-process output to prevent it from containing
 	// "<!--", "-->", "<![CDATA[", "]]>", or "</script"
 	// in case custom marshalers produce output containing those.
-
-	// TODO: Maybe abbreviate \u00ab to \xab to produce more compact output.
+	// Note: Do not use \x escaping to save bytes because it is not JSON compatible and this escaper
+	// supports ld+json content-type.
 	if len(b) == 0 {
 		// In, `x=y/{{.}}*z` a json.Marshaler that produces "" should
 		// not cause the output `x=y/*z`.
@@ -261,6 +260,8 @@ func replace(s string, replacementTable []string) string {
 		r, w = utf8.DecodeRuneInString(s[i:])
 		var repl string
 		switch {
+		case int(r) < len(lowUnicodeReplacementTable):
+			repl = lowUnicodeReplacementTable[r]
 		case int(r) < len(replacementTable) && replacementTable[r] != "":
 			repl = replacementTable[r]
 		case r == '\u2028':
@@ -284,67 +285,80 @@ func replace(s string, replacementTable []string) string {
 	return b.String()
 }

-var jsStrReplacementTable = []string{
-	0:    `\0`,
+var lowUnicodeReplacementTable = []string{
+	0: `\u0000`, 1: `\u0001`, 2: `\u0002`, 3: `\u0003`, 4: `\u0004`, 5: `\u0005`, 6: `\u0006`,
+	'\a': `\u0007`,
+	'\b': `\u0008`,
 	'\t': `\t`,
 	'\n': `\n`,
-	'\v': `\x0b`, // "\v" == "v" on IE 6.
+	'\v': `\u000b`, // "\v" == "v" on IE 6.
+	'\f': `\f`,
+	'\r': `\r`,
+	0xe:  `\u000e`, 0xf: `\u000f`, 0x10: `\u0010`, 0x11: `\u0011`, 0x12: `\u0012`, 0x13: `\u0013`,
+	0x14: `\u0014`, 0x15: `\u0015`, 0x16: `\u0016`, 0x17: `\u0017`, 0x18: `\u0018`, 0x19: `\u0019`,
+	0x1a: `\u001a`, 0x1b: `\u001b`, 0x1c: `\u001c`, 0x1d: `\u001d`, 0x1e: `\u001e`, 0x1f: `\u001f`,
+}
+
+var jsStrReplacementTable = []string{
+	0:    `\u0000`,
+	'\t': `\t`,
+	'\n': `\n`,
+	'\v': `\u000b`, // "\v" == "v" on IE 6.
 	'\f': `\f`,
 	'\r': `\r`,
 	// Encode HTML specials as hex so the output can be embedded
 	// in HTML attributes without further encoding.
-	'"':  `\x22`,
-	'&':  `\x26`,
-	'\'': `\x27`,
-	'+':  `\x2b`,
+	'"':  `\u0022`,
+	'&':  `\u0026`,
+	'\'': `\u0027`,
+	'+':  `\u002b`,
 	'/':  `\/`,
-	'<':  `\x3c`,
-	'>':  `\x3e`,
+	'<':  `\u003c`,
+	'>':  `\u003e`,
 	'\\': `\\`,
 }

 // jsStrNormReplacementTable is like jsStrReplacementTable but does not
 // overencode existing escapes since this table has no entry for `\`.
 var jsStrNormReplacementTable = []string{
-	0:    `\0`,
+	0:    `\u0000`,
 	'\t': `\t`,
 	'\n': `\n`,
-	'\v': `\x0b`, // "\v" == "v" on IE 6.
+	'\v': `\u000b`, // "\v" == "v" on IE 6.
 	'\f': `\f`,
 	'\r': `\r`,
 	// Encode HTML specials as hex so the output can be embedded
 	// in HTML attributes without further encoding.
-	'"':  `\x22`,
-	'&':  `\x26`,
-	'\'': `\x27`,
-	'+':  `\x2b`,
+	'"':  `\u0022`,
+	'&':  `\u0026`,
+	'\'': `\u0027`,
+	'+':  `\u002b`,
 	'/':  `\/`,
-	'<':  `\x3c`,
-	'>':  `\x3e`,
+	'<':  `\u003c`,
+	'>':  `\u003e`,
 }
-
 var jsRegexpReplacementTable = []string{
-	0:    `\0`,
+	0:    `\u0000`,
 	'\t': `\t`,
 	'\n': `\n`,
-	'\v': `\x0b`, // "\v" == "v" on IE 6.
+	'\v': `\u000b`, // "\v" == "v" on IE 6.
 	'\f': `\f`,
 	'\r': `\r`,
 	// Encode HTML specials as hex so the output can be embedded
 	// in HTML attributes without further encoding.
-	'"':  `\x22`,
+	'"':  `\u0022`,
 	'$':  `\$`,
-	'&':  `\x26`,
-	'\'': `\x27`,
+	'&':  `\u0026`,
+	'\'': `\u0027`,
 	'(':  `\(`,
 	')':  `\)`,
 	'*':  `\*`,
-	'+':  `\x2b`,
+	'+':  `\u002b`,
 	'-':  `\-`,
 	'.':  `\.`,
 	'/':  `\/`,
-	'<':  `\x3c`,
-	'>':  `\x3e`,
+	'<':  `\u003c`,
+	'>':  `\u003e`,
 	'?':  `\?`,
 	'[':  `\[`,
 	'\\': `\\`,
@@ -384,11 +398,11 @@ func isJSType(mimeType string) bool {
 	//   https://tools.ietf.org/html/rfc7231#section-3.1.1
 	//   https://tools.ietf.org/html/rfc4329#section-3
 	//   https://www.ietf.org/rfc/rfc4627.txt
-	mimeType = strings.ToLower(mimeType)
 	// discard parameters
 	if i := strings.Index(mimeType, ";"); i >= 0 {
 		mimeType = mimeType[:i]
 	}
+	mimeType = strings.ToLower(mimeType)
 	mimeType = strings.TrimSpace(mimeType)
 	switch mimeType {
 	case