...
Run Format

Source file src/html/template/js.go

Documentation: html/template

     1  // Copyright 2011 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  package template
     6  
     7  import (
     8  	"bytes"
     9  	"encoding/json"
    10  	"fmt"
    11  	"reflect"
    12  	"strings"
    13  	"unicode/utf8"
    14  )
    15  
    16  // nextJSCtx returns the context that determines whether a slash after the
    17  // given run of tokens starts a regular expression instead of a division
    18  // operator: / or /=.
    19  //
    20  // This assumes that the token run does not include any string tokens, comment
    21  // tokens, regular expression literal tokens, or division operators.
    22  //
    23  // This fails on some valid but nonsensical JavaScript programs like
    24  // "x = ++/foo/i" which is quite different than "x++/foo/i", but is not known to
    25  // fail on any known useful programs. It is based on the draft
    26  // JavaScript 2.0 lexical grammar and requires one token of lookbehind:
    27  // https://www.mozilla.org/js/language/js20-2000-07/rationale/syntax.html
    28  func nextJSCtx(s []byte, preceding jsCtx) jsCtx {
    29  	s = bytes.TrimRight(s, "\t\n\f\r \u2028\u2029")
    30  	if len(s) == 0 {
    31  		return preceding
    32  	}
    33  
    34  	// All cases below are in the single-byte UTF-8 group.
    35  	switch c, n := s[len(s)-1], len(s); c {
    36  	case '+', '-':
    37  		// ++ and -- are not regexp preceders, but + and - are whether
    38  		// they are used as infix or prefix operators.
    39  		start := n - 1
    40  		// Count the number of adjacent dashes or pluses.
    41  		for start > 0 && s[start-1] == c {
    42  			start--
    43  		}
    44  		if (n-start)&1 == 1 {
    45  			// Reached for trailing minus signs since "---" is the
    46  			// same as "-- -".
    47  			return jsCtxRegexp
    48  		}
    49  		return jsCtxDivOp
    50  	case '.':
    51  		// Handle "42."
    52  		if n != 1 && '0' <= s[n-2] && s[n-2] <= '9' {
    53  			return jsCtxDivOp
    54  		}
    55  		return jsCtxRegexp
    56  	// Suffixes for all punctuators from section 7.7 of the language spec
    57  	// that only end binary operators not handled above.
    58  	case ',', '<', '>', '=', '*', '%', '&', '|', '^', '?':
    59  		return jsCtxRegexp
    60  	// Suffixes for all punctuators from section 7.7 of the language spec
    61  	// that are prefix operators not handled above.
    62  	case '!', '~':
    63  		return jsCtxRegexp
    64  	// Matches all the punctuators from section 7.7 of the language spec
    65  	// that are open brackets not handled above.
    66  	case '(', '[':
    67  		return jsCtxRegexp
    68  	// Matches all the punctuators from section 7.7 of the language spec
    69  	// that precede expression starts.
    70  	case ':', ';', '{':
    71  		return jsCtxRegexp
    72  	// CAVEAT: the close punctuators ('}', ']', ')') precede div ops and
    73  	// are handled in the default except for '}' which can precede a
    74  	// division op as in
    75  	//    ({ valueOf: function () { return 42 } } / 2
    76  	// which is valid, but, in practice, developers don't divide object
    77  	// literals, so our heuristic works well for code like
    78  	//    function () { ... }  /foo/.test(x) && sideEffect();
    79  	// The ')' punctuator can precede a regular expression as in
    80  	//     if (b) /foo/.test(x) && ...
    81  	// but this is much less likely than
    82  	//     (a + b) / c
    83  	case '}':
    84  		return jsCtxRegexp
    85  	default:
    86  		// Look for an IdentifierName and see if it is a keyword that
    87  		// can precede a regular expression.
    88  		j := n
    89  		for j > 0 && isJSIdentPart(rune(s[j-1])) {
    90  			j--
    91  		}
    92  		if regexpPrecederKeywords[string(s[j:])] {
    93  			return jsCtxRegexp
    94  		}
    95  	}
    96  	// Otherwise is a punctuator not listed above, or
    97  	// a string which precedes a div op, or an identifier
    98  	// which precedes a div op.
