mirror of
https://github.com/gohugoio/hugo.git
synced 2024-12-29 12:22:06 +00:00
ee359df172
The template packages are based on go1.20.5 with the patch in befec5ddbbfbd81ec84e74e15a38044d67f8785b added. This also includes a security fix that now disallows Go template actions in JS literals (inside backticks). This will throw an error saying "... appears in a JS template literal". If you're really sure this isn't a security risk in your case, you can revert to the old behaviour: ```toml [security] [security.gotemplates] allowActionJSTmpl = true ``` See https://github.com/golang/go/issues/59234 Fixes #11112
428 lines
12 KiB
Go
428 lines
12 KiB
Go
// Copyright 2011 The Go Authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style
|
|
// license that can be found in the LICENSE file.
|
|
|
|
//go:build go1.13 && !windows
|
|
// +build go1.13,!windows
|
|
|
|
package template
|
|
|
|
import (
|
|
"math"
|
|
"strings"
|
|
"testing"
|
|
)
|
|
|
|
func TestNextJsCtx(t *testing.T) {
|
|
tests := []struct {
|
|
jsCtx jsCtx
|
|
s string
|
|
}{
|
|
// Statement terminators precede regexps.
|
|
{jsCtxRegexp, ";"},
|
|
// This is not airtight.
|
|
// ({ valueOf: function () { return 1 } } / 2)
|
|
// is valid JavaScript but in practice, devs do not do this.
|
|
// A block followed by a statement starting with a RegExp is
|
|
// much more common:
|
|
// while (x) {...} /foo/.test(x) || panic()
|
|
{jsCtxRegexp, "}"},
|
|
// But member, call, grouping, and array expression terminators
|
|
// precede div ops.
|
|
{jsCtxDivOp, ")"},
|
|
{jsCtxDivOp, "]"},
|
|
// At the start of a primary expression, array, or expression
|
|
// statement, expect a regexp.
|
|
{jsCtxRegexp, "("},
|
|
{jsCtxRegexp, "["},
|
|
{jsCtxRegexp, "{"},
|
|
// Assignment operators precede regexps as do all exclusively
|
|
// prefix and binary operators.
|
|
{jsCtxRegexp, "="},
|
|
{jsCtxRegexp, "+="},
|
|
{jsCtxRegexp, "*="},
|
|
{jsCtxRegexp, "*"},
|
|
{jsCtxRegexp, "!"},
|
|
// Whether the + or - is infix or prefix, it cannot precede a
|
|
// div op.
|
|
{jsCtxRegexp, "+"},
|
|
{jsCtxRegexp, "-"},
|
|
// An incr/decr op precedes a div operator.
|
|
// This is not airtight. In (g = ++/h/i) a regexp follows a
|
|
// pre-increment operator, but in practice devs do not try to
|
|
// increment or decrement regular expressions.
|
|
// (g++/h/i) where ++ is a postfix operator on g is much more
|
|
// common.
|
|
{jsCtxDivOp, "--"},
|
|
{jsCtxDivOp, "++"},
|
|
{jsCtxDivOp, "x--"},
|
|
// When we have many dashes or pluses, then they are grouped
|
|
// left to right.
|
|
{jsCtxRegexp, "x---"}, // A postfix -- then a -.
|
|
// return followed by a slash returns the regexp literal or the
|
|
// slash starts a regexp literal in an expression statement that
|
|
// is dead code.
|
|
{jsCtxRegexp, "return"},
|
|
{jsCtxRegexp, "return "},
|
|
{jsCtxRegexp, "return\t"},
|
|
{jsCtxRegexp, "return\n"},
|
|
{jsCtxRegexp, "return\u2028"},
|
|
// Identifiers can be divided and cannot validly be preceded by
|
|
// a regular expressions. Semicolon insertion cannot happen
|
|
// between an identifier and a regular expression on a new line
|
|
// because the one token lookahead for semicolon insertion has
|
|
// to conclude that it could be a div binary op and treat it as
|
|
// such.
