├── .gitignore
├── README.md
└── v0
    ├── block_test.go
    ├── content_test.go
    ├── doc.go
    ├── escape
        ├── attr.go
        ├── content.go
        ├── context.go
        ├── css.go
        ├── css_test.go
        ├── error.go
        ├── escape.go
        ├── escape_test.go
        ├── funcs.go
        ├── html.go
        ├── html_test.go
        ├── js.go
        ├── js_test.go
        ├── pipeline.go
        ├── pipeline_test.go
        ├── transition.go
        ├── url.go
        └── url_test.go
    ├── escape_test.go
    ├── example_test.go
    ├── examplefiles_test.go
    ├── examplefunc_test.go
    ├── exec.go
    ├── exec_test.go
    ├── funcs.go
    ├── inline.go
    ├── multi_test.go
    ├── parse
        ├── lex.go
        ├── lex_test.go
        ├── node.go
        ├── parse.go
        └── parse_test.go
    ├── template.go
    └── testdata
        ├── file1.tmpl
        ├── file2.tmpl
        ├── tmpl1.tmpl
        └── tmpl2.tmpl


/.gitignore:
--------------------------------------------------------------------------------
 1 | # Compiled Object files, Static and Dynamic libs (Shared Objects)
 2 | *.o
 3 | *.a
 4 | *.so
 5 | 
 6 | # Folders
 7 | _obj
 8 | _test
 9 | 
10 | # Architecture specific extensions/prefixes
11 | *.[568vq]
12 | [568vq].out
13 | 
14 | *.cgo1.go
15 | *.cgo2.c
16 | _cgo_defun.c
17 | _cgo_gotypes.go
18 | _cgo_export.*
19 | 
20 | _testmain.go
21 | 
22 | *.exe
23 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | gorilla/template
 2 | ================
 3 | 
 4 | *Warning:* This is a work in progress, and the v0 API is subject of
 5 | changes.
 6 | 
 7 | Go templates are a great foundation but suffer from some design
 8 | flaws, and this is a pity. They could be really awesome.
 9 | gorilla/template is yet another attempt to fix them.
10 | 
11 | Goals
12 | -----
13 | - Better composition options.
14 | - Improved HTML support.
15 | - Client-side support.
16 | - Auto-documentation.
17 | - Simpler spec and API.
18 | 
19 | These goals will be achieved through several phases.
20 | 
21 | ### Phase 1 - Dec.2012
22 | The initial work makes templates self-contained, removing root
23 | templates. This greatly simplifies internals, spec and API without
24 | losing any functionality. Highlights:
25 | 
26 | - Removed New("name") API: templates are self-contained and must
27 |   be named using {{define}}.
28 | - Templates are always executed passing the template name, so there's
29 |   no need for two Execute methods.
30 | - The Set type replaces the Template type: a Set is a group
31 |   of parsed templates.
32 | - Parse tree: added DefineNode and Tree types.
33 | - Node.String() methods result in templates that reproduce the
34 |   original template exactly.
35 | 
36 | ### Phase 2 - Dec.2012
37 | In this step the contextual escaping mechanism from html/template
38 | becomes part of the gorilla/template package, effectively making it
39 | a combination of text/template and html/template. Highlights:
40 | 
41 | - Same functionality of text/template and html/template but:
42 |   - 1119 less lines of code.
43 |   - 33 less types, functions and methods.
44 | - HTML contextual escaping is set explicitly calling Escape().
45 | - Types to encapsulate safe strings are placed in the template/escape
46 |   package: CSS, JS, JSStr, HTML, HTMLAttr.
47 | 
48 | ### Phase 3 - Jan.2013
49 | We finally add template inheritance and introduce two new actions:
50 | {{slot}} and {{fill}}. Highlights:
51 | 
52 | - A {{slot}} defines placeholders in a base template, and a {{fill}}
53 |   fills a placeholder in a parent template.
54 | - An inherited template is defined passing the parent template name
55 |   in the {{define}} action, as in {{define "child" "parent"}}.
56 | - New templates can't be added to a Set after execution: the set
57 |   is "compiled" and locked, as in html/template.
58 | - Inheritance and the new actions are inlined, so contextual escaping
59 |   and execution didn't require any changes.
60 | 


--------------------------------------------------------------------------------
/v0/block_test.go:
--------------------------------------------------------------------------------
  1 | // Copyright 2011 The Go Authors. All rights reserved.
