
html/template: URL escapes query params #17894

Closed
rudydai opened this issue Nov 11, 2016 · 3 comments
Labels
FrozenDueToAge NeedsDecision Feedback is required from experts, contributors, and/or the community before a change can be made. NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.

Comments

rudydai commented Nov 11, 2016

Please answer these questions before submitting your issue. Thanks!

What version of Go are you using (go version)?

The version available on play.golang.org, which appears to be version 1.7

What operating system and processor architecture are you using (go env)?

Whatever play.golang.org uses

What did you do?

If possible, provide a recipe for reproducing the error.
A complete runnable program is good.
A link on play.golang.org is best.

https://play.golang.org/p/or2urL8dh0

What did you expect to see?

Expected to see the url pass through the template without being escaped, as documented in https://golang.org/pkg/html/template/ which states "Types HTML, JS, URL, and others from content.go can carry safe content that is exempted from escaping."

What did you see instead?

The template outputs the url as "https://hostname.example.com/test.png?abc=1&amp;def=2", which has the ampersand escaped.

@bradfitz bradfitz changed the title html/template.URL escapes query params html/template: URL escapes query params Nov 11, 2016
@bradfitz bradfitz added NeedsDecision Feedback is required from experts, contributors, and/or the community before a change can be made. NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. labels Nov 11, 2016
@bradfitz (Contributor)

/cc @rsc

rsc (Contributor) commented Nov 11, 2016

Using template.URL disables URL sanitization. It does not disable HTML escaping when you print the value in an HTML page. That &amp; is just what you have to do to get past the HTML parser. If you want to put raw HTML in the page, use template.HTML.

See https://play.golang.org/p/vaa4kvWDaY:

package main

import (
    "fmt"
    "html/template"
    "os"
    "runtime"
)

func main() {
    fmt.Println(runtime.Version())
    // The same three values are rendered in two contexts each: inside an
    // href attribute and as element text.
    t := template.Must(template.New("foo").Parse(`
                 U: <a href="{{.U}}">
                             {{.U}}</a>
                JS: <a href="{{.JS}}">
                             {{.JS}}</a>
            SafeJS: <a href="{{.SafeJS}}">
                             {{.SafeJS}}</a>
    `))
    err := t.Execute(os.Stdout, map[string]interface{}{
        // plain string: URL scheme filter, URL normalization, then HTML escaping
        "U": "https://example.com/?x=\"hello\"&y=\"world\"",
        // plain string with an unsafe scheme: replaced by #ZgotmplZ in the href
        "JS": "javascript:alert(\"hello\")",
        // template.URL: the scheme filter is skipped, but normalization and
        // HTML escaping still apply
        "SafeJS": template.URL("javascript:alert(\"hello\")"),
    })
    if err != nil {
        fmt.Fprintln(os.Stderr, err)
        os.Exit(1)
    }
}

Prints:

go1.7

                 U: <a href="https://example.com/?x=%22hello%22&amp;y=%22world%22">
                             https://example.com/?x=&#34;hello&#34;&amp;y=&#34;world&#34;</a>
                JS: <a href="#ZgotmplZ">
                             javascript:alert(&#34;hello&#34;)</a>
            SafeJS: <a href="javascript:alert%28%22hello%22%29">
                             javascript:alert(&#34;hello&#34;)</a>

Edit: Ha ha, github shows &amp; as & so I have to type it as &amp;amp; above.

@rsc rsc closed this as completed Nov 11, 2016
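The distinction rsc draws (template.URL skips the scheme filter but not attribute escaping; template.HTML skips HTML escaping altogether) is easiest to see by rendering the same input through each context and comparing the output. The program below is an added example, not code from the issue or from the Go project. It wraps html/template in small helpers so each result can be inspected as a string, and adds a hypothetical AllowHTTPURL check that shows the gate a practitioner would put in front of any template.URL conversion of user input: without such a gate, marking untrusted data as template.URL reintroduces javascript: links, exactly as the SafeJS row in rsc's output shows.

```go
package main

import (
	"errors"
	"fmt"
	"html/template"
	"net/url"
	"strings"
)

// render parses tmpl with html/template, executes it against data and
// returns the output so callers can inspect the escaping that was applied.
func render(tmpl string, data interface{}) (string, error) {
	t, err := template.New("demo").Parse(tmpl)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	if err := t.Execute(&sb, data); err != nil {
		return "", err
	}
	return sb.String(), nil
}

// Href renders an untrusted string inside an href attribute. html/template
// applies the URL scheme filter (unsafe schemes become #ZgotmplZ), URL
// normalization (percent-encoding of characters not allowed in URLs) and
// attribute escaping (& becomes &amp;).
func Href(s string) (string, error) {
	return render(`<a href="{{.}}">x</a>`, s)
}

// HrefTrusted renders the value as template.URL: the scheme filter is skipped,
// but URL normalization and attribute escaping still run.
func HrefTrusted(s string) (string, error) {
	return render(`<a href="{{.}}">x</a>`, template.URL(s))
}

// Body renders an untrusted string as element text: &, <, > and quotes are
// HTML-escaped.
func Body(s string) (string, error) {
	return render(`<p>{{.}}</p>`, s)
}

// BodyTrusted renders the value as template.HTML: nothing is escaped, so this
// is only safe for markup the program itself produced.
func BodyTrusted(s string) (string, error) {
	return render(`<p>{{.}}</p>`, template.HTML(s))
}

// AllowHTTPURL is a hypothetical helper (not part of html/template) showing
// the check that should guard promotion of user input to template.URL: only
// absolute http/https URLs are accepted, everything else is rejected.
func AllowHTTPURL(raw string) (template.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	switch strings.ToLower(u.Scheme) {
	case "http", "https":
		if u.Host == "" {
			return "", errors.New("missing host")
		}
		return template.URL(raw), nil
	}
	return "", fmt.Errorf("refusing scheme %q", u.Scheme)
}

func main() {
	// Constructed sample inputs: a benign URL with a query string, a
	// javascript: URL, and a fragment of markup.
	cases := []struct {
		name string
		fn   func(string) (string, error)
		in   string
	}{
		{"Href plain", Href, "https://example.com/?a=1&b=2"},
		{"Href javascript:", Href, "javascript:alert(1)"},
		{"HrefTrusted javascript:", HrefTrusted, "javascript:alert(1)"},
		{"Body plain", Body, "<b>a&b</b>"},
		{"BodyTrusted", BodyTrusted, "<b>a&b</b>"},
	}
	for _, c := range cases {
		out, err := c.fn(c.in)
		if err != nil {
			fmt.Printf("%-25s error: %v\n", c.name, err)
			continue
		}
		fmt.Printf("%-25s %s\n", c.name, out)
	}
	for _, raw := range []string{"https://example.com/?a=1&b=2", "javascript:alert(1)"} {
		if _, err := AllowHTTPURL(raw); err != nil {
			fmt.Printf("AllowHTTPURL(%q): rejected: %v\n", raw, err)
		} else {
			fmt.Printf("AllowHTTPURL(%q): accepted\n", raw)
		}
	}
}
```

The `&amp;` in the Href output is correct HTML: the browser decodes the attribute value before treating it as a URL, so the request carries a plain `&`. The row that deserves attention is HrefTrusted, where the javascript: scheme survives because template.URL asserts the value is already safe; that is why the type should only be applied after a check such as AllowHTTPURL, never to raw request data.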
rudydai (Author) commented Nov 11, 2016

Thanks for your quick replies! Looks like most browsers accept both formats, but this is certainly the more correct way.

@golang golang locked and limited conversation to collaborators Nov 11, 2017