html/template: truncated output for URL #6701
Labels
Milestone
Comments
One possibility: Comment elision is kicking in because the template content is being interpreted as JS despite the presence of type="html/template". If the body is interpreted as JS, then you see the tokens '<', 'a', 'href', '=', a quoted string, '>', '<', a regular expression running from /a>\n<a href="https:/, '/', 'www', '.', 'facebook', '.', 'com', '/', 'sharer', '/', 'sharer.php', a quoted string "></a>\n<a href=", 'https', ':', a line comment So I don't think this indicates a bug in the JS handling, but maybe we should not treat the body of a script tag with a non javascript type attribute as having JS content. Status changed to New. |
With HTML 5 the default script type is "text/javascript" http://www.w3.org/TR/html5/scripting-1.html So if a script tag does not have a type attribute, or the type attribute is "text/javascript", then the current behaviour is correct. If the specified MIME type is something else it becomes a challenge to know how to correctly interpret it. Internet Explorer has vbscript, but I doubt anyone wants to go there! Reading the code, seems an additional state is required other than stateJS http://tip.golang.org/src/pkg/html/template/context.go#L105 perhaps stateMIME? |
Quoting the relevant portions of the spec that Donovan pointed to http://www.w3.org/TR/html5/scripting-1.html#the-script-block's-type """ If either: the script element has a type attribute and its value is the empty string, or the script element has no type attribute but it has a language attribute and that attribute's value is the empty string, or the script element has neither a type attribute nor a language attribute, then ...let the script block's type for this script element be "text/javascript". ... If the user agent does not support the scripting language given by the script block's type for this script element, then the user agent must abort these steps at this point. The script is not executed. """ |
How safe would it be to not escape things if html/template doesn't understand the script type? #4 quotes the HTML5 spec, but when it comes to security we need to play to what's actually running in the world, not what the spec says. Returning an error would be a safe fallback option. Labels changed: added security. |
Rather than escape as javascript, can we just discard script element contents with type attribute specified as other than "text/javascript"? Such behaviour would more closely mirror the way browsers treat the element, and prevent confusion where it "sometimes works" for other types. |
|
CL https://golang.org/cl/14336 mentions this issue. |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Reported at tip with 6g changeset: 18385:db021a4c7b4a This program: ====== package main import ( "html/template" "os" ) func main() { template.Must(template.New("test").Parse(text)).Execute(os.Stdout, nil) } const text = `<!DOCTYPE html> <html> <body> <script id="test" type="html/template"> <a href="https://twitter.com/share";></a> <a href="https://www.facebook.com/sharer/sharer.php";></a> <a href="https://plus.google.com/share";></a> </script> </body> </html> ` ====== Produces this output: ====== <!DOCTYPE html> <html> <body> <script id="test" type="html/template"> <a href="https://twitter.com/share";></a> <a href="https://www.facebook.com/sharer/sharer.php";></a> <a href="https: </script> </body> </html> ====== Notice that the third URL is truncated. Deleting either of the other two from the input restores the final one.The text was updated successfully, but these errors were encountered: