Fix Go template script escaping

Fixes #6695
2025-08-31 22:41:53 +02:00 · 2020-05-23 15:32:27 +02:00
parent c34bf48560
commit 6c3c6686f5
27 changed files with 1090 additions and 292 deletions
--- a/tpl/internal/go_templates/htmltemplate/js_test.go
+++ b/tpl/internal/go_templates/htmltemplate/js_test.go
@@ -139,7 +139,7 @@ func TestJSValEscaper(t *testing.T) {
 		{"foo", `"foo"`},
 		// Newlines.
 		{"\r\n\u2028\u2029", `"\r\n\u2028\u2029"`},
-		// "\v" == "v" on IE 6 so use "\x0b" instead.
+		// "\v" == "v" on IE 6 so use "\u000b" instead.
 		{"\t\x0b", `"\t\u000b"`},
 		{struct{ X, Y int }{1, 2}, `{"X":1,"Y":2}`},
 		{[]interface{}{}, "[]"},
@@ -175,7 +175,7 @@ func TestJSStrEscaper(t *testing.T) {
 	}{
 		{"", ``},
 		{"foo", `foo`},
-		{"\u0000", `\0`},
+		{"\u0000", `\u0000`},
 		{"\t", `\t`},
 		{"\n", `\n`},
 		{"\r", `\r`},
@@ -185,14 +185,14 @@ func TestJSStrEscaper(t *testing.T) {
 		{"\\n", `\\n`},
 		{"foo\r\nbar", `foo\r\nbar`},
 		// Preserve attribute boundaries.
-		{`"`, `\x22`},
-		{`'`, `\x27`},
+		{`"`, `\u0022`},
+		{`'`, `\u0027`},
 		// Allow embedding in HTML without further escaping.
-		{`&amp;`, `\x26amp;`},
+		{`&amp;`, `\u0026amp;`},
 		// Prevent breaking out of text node and element boundaries.
-		{"</script>", `\x3c\/script\x3e`},
-		{"<![CDATA[", `\x3c![CDATA[`},
-		{"]]>", `]]\x3e`},
+		{"</script>", `\u003c\/script\u003e`},
+		{"<![CDATA[", `\u003c![CDATA[`},
+		{"]]>", `]]\u003e`},
 		// https://dev.w3.org/html5/markup/aria/syntax.html#escaping-text-span
 		//   "The text in style, script, title, and textarea elements
 		//   must not have an escaping text span start that is not
@@ -203,11 +203,11 @@ func TestJSStrEscaper(t *testing.T) {
 		// allow regular text content to be interpreted as script
 		// allowing script execution via a combination of a JS string
 		// injection followed by an HTML text injection.
-		{"<!--", `\x3c!--`},
-		{"-->", `--\x3e`},
+		{"<!--", `\u003c!--`},
+		{"-->", `--\u003e`},
 		// From https://code.google.com/p/doctype/wiki/ArticleUtf7
 		{"+ADw-script+AD4-alert(1)+ADw-/script+AD4-",
-			`\x2bADw-script\x2bAD4-alert(1)\x2bADw-\/script\x2bAD4-`,
+			`\u002bADw-script\u002bAD4-alert(1)\u002bADw-\/script\u002bAD4-`,
 		},
 		// Invalid UTF-8 sequence
 		{"foo\xA0bar", "foo\xA0bar"},
@@ -230,7 +230,7 @@ func TestJSRegexpEscaper(t *testing.T) {
 	}{
 		{"", `(?:)`},
 		{"foo", `foo`},
-		{"\u0000", `\0`},
+		{"\u0000", `\u0000`},
 		{"\t", `\t`},
 		{"\n", `\n`},
 		{"\r", `\r`},
@@ -240,19 +240,19 @@ func TestJSRegexpEscaper(t *testing.T) {
 		{"\\n", `\\n`},
 		{"foo\r\nbar", `foo\r\nbar`},
 		// Preserve attribute boundaries.
