...
Run Format

Source file src/html/template/attr.go

Documentation: html/template

     1  // Copyright 2011 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  package template
     6  
     7  import (
     8  	"strings"
     9  )
    10  
    11  // attrTypeMap[n] describes the value of the given attribute.
    12  // If an attribute affects (or can mask) the encoding or interpretation of
    13  // other content, or affects the contents, idempotency, or credentials of a
    14  // network message, then the value in this map is contentTypeUnsafe.
    15  // This map is derived from HTML5, specifically
    16  // https://www.w3.org/TR/html5/Overview.html#attributes-1
    17  // as well as "%URI"-typed attributes from
    18  // https://www.w3.org/TR/html4/index/attributes.html
    19  var attrTypeMap = map[string]contentType{
    20  	"accept":          contentTypePlain,
    21  	"accept-charset":  contentTypeUnsafe,
    22  	"action":          contentTypeURL,
    23  	"alt":             contentTypePlain,
    24  	"archive":         contentTypeURL,
    25  	"async":           contentTypeUnsafe,
    26  	"autocomplete":    contentTypePlain,
    27  	"autofocus":       contentTypePlain,
    28  	"autoplay":        contentTypePlain,
    29  	"background":      contentTypeURL,
    30  	"border":          contentTypePlain,
    31  	"checked":         contentTypePlain,
    32  	"cite":            contentTypeURL,
    33  	"challenge":       contentTypeUnsafe,
    34  	"charset":         contentTypeUnsafe,
    35  	"class":           contentTypePlain,
    36  	"classid":         contentTypeURL,
    37  	"codebase":        contentTypeURL,
    38  	"cols":            contentTypePlain,
    39  	"colspan":         contentTypePlain,
    40  	"content":         contentTypeUnsafe,
    41  	"contenteditable": contentTypePlain,
    42  	"contextmenu":     contentTypePlain,
    43  	"controls":        contentTypePlain,
    44  	"coords":          contentTypePlain,
    45  	"crossorigin":     contentTypeUnsafe,
    46  	"data":            contentTypeURL,
    47  	"datetime":        contentTypePlain,
    48  	"default":         contentTypePlain,
    49  	"defer":           contentTypeUnsafe,
    50  	"dir":             contentTypePlain,
    51  	"dirname":         contentTypePlain,
    52  	"disabled":        contentTypePlain,
    53  	"draggable":       contentTypePlain,
    54  	"dropzone":        contentTypePlain,
    55  	"enctype":         contentTypeUnsafe,
    56  	"for":             contentTypePlain,
    57  	"form":            contentTypeUnsafe,
    58  	"formaction":      contentTypeURL,
    59  	"formenctype":     contentTypeUnsafe,
    60  	"formmethod":      contentTypeUnsafe,
    61  	"formnovalidate":  contentTypeUnsafe,
    62  	"formtarget":      contentTypePlain,
    63  	"headers":         contentTypePlain,
    64  	"height":          contentTypePlain,
    65  	"hidden":          contentTypePlain,
    66  	"high":            contentTypePlain,
    67  	"href":            contentTypeURL,
    68  	"hreflang":        contentTypePlain,
    69  	"http-equiv":      contentTypeUnsafe,
    70  	"icon":            contentTypeURL,
    71  	"id":              contentTypePlain,
    72  	"ismap":           contentTypePlain,
    73  	"keytype":         contentTypeUnsafe,
    74  	"kind":            contentTypePlain,
    75  	"label":           contentTypePlain,
    76  	"lang":            contentTypePlain,
    77  	"language":        contentTypeUnsafe,
    78  	"list":            contentTypePlain,
    79  	"longdesc":        contentTypeURL,
    80  	"loop":            contentTypePlain,
    81  	"low":             contentTypePlain,
    82  	"manifest":        contentTypeURL,
    83  	"max":             contentTypePlain,
    84  	"maxlength":       contentTypePlain,
    85  	"media":           contentTypePlain,