|
|
{jsCtxDivOp, "x"},
|
|
{jsCtxDivOp, "x "},
|
|
{jsCtxDivOp, "x\t"},
|
|
{jsCtxDivOp, "x\n"},
|
|
{jsCtxDivOp, "x\u2028"},
|
|
{jsCtxDivOp, "preturn"},
|
|
// Numbers precede div ops.
|
|
{jsCtxDivOp, "0"},
|
|
// Dots that are part of a number are div preceders.
|
|
{jsCtxDivOp, "0."},
|
|
// Some JS interpreters treat NBSP as a normal space, so
|
|
// we must too in order to properly escape things.
|
|
{jsCtxRegexp, "=\u00A0"},
|
|
}
|
|
|
|
for _, test := range tests {
|
|
if ctx := nextJSCtx([]byte(test.s), jsCtxRegexp); ctx != test.jsCtx {
|
|
t.Errorf("%q: want %s got %s", test.s, test.jsCtx, ctx)
|
|
}
|
|
if ctx := nextJSCtx([]byte(test.s), jsCtxDivOp); ctx != test.jsCtx {
|
|
t.Errorf("%q: want %s got %s", test.s, test.jsCtx, ctx)
|
|
}
|
|
}
|
|
|
|
if nextJSCtx([]byte(" "), jsCtxRegexp) != jsCtxRegexp {
|
|
t.Error("Blank tokens")
|
|
}
|
|
|
|
if nextJSCtx([]byte(" "), jsCtxDivOp) != jsCtxDivOp {
|
|
t.Error("Blank tokens")
|
|
}
|
|
}
|
|
|
|
func TestJSValEscaper(t *testing.T) {
|
|
tests := []struct {
|
|
x any
|
|
js string
|
|
}{
|
|
{int(42), " 42 "},
|
|
{uint(42), " 42 "},
|
|
{int16(42), " 42 "},
|
|
{uint16(42), " 42 "},
|
|
{int32(-42), " -42 "},
|
|
{uint32(42), " 42 "},
|
|
{int16(-42), " -42 "},
|
|
{uint16(42), " 42 "},
|
|
{int64(-42), " -42 "},
|
|
{uint64(42), " 42 "},
|
|
{uint64(1) << 53, " 9007199254740992 "},
|
|
// ulp(1 << 53) > 1 so this loses precision in JS
|
|
// but it is still a representable integer literal.
|
|
{uint64(1)<<53 + 1, " 9007199254740993 "},
|
|
{float32(1.0), " 1 "},
|
|
{float32(-1.0), " -1 "},
|
|
{float32(0.5), " 0.5 "},
|
|
{float32(-0.5), " -0.5 "},
|
|
{float32(1.0) / float32(256), " 0.00390625 "},
|
|
{float32(0), " 0 "},
|
|
{math.Copysign(0, -1), " -0 "},
|
|
{float64(1.0), " 1 "},
|
|
{float64(-1.0), " -1 "},
|
|
{float64(0.5), " 0.5 "},
|
|
{float64(-0.5), " -0.5 "},
|
|
{float64(0), " 0 "},
|
|
{math.Copysign(0, -1), " -0 "},
|
|
{"", `""`},
|
|
{"foo", `"foo"`},
|
|
// Newlines.
|
|
{"\r\n\u2028\u2029", `"\r\n\u2028\u2029"`},
|
|
// "\v" == "v" on IE 6 so use "\u000b" instead.
|
|
{"\t\x0b", `"\t\u000b"`},
|
|
{struct{ X, Y int }{1, 2}, `{"X":1,"Y":2}`},
|
|
{[]any{}, "[]"},
|
|
{[]any{42, "foo", nil}, `[42,"foo",null]`},
|
|
{[]string{"<!--", "</script>", "-->"}, `["\u003c!--","\u003c/script\u003e","--\u003e"]`},
|
|
{"<!--", `"\u003c!--"`},
|
|
{"-->", `"--\u003e"`},
|
|
{"<![CDATA[", `"\u003c![CDATA["`},
|
|
{"]]>", `"]]\u003e"`},
|
|
{"</script", `"\u003c/script"`},
|
|
{"\U0001D11E", "\"\U0001D11E\""}, // or "\uD834\uDD1E"
|
|
{nil, " null "},
|
|
}
|
|
|
|
for _, test := range tests {
|
|
if js := jsValEscaper(test.x); js != test.js {
|
|
t.Errorf("%+v: want\n\t%q\ngot\n\t%q", test.x, test.js, js)
|
|
}
|
|
// Make sure that escaping corner cases are not broken
|
|
// by nesting.