  2 | // Use of this source code is governed by a BSD-style
  3 | // license that can be found in the LICENSE file.
  4 | 
  5 | package template
  6 | 
  7 | import (
  8 | 	"bytes"
  9 | 	"strings"
 10 | 	"testing"
 11 | )
 12 | 
 13 | func TestSlot(t *testing.T) {
 14 | 	// Some deep inheritance.
 15 | 	tpl1 := `
 16 | 	{{define "tpl1"}}
 17 | 		A
 18 | 		{{slot "header"}}
 19 | 			-h1-
 20 | 		{{end}}
 21 | 		B
 22 | 		{{slot "footer"}}
 23 | 			-f1-
 24 | 		{{end}}
 25 | 		C
 26 | 	{{end}}
 27 | 
 28 | 	{{define "tpl2" "tpl1"}}
 29 | 		xxx
 30 | 	{{end}}
 31 | 
 32 | 	{{define "tpl3" "tpl2"}}
 33 | 		xxx
 34 | 		{{fill "header"}}
 35 | 			-h3-
 36 | 		{{end}}
 37 | 		xxx
 38 | 	{{end}}
 39 | 
 40 | 	{{define "tpl4" "tpl3"}}
 41 | 		xxx
 42 | 		{{fill "header"}}
 43 | 			-h4-
 44 | 		{{end}}
 45 | 		xxx
 46 | 		{{fill "footer"}}
 47 | 			-f4-
 48 | 		{{end}}
 49 | 		xxx
 50 | 	{{end}}
 51 | 
 52 | 	{{define "tpl5" "tpl4"}}
 53 | 		xxx
 54 | 		{{fill "footer"}}
 55 | 			-f5-
 56 | 		{{end}}
 57 | 		xxx
 58 | 	{{end}}`
 59 | 	// Recursive inheritance.
 60 | 	tpl2 := `
 61 | 	{{define "tpl1" "tpl2"}}
 62 | 		{{fill "header"}}
 63 | 			-h1-
 64 | 		{{end}}
 65 | 	{{end}}
 66 | 
 67 | 	{{define "tpl2" "tpl3"}}
 68 | 		{{fill "header"}}
 69 | 			-h2-
 70 | 		{{end}}
 71 | 	{{end}}
 72 | 
 73 | 	{{define "tpl3" "tpl1"}}
 74 | 		{{fill "header"}}
 75 | 			-h3-
 76 | 		{{end}}
 77 | 	{{end}}`
 78 | 
 79 | 	tests := []execTest{
 80 | 		// the base template itself
 81 | 		{"tpl1", tpl1, "A-h1-B-f1-C", nil, true},
 82 | 		// default slot value
 83 | 		{"tpl2", tpl1, "A-h1-B-f1-C", nil, true},
 84 | 		// override only one slot
 85 | 		{"tpl3", tpl1, "A-h3-B-f1-C", nil, true},
 86 | 		// override both slots
 87 | 		{"tpl4", tpl1, "A-h4-B-f4-C", nil, true},
 88 | 		// override only one slot, higher level override both
 89 | 		{"tpl5", tpl1, "A-h4-B-f5-C", nil, true},
 90 | 		// impossible recursion
 91 | 		{"tpl1", tpl2, "impossible recursion", nil, false},
 92 | 	}
 93 | 	for _, test := range tests {
 94 | 		set, err := new(Set).Parse(test.input)
 95 | 		if err != nil {
 96 | 			t.Errorf("%s: unexpected parse error: %s", test.name, err)
 97 | 			continue
 98 | 		}
 99 | 		b := new(bytes.Buffer)
100 | 		err = set.Execute(b, test.name, test.data)
101 | 		if test.ok {
102 | 			if err != nil {
103 | 				t.Errorf("%s: unexpected exec error: %s", test.name, err)
104 | 				continue
105 | 			}
106 | 			output := b.String()
107 | 			output = strings.Replace(output, " ", "", -1)
108 | 			output = strings.Replace(output, "\n", "", -1)
109 | 			output = strings.Replace(output, "\t", "", -1)
110 | 			if test.output != output {
111 | 				t.Errorf("%s: expected %q, got %q", test.name, test.output, output)
112 | 			}
113 | 		} else {
114 | 			if err == nil {
115 | 				t.Errorf("%s: expected exec error", test.name)
116 | 				continue
117 | 			}
118 | 			if !strings.Contains(err.Error(), test.output) {
119 | 				t.Errorf("%s: expected exec error %q, got %q", test.name, test.output, err.Error())
120 | 			}
121 | 		}
122 | 	}
123 | }
124 | 


--------------------------------------------------------------------------------
/v0/content_test.go:
--------------------------------------------------------------------------------
  1 | // Copyright 2011 The Go Authors. All rights reserved.
