feat: write self-closing tags with a `/>`. Adds tests for self-closing tags, both for correct writing and for correct sanitization, i.e. stripping attributes on them.
Martin Probst martin@probst.io
Sat, 03 May 2014 12:58:25 +0200
2 files changed,
21 insertions(+),
5 deletions(-)
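--- a/inline_test.go
+++ b/inline_test.go
@@ -204,16 +204,13 @@ "<p><iframe src=<a href=\"http://ha.ckers.org/scriptlet.html\">http://ha.ckers.org/scriptlet.html</a> <</p>\n",
 // Additonal token types: SelfClosing, Comment, DocType.
 "<br/>",
-"<p><br></p>\n",
+"<p><br/></p>\n",
 "<!-- Comment -->",
 "<!-- Comment -->\n",
 "<!DOCTYPE test>",
 "<p><!DOCTYPE test></p>\n",
-
-"<hr>",
-"<hr>\n",
 }
 doTestsInlineParam(t, tests, 0, HTML_SKIP_STYLE|HTML_SANITIZE_OUTPUT)
 }
@@ -225,6 +222,21 @@ "<p>Here are some "quotes".</p>\n",
 "<p>Here are some “quotes”.</p>\n",
 "<p>Here are some \u201Cquotes\u201D.</p>\n",
+}
+doTestsInlineParam(t, tests, 0, HTML_SKIP_STYLE|HTML_SANITIZE_OUTPUT)
+}
+
+func TestSanitizeSelfClosingTag(t *testing.T) {
+tests := []string{
+"<hr>\n",
+"<hr>\n",
+
+"<hr/>\n",
+"<hr/>\n",
+
+// Make sure that evil attributes are stripped for self closing tags.
+"<hr onclick=\"evil()\"/>\n",
+"<hr/>\n",
 }
 doTestsInlineParam(t, tests, 0, HTML_SKIP_STYLE|HTML_SANITIZE_OUTPUT)
 }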
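Review bot: `TestSanitizeSelfClosingTag` in the second hunk has no doc comment, and its first pair (`"<hr>\n"` → `"<hr>\n"`) pins a behaviour that is easy to misread: a plain void start tag stays `<hr>` and is not rewritten to `<hr/>`, so the test is about preserving the token form, not normalising it. A comment above the function such as `// TestSanitizeSelfClosingTag checks that a self-closing tag keeps its "/>" form after sanitization and that its attributes are still stripped.` would make the intent of all three pairs clear, and the first pair could carry `// A plain <hr> start tag is not rewritten as self-closing.` The only attribute-stripping case uses `onclick`; a second pair with a different attribute name would show the stripping is not specific to event handlers, if the sanitizer's attribute policy (not visible here) strips all of them on this tag. The `// Additonal token types` comment in the first hunk is context rather than new code, but its typo (`Additional`) could be fixed in passing.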
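--- a/sanitize.go
+++ b/sanitize.go
@@ -103,7 +103,11 @@ wr.WriteString(html.EscapeString(string(val)))
 wr.WriteByte('"')
 }
 }
-wr.WriteString(">")
+if t == html.SelfClosingTagToken {
+wr.WriteString("/>")
+} else {
+wr.WriteString(">")
+}
 } else {
 wr.WriteString(html.EscapeString(string(tokenizer.Raw())))
 }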
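Review bot: The new branch that emits `/>` for `html.SelfClosingTagToken` has no comment saying why the self-closing form is preserved rather than normalised to `>`, and `t` is assigned outside the hunk, so a reader of this block has to trust that it is the tokenizer's token type (it presumably is, given the `tokenizer.Raw()` call in the else branch). What makes this safe is visible in the hunk: the branch runs after the attribute loop that ends in `wr.WriteByte('"')`, so the serialised tag contains only the attributes that loop chose to write, and the trailing slash cannot smuggle anything past it. Suggested comment above the `if`: `// Keep the self-closing form the tokenizer saw (e.g. <br/>); only the attributes written above survive, and HTML5 parsers ignore the trailing slash, so the resulting tree is unchanged.` The enclosing function starts and ends outside the hunk.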