|
|
a := []any{test.x}
|
|
want := "[" + strings.TrimSpace(test.js) + "]"
|
|
if js := jsValEscaper(a); js != want {
|
|
t.Errorf("%+v: want\n\t%q\ngot\n\t%q", a, want, js)
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestJSStrEscaper(t *testing.T) {
|
|
tests := []struct {
|
|
x any
|
|
esc string
|
|
}{
|
|
{"", ``},
|
|
{"foo", `foo`},
|
|
{"\u0000", `\u0000`},
|
|
{"\t", `\t`},
|
|
{"\n", `\n`},
|
|
{"\r", `\r`},
|
|
{"\u2028", `\u2028`},
|
|
{"\u2029", `\u2029`},
|
|
{"\\", `\\`},
|
|
{"\\n", `\\n`},
|
|
{"foo\r\nbar", `foo\r\nbar`},
|
|
// Preserve attribute boundaries.
|
|
{`"`, `\u0022`},
|
|
{`'`, `\u0027`},
|
|
// Allow embedding in HTML without further escaping.
|
|
{`&`, `\u0026amp;`},
|
|
// Prevent breaking out of text node and element boundaries.
|
|
{"</script>", `\u003c\/script\u003e`},
|
|
{"<![CDATA[", `\u003c![CDATA[`},
|
|
{"]]>", `]]\u003e`},
|
|
// https://dev.w3.org/html5/markup/aria/syntax.html#escaping-text-span
|
|
// "The text in style, script, title, and textarea elements
|
|
// must not have an escaping text span start that is not
|
|
// followed by an escaping text span end."
|
|
// Furthermore, spoofing an escaping text span end could lead
|
|
// to different interpretation of a </script> sequence otherwise
|
|
// masked by the escaping text span, and spoofing a start could
|
|
// allow regular text content to be interpreted as script
|
|
// allowing script execution via a combination of a JS string
|
|
// injection followed by an HTML text injection.
|
|
{"<!--", `\u003c!--`},
|
|
{"-->", `--\u003e`},
|
|
// From https://code.google.com/p/doctype/wiki/ArticleUtf7
|
|
{"+ADw-script+AD4-alert(1)+ADw-/script+AD4-",
|
|
`\u002bADw-script\u002bAD4-alert(1)\u002bADw-\/script\u002bAD4-`,
|
|
},
|
|
// Invalid UTF-8 sequence
|
|
{"foo\xA0bar", "foo\xA0bar"},
|
|
// Invalid unicode scalar value.
|
|
{"foo\xed\xa0\x80bar", "foo\xed\xa0\x80bar"},
|
|
}
|
|
|
|
for _, test := range tests {
|
|
esc := jsStrEscaper(test.x)
|
|
if esc != test.esc {
|
|
t.Errorf("%q: want %q got %q", test.x, test.esc, esc)
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestJSRegexpEscaper(t *testing.T) {
|
|
tests := []struct {
|
|
x any
|
|
esc string
|
|
}{
|
|
{"", `(?:)`},
|
|
{"foo", `foo`},
|
|
{"\u0000", `\u0000`},
|
|
{"\t", `\t`},
|
|
{"\n", `\n`},
|
|
{"\r", `\r`},
|
|
{"\u2028", `\u2028`},
|
|
{"\u2029", `\u2029`},
|
|
{"\\", `\\`},
|
|
{"\\n", `\\n`},
|
|
{"foo\r\nbar", `foo\r\nbar`},
|
|
// Preserve attribute boundaries.
|
|
{`"`, `\u0022`},
|
|
{`'`, `\u0027`},
|
|
// Allow embedding in HTML without further escaping.
