
blackfriday fork with a few changes

fix: Handle all different token types that the parser can emit (d'oh).
Martin Probst martin@probst.io
Thu, 01 May 2014 20:55:53 +0200
commit

f9b7593e6588d77a12c6169932aa061b86bd4f97

parent

b44be784594d37dce56d17a088791d4b4b8d7354

2 files changed, 18 insertions(+), 1 deletions(-)

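--- a/inline_test.go
+++ b/inline_test.go
@@ -201,6 +201,16 @@
 		"<iframe src=http://ha.ckers.org/scriptlet.html <",
 		// The hyperlink gets linkified, the <iframe> gets escaped
 		"<p>&lt;iframe src=<a href=\"http://ha.ckers.org/scriptlet.html\">http://ha.ckers.org/scriptlet.html</a> &lt;</p>\n",
+
+		// Additonal token types: SelfClosing, Comment, DocType.
+		"<br/>",
+		"<p><br></p>\n",
+
+		"<!-- Comment -->",
+		"<!-- Comment -->\n",
+
+		"<!DOCTYPE test>",
+		"<p>&lt;!DOCTYPE test&gt;</p>\n",
 	}
 	doTestsInlineParam(t, tests, 0, HTML_SKIP_STYLE|HTML_SANITIZE_OUTPUT)
 }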
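Review bot: The comment introducing the new cases has a typo: `// Additonal token types: SelfClosing, Comment, DocType.` should read `// Additional token types: SelfClosing, Comment, DocType.`. The `<!-- Comment -->` expectation pins comments being emitted verbatim, which is a sanitizer policy decision worth stating beside the case, e.g. `// Comments pass through unescaped (see the CommentToken branch in sanitize.go); revisit if comment stripping is adopted.`. Self-closing coverage is only the void element `<br/>`; a non-void form such as `<div/>` would show whether the start-tag path handles the self-closing flag and is currently untested. The enclosing test function starts before the hunk.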
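--- a/sanitize.go
+++ b/sanitize.go
@@ -64,7 +64,7 @@ switch t {
 		case html.TextToken:
 			// Text is written escaped.
 			wr.WriteString(tokenizer.Token().String())
-		case html.StartTagToken:
+		case html.SelfClosingTagToken, html.StartTagToken:
 			// HTML tags are escaped unless whitelisted.
 			tag, hasAttributes := tokenizer.TagName()
 			tagName := string(tag)
@@ -105,7 +105,14 @@ wr.Write(tokenizer.Raw())
 			} else {
 				wr.WriteString(html.EscapeString(string(tokenizer.Raw())))
 			}
+		case html.CommentToken:
+			// Comments are not really expected, but harmless.
+			wr.Write(tokenizer.Raw())
+		case html.DoctypeToken:
+			// Escape DOCTYPES, entities etc can be dangerous
+			wr.WriteString(html.EscapeString(string(tokenizer.Raw())))
 		default:
+			tokenizer.Token()
 			panic(fmt.Errorf("Unexpected token type %v", t))
 		}
 	}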
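Review bot: The CommentToken branch in the second hunk forwards `tokenizer.Raw()` unescaped, which is the only place in this switch where untrusted bytes reach the output without passing the whitelist or `html.EscapeString`. The comment calls this harmless, but I believe the tokenizer also classifies bogus comments (`<?…>`, `<!…>`) as CommentToken, and legacy IE evaluated conditional comments as markup, so sanitizers usually drop comments rather than pass them through; either drop the token or treat it like the DocType branch, `wr.WriteString(html.EscapeString(string(tokenizer.Raw())))`, and adjust the test expectation accordingly. The `tokenizer.Token()` call added before the panic discards its result, so it only advances tokenizer state; if the intent was a more informative message, fold it in as `panic(fmt.Errorf("unexpected token type %v: %v", t, tokenizer.Token()))`, otherwise remove it. The enclosing switch and loop start before the first hunk, and the rest of the start-tag handling sits between the two hunks.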