-		{`"`, `\x22`},
-		{`'`, `\x27`},
+		{`"`, `\u0022`},
+		{`'`, `\u0027`},
 		// Allow embedding in HTML without further escaping.
-		{`&amp;`, `\x26amp;`},
+		{`&amp;`, `\u0026amp;`},
 		// Prevent breaking out of text node and element boundaries.
-		{"</script>", `\x3c\/script\x3e`},
-		{"<![CDATA[", `\x3c!\[CDATA\[`},
-		{"]]>", `\]\]\x3e`},
+		{"</script>", `\u003c\/script\u003e`},
+		{"<![CDATA[", `\u003c!\[CDATA\[`},
+		{"]]>", `\]\]\u003e`},
 		// Escaping text spans.
-		{"<!--", `\x3c!\-\-`},
-		{"-->", `\-\-\x3e`},
+		{"<!--", `\u003c!\-\-`},
+		{"-->", `\-\-\u003e`},
 		{"*", `\*`},
-		{"+", `\x2b`},
+		{"+", `\u002b`},
 		{"?", `\?`},
 		{"[](){}", `\[\]\(\)\{\}`},
 		{"$foo|x.y", `\$foo\|x\.y`},
@@ -286,27 +286,27 @@ func TestEscapersOnLower7AndSelectHighCodepoints(t *testing.T) {
 		{
 			"jsStrEscaper",
 			jsStrEscaper,
-			"\\0\x01\x02\x03\x04\x05\x06\x07" +
-				"\x08\\t\\n\\x0b\\f\\r\x0E\x0F" +
-				"\x10\x11\x12\x13\x14\x15\x16\x17" +
-				"\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" +
-				` !\x22#$%\x26\x27()*\x2b,-.\/` +
-				`0123456789:;\x3c=\x3e?` +
+			`\u0000\u0001\u0002\u0003\u0004\u0005\u0006\u0007` +
+				`\u0008\t\n\u000b\f\r\u000e\u000f` +
+				`\u0010\u0011\u0012\u0013\u0014\u0015\u0016\u0017` +
+				`\u0018\u0019\u001a\u001b\u001c\u001d\u001e\u001f` +
+				` !\u0022#$%\u0026\u0027()*\u002b,-.\/` +
+				`0123456789:;\u003c=\u003e?` +
 				`@ABCDEFGHIJKLMNO` +
 				`PQRSTUVWXYZ[\\]^_` +
 				"`abcdefghijklmno" +
-				"pqrstuvwxyz{|}~\x7f" +
+				"pqrstuvwxyz{|}~\u007f" +
 				"\u00A0\u0100\\u2028\\u2029\ufeff\U0001D11E",
 		},
 		{
 			"jsRegexpEscaper",
 			jsRegexpEscaper,
-			"\\0\x01\x02\x03\x04\x05\x06\x07" +
-				"\x08\\t\\n\\x0b\\f\\r\x0E\x0F" +
-				"\x10\x11\x12\x13\x14\x15\x16\x17" +
-				"\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" +
-				` !\x22#\$%\x26\x27\(\)\*\x2b,\-\.\/` +
-				`0123456789:;\x3c=\x3e\?` +
+			`\u0000\u0001\u0002\u0003\u0004\u0005\u0006\u0007` +
+				`\u0008\t\n\u000b\f\r\u000e\u000f` +
+				`\u0010\u0011\u0012\u0013\u0014\u0015\u0016\u0017` +
+				`\u0018\u0019\u001a\u001b\u001c\u001d\u001e\u001f` +
+				` !\u0022#\$%\u0026\u0027\(\)\*\u002b,\-\.\/` +
+				`0123456789:;\u003c=\u003e\?` +
 				`@ABCDEFGHIJKLMNO` +
 				`PQRSTUVWXYZ\[\\\]\^_` +
 				"`abcdefghijklmno" +