    99  	return jsCtxDivOp
   100  }
   101  
   102  // regexpPrecederKeywords is a set of reserved JS keywords that can precede a
   103  // regular expression in JS source.
   104  var regexpPrecederKeywords = map[string]bool{
   105  	"break":      true,
   106  	"case":       true,
   107  	"continue":   true,
   108  	"delete":     true,
   109  	"do":         true,
   110  	"else":       true,
   111  	"finally":    true,
   112  	"in":         true,
   113  	"instanceof": true,
   114  	"return":     true,
   115  	"throw":      true,
   116  	"try":        true,
   117  	"typeof":     true,
   118  	"void":       true,
   119  }
   120  
   121  var jsonMarshalType = reflect.TypeOf((*json.Marshaler)(nil)).Elem()
   122  
   123  // indirectToJSONMarshaler returns the value, after dereferencing as many times
   124  // as necessary to reach the base type (or nil) or an implementation of json.Marshal.
   125  func indirectToJSONMarshaler(a interface{}) interface{} {
   126  	// text/template now supports passing untyped nil as a func call
   127  	// argument, so we must support it. Otherwise we'd panic below, as one
   128  	// cannot call the Type or Interface methods on an invalid
   129  	// reflect.Value. See golang.org/issue/18716.
   130  	if a == nil {
   131  		return nil
   132  	}
   133  
   134  	v := reflect.ValueOf(a)
   135  	for !v.Type().Implements(jsonMarshalType) && v.Kind() == reflect.Ptr && !v.IsNil() {
   136  		v = v.Elem()
   137  	}
   138  	return v.Interface()
   139  }
   140  
   141  // jsValEscaper escapes its inputs to a JS Expression (section 11.14) that has
   142  // neither side-effects nor free variables outside (NaN, Infinity).
   143  func jsValEscaper(args ...interface{}) string {
   144  	var a interface{}
   145  	if len(args) == 1 {
   146  		a = indirectToJSONMarshaler(args[0])
   147  		switch t := a.(type) {
   148  		case JS:
   149  			return string(t)
   150  		case JSStr:
   151  			// TODO: normalize quotes.
   152  			return `"` + string(t) + `"`
   153  		case json.Marshaler:
   154  			// Do not treat as a Stringer.
   155  		case fmt.Stringer:
   156  			a = t.String()
   157  		}
   158  	} else {
   159  		for i, arg := range args {
   160  			args[i] = indirectToJSONMarshaler(arg)
   161  		}
   162  		a = fmt.Sprint(args...)
   163  	}
   164  	// TODO: detect cycles before calling Marshal which loops infinitely on
   165  	// cyclic data. This may be an unacceptable DoS risk.
   166  
   167  	b, err := json.Marshal(a)
   168  	if err != nil {
   169  		// Put a space before comment so that if it is flush against
   170  		// a division operator it is not turned into a line comment:
   171  		//     x/{{y}}
   172  		// turning into
   173  		//     x//* error marshaling y:
   174  		//          second line of error message */null
   175  		return fmt.Sprintf(" /* %s */null ", strings.Replace(err.Error(), "*/", "* /", -1))
   176  	}
   177  
   178  	// TODO: maybe post-process output to prevent it from containing
   179  	// "<!--", "-->", "<![CDATA[", "]]>", or "</script"
   180  	// in case custom marshalers produce output containing those.
   181  
   182  	// TODO: Maybe abbreviate \u00ab to \xab to produce more compact output.
   183  	if len(b) == 0 {
   184  		// In, `x=y/{{.}}*z` a json.Marshaler that produces "" should
   185  		// not cause the output `x=y/*z`.
   186  		return " null "
   187  	}
   188  	first, _ := utf8.DecodeRune(b)
   189  	last, _ := utf8.DecodeLastRune(b)
   190  	var buf bytes.Buffer
   191  	// Prevent IdentifierNames and NumericLiterals from running into
   192  	// keywords: in, instanceof, typeof, void
   193  	pad := isJSIdentPart(first) || isJSIdentPart(last)
   194  	if pad {
   195  		buf.WriteByte(' ')
   196  	}
   197  	written := 0
   198  	// Make sure that json.Marshal escapes codepoints U+2028 & U+2029
   199  	// so it falls within the subset of JSON which is valid JS.
