fix: Handle all different token types that the parser can emit (d'oh).
Martin Probst martin@probst.io
Thu, 01 May 2014 20:55:53 +0200
2 files changed,
18 insertions(+),
1 deletions(-)
M
inline_test.go
→
inline_test.go
@@ -201,6 +201,16 @@
"<iframe src=http://ha.ckers.org/scriptlet.html <", // The hyperlink gets linkified, the <iframe> gets escaped "<p><iframe src=<a href=\"http://ha.ckers.org/scriptlet.html\">http://ha.ckers.org/scriptlet.html</a> <</p>\n", + + // Additonal token types: SelfClosing, Comment, DocType. + "<br/>", + "<p><br></p>\n", + + "<!-- Comment -->", + "<!-- Comment -->\n", + + "<!DOCTYPE test>", + "<p><!DOCTYPE test></p>\n", } doTestsInlineParam(t, tests, 0, HTML_SKIP_STYLE|HTML_SANITIZE_OUTPUT) }
M
sanitize.go
→
sanitize.go
@@ -64,7 +64,7 @@ switch t {
case html.TextToken: // Text is written escaped. wr.WriteString(tokenizer.Token().String()) - case html.StartTagToken: + case html.SelfClosingTagToken, html.StartTagToken: // HTML tags are escaped unless whitelisted. tag, hasAttributes := tokenizer.TagName() tagName := string(tag)@@ -105,7 +105,14 @@ wr.Write(tokenizer.Raw())
} else { wr.WriteString(html.EscapeString(string(tokenizer.Raw()))) } + case html.CommentToken: + // Comments are not really expected, but harmless. + wr.Write(tokenizer.Raw()) + case html.DoctypeToken: + // Escape DOCTYPES, entities etc can be dangerous + wr.WriteString(html.EscapeString(string(tokenizer.Raw()))) default: + tokenizer.Token() panic(fmt.Errorf("Unexpected token type %v", t)) } }