// Copyright 2011 The Go Authors. All rights reserved. // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. package template import ( "bytes" "fmt" "strings" "unicode/utf8" ) // htmlNospaceEscaper escapes for inclusion in unquoted attribute values. func htmlNospaceEscaper(args ...any) string { s, t := stringify(args...) if t == contentTypeHTML { return htmlReplacer(stripTags(s), htmlNospaceNormReplacementTable, false) } return htmlReplacer(s, htmlNospaceReplacementTable, false) } // attrEscaper escapes for inclusion in quoted attribute values. func attrEscaper(args ...any) string { s, t := stringify(args...) if t == contentTypeHTML { return htmlReplacer(stripTags(s), htmlNormReplacementTable, true) } return htmlReplacer(s, htmlReplacementTable, true) } // rcdataEscaper escapes for inclusion in an RCDATA element body. func rcdataEscaper(args ...any) string { s, t := stringify(args...) if t == contentTypeHTML { return htmlReplacer(s, htmlNormReplacementTable, true) } return htmlReplacer(s, htmlReplacementTable, true) } // htmlEscaper escapes for inclusion in HTML text. func htmlEscaper(args ...any) string { s, t := stringify(args...) if t == contentTypeHTML { return s } return htmlReplacer(s, htmlReplacementTable, true) } // htmlReplacementTable contains the runes that need to be escaped // inside a quoted attribute value or in a text node. var htmlReplacementTable = []string{ // https://www.w3.org/TR/html5/syntax.html#attribute-value-(unquoted)-state // U+0000 NULL Parse error. Append a U+FFFD REPLACEMENT // CHARACTER character to the current attribute's value. // " // and similarly // https://www.w3.org/TR/html5/syntax.html#before-attribute-value-state 0: "\uFFFD", '"': """, '&': "&", '\'': "'", '+': "+", '<': "<", '>': ">", } // htmlNormReplacementTable is like htmlReplacementTable but without '&' to // avoid over-encoding existing entities. 
var htmlNormReplacementTable = []string{ 0: "\uFFFD", '"': """, '\'': "'", '+': "+", '<': "<", '>': ">", } // htmlNospaceReplacementTable contains the runes that need to be escaped // inside an unquoted attribute value. // The set of runes escaped is the union of the HTML specials and // those determined by running the JS below in browsers: //
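var htmlNospaceReplacementTable = []string{
	0:    "\uFFFD",
	// Whitespace ends an unquoted attribute value, so every ASCII
	// whitespace rune is encoded numerically.
	'\t': "&#9;",
	'\n': "&#10;",
	'\v': "&#11;",
	'\f': "&#12;",
	'\r': "&#13;",
	' ':  "&#32;",
	'"':  "&#34;",
	'&':  "&amp;",
	'\'': "&#39;",
	'+':  "&#43;",
	'<':  "&lt;",
	// '=' could otherwise start a new attribute name/value pair.
	'=': "&#61;",
	'>': "&gt;",
	// A parse error in the attribute value (unquoted) and
	// before attribute value states.
	// Treated as a quoting character by IE.
	'`': "&#96;",
}

// htmlNospaceNormReplacementTable is like htmlNospaceReplacementTable but
// without '&' to avoid over-encoding existing entities. It is used for
// HTML-typed content after stripTags has removed the markup.
var htmlNospaceNormReplacementTable = []string{
	0:    "\uFFFD",
	'\t': "&#9;",
	'\n': "&#10;",
	'\v': "&#11;",
	'\f': "&#12;",
	'\r': "&#13;",
	' ':  "&#32;",
	'"':  "&#34;",
	'\'': "&#39;",
	'+':  "&#43;",
	'<':  "&lt;",
	'=':  "&#61;",
	'>':  "&gt;",
	// A parse error in the attribute value (unquoted) and
	// before attribute value states.
	// Treated as a quoting character by IE.
	'`': "&#96;",
}

// htmlReplacer returns s with runes replaced according to replacementTable.
// A rune r with int(r) < len(replacementTable) is replaced by its table
// entry when that entry is non-empty; an empty entry means "pass through".
//
// Runes beyond the end of the table are normally passed through as well.
// The exception is the non-character ranges U+FDD0..U+FDEF and
// U+FFF0..U+FFFF: when badRunes is false (the unquoted-attribute callers)
// they are written as hexadecimal character references, because IE does not
// allow them in unquoted attribute values; when badRunes is true (quoted
// attributes, text nodes, RCDATA) they are allowed through unescaped.
//
// Invalid UTF-8 decodes to utf8.RuneError (U+FFFD) with a width of one
// byte, which falls in the second range above, so a stray byte becomes
// "&#xfffd;" in unquoted attributes and is copied through verbatim
// elsewhere. The copied-through slices of s are always aligned to the
// decoded widths, so no bytes are dropped or duplicated.
//
// If nothing needs replacing, s itself is returned without allocating.
func htmlReplacer(s string, replacementTable []string, badRunes bool) string {
	written, b := 0, new(strings.Builder)
	r, w := rune(0), 0
	for i := 0; i < len(s); i += w {
		// Cannot use 'for range s' because we need to preserve the width
		// of the runes in the input. If we see a decoding error, the input
		// width will not be utf8.RuneLen(r) and we would overrun the buffer.
		r, w = utf8.DecodeRuneInString(s[i:])
		if int(r) < len(replacementTable) {
			if repl := replacementTable[r]; len(repl) != 0 {
				if written == 0 {
					b.Grow(len(s))
				}
				b.WriteString(s[written:i])
				b.WriteString(repl)
				written = i + w
			}
		} else if badRunes {
			// No-op: in quoted attributes and text nodes these runes are
			// harmless, so they are left as they are.
		} else if 0xfdd0 <= r && r <= 0xfdef || 0xfff0 <= r && r <= 0xffff {
			// IE does not allow these ranges in unquoted attrs, so emit a
			// numeric character reference instead.
			if written == 0 {
				b.Grow(len(s))
			}
			fmt.Fprintf(b, "%s&#x%x;", s[written:i], r)
			written = i + w
		}
	}
	if written == 0 {
		return s
	}
	b.WriteString(s[written:])
	return b.String()
}

// stripTags takes a snippet of HTML and returns only the text content.
// For example, `<b>¡Hi!</b> <script>...</script>` -> `¡Hi! `.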
func stripTags(html string) string { var b bytes.Buffer s, c, i, allText := []byte(html), context{}, 0, true // Using the transition funcs helps us avoid mangling // `