   200  	for i := 0; i < len(b); {
   201  		rune, n := utf8.DecodeRune(b[i:])
   202  		repl := ""
   203  		if rune == 0x2028 {
   204  			repl = `\u2028`
   205  		} else if rune == 0x2029 {
   206  			repl = `\u2029`
   207  		}
   208  		if repl != "" {
   209  			buf.Write(b[written:i])
   210  			buf.WriteString(repl)
   211  			written = i + n
   212  		}
   213  		i += n
   214  	}
   215  	if buf.Len() != 0 {
   216  		buf.Write(b[written:])
   217  		if pad {
   218  			buf.WriteByte(' ')
   219  		}
   220  		b = buf.Bytes()
   221  	}
   222  	return string(b)
   223  }
   224  
   225  // jsStrEscaper produces a string that can be included between quotes in
   226  // JavaScript source, in JavaScript embedded in an HTML5 <script> element,
   227  // or in an HTML5 event handler attribute such as onclick.
   228  func jsStrEscaper(args ...interface{}) string {
   229  	s, t := stringify(args...)
   230  	if t == contentTypeJSStr {
   231  		return replace(s, jsStrNormReplacementTable)
   232  	}
   233  	return replace(s, jsStrReplacementTable)
   234  }
   235  
   236  // jsRegexpEscaper behaves like jsStrEscaper but escapes regular expression
   237  // specials so the result is treated literally when included in a regular
   238  // expression literal. /foo{{.X}}bar/ matches the string "foo" followed by
   239  // the literal text of {{.X}} followed by the string "bar".
   240  func jsRegexpEscaper(args ...interface{}) string {
   241  	s, _ := stringify(args...)
   242  	s = replace(s, jsRegexpReplacementTable)
   243  	if s == "" {
   244  		// /{{.X}}/ should not produce a line comment when .X == "".
   245  		return "(?:)"
   246  	}
   247  	return s
   248  }
   249  
   250  // replace replaces each rune r of s with replacementTable[r], provided that
   251  // r < len(replacementTable). If replacementTable[r] is the empty string then
   252  // no replacement is made.
   253  // It also replaces runes U+2028 and U+2029 with the raw strings `\u2028` and
   254  // `\u2029`.
   255  func replace(s string, replacementTable []string) string {
   256  	var b bytes.Buffer
   257  	r, w, written := rune(0), 0, 0
   258  	for i := 0; i < len(s); i += w {
   259  		// See comment in htmlEscaper.
   260  		r, w = utf8.DecodeRuneInString(s[i:])
   261  		var repl string
   262  		switch {
   263  		case int(r) < len(replacementTable) && replacementTable[r] != "":
   264  			repl = replacementTable[r]
   265  		case r == '\u2028':
   266  			repl = `\u2028`
   267  		case r == '\u2029':
   268  			repl = `\u2029`
   269  		default:
   270  			continue
   271  		}
   272  		b.WriteString(s[written:i])
   273  		b.WriteString(repl)
   274  		written = i + w
   275  	}
   276  	if written == 0 {
   277  		return s
   278  	}
   279  	b.WriteString(s[written:])
   280  	return b.String()
   281  }
   282  
   283  var jsStrReplacementTable = []string{
   284  	0:    `\0`,
   285  	'\t': `\t`,
   286  	'\n': `\n`,
   287  	'\v': `\x0b`, // "\v" == "v" on IE 6.
   288  	'\f': `\f`,
   289  	'\r': `\r`,
   290  	// Encode HTML specials as hex so the output can be embedded
   291  	// in HTML attributes without further encoding.
   292  	'"':  `\x22`,
   293  	'&':  `\x26`,
   294  	'\'': `\x27`,
   295  	'+':  `\x2b`,
   296  	'/':  `\/`,
   297  	'<':  `\x3c`,
   298  	'>':  `\x3e`,
   299  	'\\': `\\`,
   300  }
   301  
   302  // jsStrNormReplacementTable is like jsStrReplacementTable but does not
   303  // overencode existing escapes since this table has no entry for `\`.