    86  	"mediagroup":      contentTypePlain,
    87  	"method":          contentTypeUnsafe,
    88  	"min":             contentTypePlain,
    89  	"multiple":        contentTypePlain,
    90  	"name":            contentTypePlain,
    91  	"novalidate":      contentTypeUnsafe,
    92  	// Skip handler names from
    93  	// https://www.w3.org/TR/html5/webappapis.html#event-handlers-on-elements,-document-objects,-and-window-objects
    94  	// since we have special handling in attrType.
    95  	"open":        contentTypePlain,
    96  	"optimum":     contentTypePlain,
    97  	"pattern":     contentTypeUnsafe,
    98  	"placeholder": contentTypePlain,
    99  	"poster":      contentTypeURL,
   100  	"profile":     contentTypeURL,
   101  	"preload":     contentTypePlain,
   102  	"pubdate":     contentTypePlain,
   103  	"radiogroup":  contentTypePlain,
   104  	"readonly":    contentTypePlain,
   105  	"rel":         contentTypeUnsafe,
   106  	"required":    contentTypePlain,
   107  	"reversed":    contentTypePlain,
   108  	"rows":        contentTypePlain,
   109  	"rowspan":     contentTypePlain,
   110  	"sandbox":     contentTypeUnsafe,
   111  	"spellcheck":  contentTypePlain,
   112  	"scope":       contentTypePlain,
   113  	"scoped":      contentTypePlain,
   114  	"seamless":    contentTypePlain,
   115  	"selected":    contentTypePlain,
   116  	"shape":       contentTypePlain,
   117  	"size":        contentTypePlain,
   118  	"sizes":       contentTypePlain,
   119  	"span":        contentTypePlain,
   120  	"src":         contentTypeURL,
   121  	"srcdoc":      contentTypeHTML,
   122  	"srclang":     contentTypePlain,
   123  	"srcset":      contentTypeSrcset,
   124  	"start":       contentTypePlain,
   125  	"step":        contentTypePlain,
   126  	"style":       contentTypeCSS,
   127  	"tabindex":    contentTypePlain,
   128  	"target":      contentTypePlain,
   129  	"title":       contentTypePlain,
   130  	"type":        contentTypeUnsafe,
   131  	"usemap":      contentTypeURL,
   132  	"value":       contentTypeUnsafe,
   133  	"width":       contentTypePlain,
   134  	"wrap":        contentTypePlain,
   135  	"xmlns":       contentTypeURL,
   136  }
   137  
   138  // attrType returns a conservative (upper-bound on authority) guess at the
   139  // type of the lowercase named attribute.
   140  func attrType(name string) contentType {
   141  	if strings.HasPrefix(name, "data-") {
   142  		// Strip data- so that custom attribute heuristics below are
   143  		// widely applied.
   144  		// Treat data-action as URL below.
   145  		name = name[5:]
   146  	} else if colon := strings.IndexRune(name, ':'); colon != -1 {
   147  		if name[:colon] == "xmlns" {
   148  			return contentTypeURL
   149  		}
   150  		// Treat svg:href and xlink:href as href below.
   151  		name = name[colon+1:]
   152  	}
   153  	if t, ok := attrTypeMap[name]; ok {
   154  		return t
   155  	}
   156  	// Treat partial event handler names as script.
   157  	if strings.HasPrefix(name, "on") {
   158  		return contentTypeJS
   159  	}
   160  
   161  	// Heuristics to prevent "javascript:..." injection in custom
   162  	// data attributes and custom attributes like g:tweetUrl.
   163  	// https://www.w3.org/TR/html5/dom.html#embedding-custom-non-visible-data-with-the-data-*-attributes
   164  	// "Custom data attributes are intended to store custom data
   165  	//  private to the page or application, for which there are no
   166  	//  more appropriate attributes or elements."
   167  	// Developers seem to store URL content in data URLs that start
   168  	// or end with "URI" or "URL".
   169  	if strings.Contains(name, "src") ||
   170  		strings.Contains(name, "uri") ||
   171  		strings.Contains(name, "url") {
   172  		return contentTypeURL
   173  	}
   174  	return contentTypePlain
   175  }
   176  

View as plain text