|
|
{`&`, `\u0026amp;`},
|
|
// Prevent breaking out of text node and element boundaries.
|
|
{"</script>", `\u003c\/script\u003e`},
|
|
{"<![CDATA[", `\u003c!\[CDATA\[`},
|
|
{"]]>", `\]\]\u003e`},
|
|
// Escaping text spans.
|
|
{"<!--", `\u003c!\-\-`},
|
|
{"-->", `\-\-\u003e`},
|
|
{"*", `\*`},
|
|
{"+", `\u002b`},
|
|
{"?", `\?`},
|
|
{"[](){}", `\[\]\(\)\{\}`},
|
|
{"$foo|x.y", `\$foo\|x\.y`},
|
|
{"x^y", `x\^y`},
|
|
}
|
|
|
|
for _, test := range tests {
|
|
esc := jsRegexpEscaper(test.x)
|
|
if esc != test.esc {
|
|
t.Errorf("%q: want %q got %q", test.x, test.esc, esc)
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestEscapersOnLower7AndSelectHighCodepoints(t *testing.T) {
|
|
input := ("\x00\x01\x02\x03\x04\x05\x06\x07\x08\t\n\x0b\x0c\r\x0e\x0f" +
|
|
"\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" +
|
|
` !"#$%&'()*+,-./` +
|
|
`0123456789:;<=>?` +
|
|
`@ABCDEFGHIJKLMNO` +
|
|
`PQRSTUVWXYZ[\]^_` +
|
|
"`abcdefghijklmno" +
|
|
"pqrstuvwxyz{|}~\x7f" +
|
|
"\u00A0\u0100\u2028\u2029\ufeff\U0001D11E")
|
|
|
|
tests := []struct {
|
|
name string
|
|
escaper func(...any) string
|
|
escaped string
|
|
}{
|
|
{
|
|
"jsStrEscaper",
|
|
jsStrEscaper,
|
|
`\u0000\u0001\u0002\u0003\u0004\u0005\u0006\u0007` +
|
|
`\u0008\t\n\u000b\f\r\u000e\u000f` +
|
|
`\u0010\u0011\u0012\u0013\u0014\u0015\u0016\u0017` +
|
|
`\u0018\u0019\u001a\u001b\u001c\u001d\u001e\u001f` +
|
|
` !\u0022#$%\u0026\u0027()*\u002b,-.\/` +
|
|
`0123456789:;\u003c=\u003e?` +
|
|
`@ABCDEFGHIJKLMNO` +
|
|
`PQRSTUVWXYZ[\\]^_` +
|
|
"\\u0060abcdefghijklmno" +
|
|
"pqrstuvwxyz{|}~\u007f" +
|
|
"\u00A0\u0100\\u2028\\u2029\ufeff\U0001D11E",
|
|
},
|
|
{
|
|
"jsRegexpEscaper",
|
|
jsRegexpEscaper,
|
|
`\u0000\u0001\u0002\u0003\u0004\u0005\u0006\u0007` +
|
|
`\u0008\t\n\u000b\f\r\u000e\u000f` +
|
|
`\u0010\u0011\u0012\u0013\u0014\u0015\u0016\u0017` +
|
|
`\u0018\u0019\u001a\u001b\u001c\u001d\u001e\u001f` +
|
|
` !\u0022#\$%\u0026\u0027\(\)\*\u002b,\-\.\/` +
|
|
`0123456789:;\u003c=\u003e\?` +
|
|
`@ABCDEFGHIJKLMNO` +
|
|
`PQRSTUVWXYZ\[\\\]\^_` +
|
|
"`abcdefghijklmno" +
|
|
`pqrstuvwxyz\{\|\}~` + "\u007f" +
|
|
"\u00A0\u0100\\u2028\\u2029\ufeff\U0001D11E",
|
|
},
|
|
}
|
|
|
|
for _, test := range tests {
|
|
if s := test.escaper(input); s != test.escaped {
|
|
t.Errorf("%s once: want\n\t%q\ngot\n\t%q", test.name, test.escaped, s)
|
|
continue
|
|
}
|
|
|
|
// Escape it rune by rune to make sure that any
|
|
// fast-path checking does not break escaping.