  2 | // Use of this source code is governed by a BSD-style
  3 | // license that can be found in the LICENSE file.
  4 | 
  5 | package template
  6 | 
  7 | import (
  8 | 	"bytes"
  9 | 	"fmt"
 10 | 	"strings"
 11 | 	"testing"
 12 | 
 13 | 	"github.com/gorilla/template/v0/escape"
 14 | )
 15 | 
 16 | func TestTypedContent(t *testing.T) {
 17 | 	data := []interface{}{
 18 | 		`<b> "foo%" O'Reilly &bar;`,
 19 | 		escape.CSS(`a[href =~ "//example.com"]#foo`),
 20 | 		escape.HTML(`Hello, <b>World</b> &amp;tc!`),
 21 | 		escape.HTMLAttr(` dir="ltr"`),
 22 | 		escape.JS(`c && alert("Hello, World!");`),
 23 | 		escape.JSStr(`Hello, World & O'Reilly\x21`),
 24 | 		escape.URL(`greeting=H%69&addressee=(World)`),
 25 | 	}
 26 | 
 27 | 	// For each content sensitive escaper, see how it does on
 28 | 	// each of the typed strings above.
 29 | 	tests := []struct {
 30 | 		// A template containing a single {{.}}.
 31 | 		input string
 32 | 		want  []string
 33 | 	}{
 34 | 		{
 35 | 			`<style>{{.}} { color: blue }</style>`,
 36 | 			[]string{
 37 | 				`ZgotmplZ`,
 38 | 				// Allowed but not escaped.
 39 | 				`a[href =~ "//example.com"]#foo`,
 40 | 				`ZgotmplZ`,
 41 | 				`ZgotmplZ`,
 42 | 				`ZgotmplZ`,
 43 | 				`ZgotmplZ`,
 44 | 				`ZgotmplZ`,
 45 | 			},
 46 | 		},
 47 | 		{
 48 | 			`<div style="{{.}}">`,
 49 | 			[]string{
 50 | 				`ZgotmplZ`,
 51 | 				// Allowed and HTML escaped.
 52 | 				`a[href =~ &#34;//example.com&#34;]#foo`,
 53 | 				`ZgotmplZ`,
 54 | 				`ZgotmplZ`,
 55 | 				`ZgotmplZ`,
 56 | 				`ZgotmplZ`,
 57 | 				`ZgotmplZ`,
 58 | 			},
 59 | 		},
 60 | 		{
 61 | 			`{{.}}`,
 62 | 			[]string{
 63 | 				`&lt;b&gt; &#34;foo%&#34; O&#39;Reilly &amp;bar;`,
 64 | 				`a[href =~ &#34;//example.com&#34;]#foo`,
 65 | 				// Not escaped.
 66 | 				`Hello, <b>World</b> &amp;tc!`,
 67 | 				` dir=&#34;ltr&#34;`,
 68 | 				`c &amp;&amp; alert(&#34;Hello, World!&#34;);`,
 69 | 				`Hello, World &amp; O&#39;Reilly\x21`,
 70 | 				`greeting=H%69&amp;addressee=(World)`,
 71 | 			},
 72 | 		},
 73 | 		{
 74 | 			`<a{{.}}>`,
 75 | 			[]string{
 76 | 				`ZgotmplZ`,
 77 | 				`ZgotmplZ`,
 78 | 				`ZgotmplZ`,
 79 | 				// Allowed and HTML escaped.
 80 | 				` dir="ltr"`,
 81 | 				`ZgotmplZ`,
 82 | 				`ZgotmplZ`,
 83 | 				`ZgotmplZ`,
 84 | 			},
 85 | 		},
 86 | 		{
 87 | 			`<a title={{.}}>`,
 88 | 			[]string{
 89 | 				`&lt;b&gt;&#32;&#34;foo%&#34;&#32;O&#39;Reilly&#32;&amp;bar;`,
 90 | 				`a[href&#32;&#61;~&#32;&#34;//example.com&#34;]#foo`,
 91 | 				// Tags stripped, spaces escaped, entity not re-escaped.