   304  var jsStrNormReplacementTable = []string{
   305  	0:    `\0`,
   306  	'\t': `\t`,
   307  	'\n': `\n`,
   308  	'\v': `\x0b`, // "\v" == "v" on IE 6.
   309  	'\f': `\f`,
   310  	'\r': `\r`,
   311  	// Encode HTML specials as hex so the output can be embedded
   312  	// in HTML attributes without further encoding.
   313  	'"':  `\x22`,
   314  	'&':  `\x26`,
   315  	'\'': `\x27`,
   316  	'+':  `\x2b`,
   317  	'/':  `\/`,
   318  	'<':  `\x3c`,
   319  	'>':  `\x3e`,
   320  }
   321  
   322  var jsRegexpReplacementTable = []string{
   323  	0:    `\0`,
   324  	'\t': `\t`,
   325  	'\n': `\n`,
   326  	'\v': `\x0b`, // "\v" == "v" on IE 6.
   327  	'\f': `\f`,
   328  	'\r': `\r`,
   329  	// Encode HTML specials as hex so the output can be embedded
   330  	// in HTML attributes without further encoding.
   331  	'"':  `\x22`,
   332  	'$':  `\$`,
   333  	'&':  `\x26`,
   334  	'\'': `\x27`,
   335  	'(':  `\(`,
   336  	')':  `\)`,
   337  	'*':  `\*`,
   338  	'+':  `\x2b`,
   339  	'-':  `\-`,
   340  	'.':  `\.`,
   341  	'/':  `\/`,
   342  	'<':  `\x3c`,
   343  	'>':  `\x3e`,
   344  	'?':  `\?`,
   345  	'[':  `\[`,
   346  	'\\': `\\`,
   347  	']':  `\]`,
   348  	'^':  `\^`,
   349  	'{':  `\{`,
   350  	'|':  `\|`,
   351  	'}':  `\}`,
   352  }
   353  
   354  // isJSIdentPart reports whether the given rune is a JS identifier part.
   355  // It does not handle all the non-Latin letters, joiners, and combining marks,
   356  // but it does handle every codepoint that can occur in a numeric literal or
   357  // a keyword.
   358  func isJSIdentPart(r rune) bool {
   359  	switch {
   360  	case r == '$':
   361  		return true
   362  	case '0' <= r && r <= '9':
   363  		return true
   364  	case 'A' <= r && r <= 'Z':
   365  		return true
   366  	case r == '_':
   367  		return true
   368  	case 'a' <= r && r <= 'z':
   369  		return true
   370  	}
   371  	return false
   372  }
   373  
   374  // isJSType returns true if the given MIME type should be considered JavaScript.
   375  //
   376  // It is used to determine whether a script tag with a type attribute is a javascript container.
   377  func isJSType(mimeType string) bool {
   378  	// per
   379  	//   https://www.w3.org/TR/html5/scripting-1.html#attr-script-type
   380  	//   https://tools.ietf.org/html/rfc7231#section-3.1.1
   381  	//   https://tools.ietf.org/html/rfc4329#section-3
   382  	//   https://www.ietf.org/rfc/rfc4627.txt
   383  	mimeType = strings.ToLower(mimeType)
   384  	// discard parameters
   385  	if i := strings.Index(mimeType, ";"); i >= 0 {
   386  		mimeType = mimeType[:i]
   387  	}
   388  	mimeType = strings.TrimSpace(mimeType)
   389  	switch mimeType {
   390  	case
   391  		"application/ecmascript",
   392  		"application/javascript",
   393  		"application/json",
   394  		"application/x-ecmascript",
   395  		"application/x-javascript",
   396  		"text/ecmascript",
   397  		"text/javascript",
   398  		"text/javascript1.0",
   399  		"text/javascript1.1",
   400  		"text/javascript1.2",
   401  		"text/javascript1.3",
   402  		"text/javascript1.4",
   403  		"text/javascript1.5",
   404  		"text/jscript",
   405  		"text/livescript",
   406  		"text/x-ecmascript",
   407  		"text/x-javascript":
   408  		return true
   409  	default:
   410  		return false
   411  	}
   412  }
   413  

View as plain text