// Copyright 2011 The Go Authors. All rights reserved. // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. // +build go1.13,!windows package template import ( "bytes" "fmt" htmltemplate "html/template" "strings" "testing" ) func TestTypedContent(t *testing.T) { data := []interface{}{ ` "foo%" O'Reilly &bar;`, htmltemplate.CSS(`a[href =~ "//example.com"]#foo`), htmltemplate.HTML(`Hello, World &tc!`), htmltemplate.HTMLAttr(` dir="ltr"`), htmltemplate.JS(`c && alert("Hello, World!");`), htmltemplate.JSStr(`Hello, World & O'Reilly\x21`), htmltemplate.URL(`greeting=H%69,&addressee=(World)`), htmltemplate.Srcset(`greeting=H%69,&addressee=(World) 2x, https://golang.org/favicon.ico 500.5w`), htmltemplate.URL(`,foo/,`), } // For each content sensitive escaper, see how it does on // each of the typed strings above. tests := []struct { // A template containing a single {{.}}. input string want []string }{ { ``, []string{ `ZgotmplZ`, // Allowed but not escaped. `a[href =~ "//example.com"]#foo`, `ZgotmplZ`, `ZgotmplZ`, `ZgotmplZ`, `ZgotmplZ`, `ZgotmplZ`, `ZgotmplZ`, `ZgotmplZ`, }, }, { `
`, []string{ `ZgotmplZ`, // Allowed and HTML escaped. `a[href =~ "//example.com"]#foo`, `ZgotmplZ`, `ZgotmplZ`, `ZgotmplZ`, `ZgotmplZ`, `ZgotmplZ`, `ZgotmplZ`, `ZgotmplZ`, }, }, { `{{.}}`, []string{ `<b> "foo%" O'Reilly &bar;`, `a[href =~ "//example.com"]#foo`, // Not escaped. `Hello, World &tc!`, ` dir="ltr"`, `c && alert("Hello, World!");`, `Hello, World & O'Reilly\x21`, `greeting=H%69,&addressee=(World)`, `greeting=H%69,&addressee=(World) 2x, https://golang.org/favicon.ico 500.5w`, `,foo/,`, }, }, { ``, []string{ `ZgotmplZ`, `ZgotmplZ`, `ZgotmplZ`, // Allowed and HTML escaped. ` dir="ltr"`, `ZgotmplZ`, `ZgotmplZ`, `ZgotmplZ`, `ZgotmplZ`, `ZgotmplZ`, }, }, { ``, []string{ `<b> "foo%" O'Reilly &bar;`, `a[href =~ "//example.com"]#foo`, // Tags stripped, spaces escaped, entity not re-escaped. `Hello, World &tc!`, ` dir="ltr"`, `c && alert("Hello, World!");`, `Hello, World & O'Reilly\x21`, `greeting=H%69,&addressee=(World)`, `greeting=H%69,&addressee=(World) 2x, https://golang.org/favicon.ico 500.5w`, `,foo/,`, }, }, { ``, []string{ `<b> "foo%" O'Reilly &bar;`, `a[href =~ "//example.com"]#foo`, // Tags stripped, entity not re-escaped. `Hello, World &tc!`, ` dir="ltr"`, `c && alert("Hello, World!");`, `Hello, World & O'Reilly\x21`, `greeting=H%69,&addressee=(World)`, `greeting=H%69,&addressee=(World) 2x, https://golang.org/favicon.ico 500.5w`, `,foo/,`, }, }, { ``, []string{ `<b> "foo%" O'Reilly &bar;`, `a[href =~ "//example.com"]#foo`, // Angle brackets escaped to prevent injection of close tags, entity not re-escaped. `Hello, <b>World</b> &tc!`, ` dir="ltr"`, `c && alert("Hello, World!");`, `Hello, World & O'Reilly\x21`, `greeting=H%69,&addressee=(World)`, `greeting=H%69,&addressee=(World) 2x, https://golang.org/favicon.ico 500.5w`, `,foo/,`, }, }, { ``, []string{ `"\u003cb\u003e \"foo%\" O'Reilly \u0026bar;"`, `"a[href =~ \"//example.com\"]#foo"`, `"Hello, \u003cb\u003eWorld\u003c/b\u003e \u0026amp;tc!"`, `" dir=\"ltr\""`, // Not escaped. `c && alert("Hello, World!");`, // Escape sequence not over-escaped. `"Hello, World & O'Reilly\x21"`, `"greeting=H%69,\u0026addressee=(World)"`, `"greeting=H%69,\u0026addressee=(World) 2x, https://golang.org/favicon.ico 500.5w"`, `",foo/,"`, }, }, { `