|
|
var buf strings.Builder
|
|
for _, c := range input {
|
|
buf.WriteString(test.escaper(string(c)))
|
|
}
|
|
|
|
if s := buf.String(); s != test.escaped {
|
|
t.Errorf("%s rune-wise: want\n\t%q\ngot\n\t%q", test.name, test.escaped, s)
|
|
continue
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestIsJsMimeType(t *testing.T) {
|
|
tests := []struct {
|
|
in string
|
|
out bool
|
|
}{
|
|
{"application/javascript;version=1.8", true},
|
|
{"application/javascript;version=1.8;foo=bar", true},
|
|
{"application/javascript/version=1.8", false},
|
|
{"text/javascript", true},
|
|
{"application/json", true},
|
|
{"application/ld+json", true},
|
|
{"module", true},
|
|
}
|
|
|
|
for _, test := range tests {
|
|
if isJSType(test.in) != test.out {
|
|
t.Errorf("isJSType(%q) = %v, want %v", test.in, !test.out, test.out)
|
|
}
|
|
}
|
|
}
|
|
|
|
func BenchmarkJSValEscaperWithNum(b *testing.B) {
|
|
for i := 0; i < b.N; i++ {
|
|
jsValEscaper(3.141592654)
|
|
}
|
|
}
|
|
|
|
func BenchmarkJSValEscaperWithStr(b *testing.B) {
|
|
for i := 0; i < b.N; i++ {
|
|
jsValEscaper("The <i>quick</i>,\r\n<span style='color:brown'>brown</span> fox jumps\u2028over the <canine class=\"lazy\">dog</canine>")
|
|
}
|
|
}
|
|
|
|
func BenchmarkJSValEscaperWithStrNoSpecials(b *testing.B) {
|
|
for i := 0; i < b.N; i++ {
|
|
jsValEscaper("The quick, brown fox jumps over the lazy dog")
|
|
}
|
|
}
|
|
|
|
func BenchmarkJSValEscaperWithObj(b *testing.B) {
|
|
o := struct {
|
|
S string
|
|
N int
|
|
}{
|
|
"The <i>quick</i>,\r\n<span style='color:brown'>brown</span> fox jumps\u2028over the <canine class=\"lazy\">dog</canine>\u2028",
|
|
42,
|
|
}
|
|
for i := 0; i < b.N; i++ {
|
|
jsValEscaper(o)
|
|
}
|
|
}
|
|
|
|
func BenchmarkJSValEscaperWithObjNoSpecials(b *testing.B) {
|
|
o := struct {
|
|
S string
|
|
N int
|
|
}{
|
|
"The quick, brown fox jumps over the lazy dog",
|
|
42,
|
|
}
|
|
for i := 0; i < b.N; i++ {
|
|
jsValEscaper(o)
|
|
}
|
|
}
|
|
|
|
func BenchmarkJSStrEscaperNoSpecials(b *testing.B) {
|
|
for i := 0; i < b.N; i++ {
|
|
jsStrEscaper("The quick, brown fox jumps over the lazy dog.")
|
|
}
|
|
}
|
|
|
|
func BenchmarkJSStrEscaper(b *testing.B) {
|
|
for i := 0; i < b.N; i++ {
|
|
jsStrEscaper("The <i>quick</i>,\r\n<span style='color:brown'>brown</span> fox jumps\u2028over the <canine class=\"lazy\">dog</canine>")
|
|
}
|
|
}
|
|
|
|
func BenchmarkJSRegexpEscaperNoSpecials(b *testing.B) {
|
|
for i := 0; i < b.N; i++ {
|
|
jsRegexpEscaper("The quick, brown fox jumps over the lazy dog")
|
|
}
|
|
}
|
|
|
|
func BenchmarkJSRegexpEscaper(b *testing.B) {
|
|
for i := 0; i < b.N; i++ {
|
|
jsRegexpEscaper("The <i>quick</i>,\r\n<span style='color:brown'>brown</span> fox jumps\u2028over the <canine class=\"lazy\">dog</canine>")
|
|
}
|
|
}
|