 92 | 				`Hello,&#32;World&#32;&amp;tc!`,
 93 | 				`&#32;dir&#61;&#34;ltr&#34;`,
 94 | 				`c&#32;&amp;&amp;&#32;alert(&#34;Hello,&#32;World!&#34;);`,
 95 | 				`Hello,&#32;World&#32;&amp;&#32;O&#39;Reilly\x21`,
 96 | 				`greeting&#61;H%69&amp;addressee&#61;(World)`,
 97 | 			},
 98 | 		},
 99 | 		{
100 | 			`<a title='{{.}}'>`,
101 | 			[]string{
102 | 				`&lt;b&gt; &#34;foo%&#34; O&#39;Reilly &amp;bar;`,
103 | 				`a[href =~ &#34;//example.com&#34;]#foo`,
104 | 				// Tags stripped, entity not re-escaped.
105 | 				`Hello, World &amp;tc!`,
106 | 				` dir=&#34;ltr&#34;`,
107 | 				`c &amp;&amp; alert(&#34;Hello, World!&#34;);`,
108 | 				`Hello, World &amp; O&#39;Reilly\x21`,
109 | 				`greeting=H%69&amp;addressee=(World)`,
110 | 			},
111 | 		},
112 | 		{
113 | 			`<textarea>{{.}}</textarea>`,
114 | 			[]string{
115 | 				`&lt;b&gt; &#34;foo%&#34; O&#39;Reilly &amp;bar;`,
116 | 				`a[href =~ &#34;//example.com&#34;]#foo`,
117 | 				// Angle brackets escaped to prevent injection of close tags, entity not re-escaped.
118 | 				`Hello, &lt;b&gt;World&lt;/b&gt; &amp;tc!`,
119 | 				` dir=&#34;ltr&#34;`,
120 | 				`c &amp;&amp; alert(&#34;Hello, World!&#34;);`,
121 | 				`Hello, World &amp; O&#39;Reilly\x21`,
122 | 				`greeting=H%69&amp;addressee=(World)`,
123 | 			},
124 | 		},
125 | 		{
126 | 			`<script>alert({{.}})</script>`,
127 | 			[]string{
128 | 				`"\u003cb\u003e \"foo%\" O'Reilly &bar;"`,
129 | 				`"a[href =~ \"//example.com\"]#foo"`,
130 | 				`"Hello, \u003cb\u003eWorld\u003c/b\u003e &amp;tc!"`,
131 | 				`" dir=\"ltr\""`,
132 | 				// Not escaped.
133 | 				`c && alert("Hello, World!");`,
134 | 				// Escape sequence not over-escaped.
135 | 				`"Hello, World & O'Reilly\x21"`,
136 | 				`"greeting=H%69&addressee=(World)"`,
137 | 			},
138 | 		},
139 | 		{
140 | 			`<button onclick="alert({{.}})">`,
141 | 			[]string{
142 | 				`&#34;\u003cb\u003e \&#34;foo%\&#34; O&#39;Reilly &amp;bar;&#34;`,
143 | 				`&#34;a[href =~ \&#34;//example.com\&#34;]#foo&#34;`,
144 | 				`&#34;Hello, \u003cb\u003eWorld\u003c/b\u003e &amp;amp;tc!&#34;`,
145 | 				`&#34; dir=\&#34;ltr\&#34;&#34;`,
146 | 				// Not JS escaped but HTML escaped.
147 | 				`c &amp;&amp; alert(&#34;Hello, World!&#34;);`,
148 | 				// Escape sequence not over-escaped.
149 | 				`&#34;Hello, World &amp; O&#39;Reilly\x21&#34;`,
150 | 				`&#34;greeting=H%69&amp;addressee=(World)&#34;`,
151 | 			},
152 | 		},
153 | 		{
154 | 			`<script>alert("{{.}}")</script>`,
155 | 			[]string{
156 | 				`\x3cb\x3e \x22foo%\x22 O\x27Reilly \x26bar;`,
157 | 				`a[href =~ \x22\/\/example.com\x22]#foo`,
158 | 				`Hello, \x3cb\x3eWorld\x3c\/b\x3e \x26amp;tc!`,
159 | 				` dir=\x22ltr\x22`,
160 | 				`c \x26\x26 alert(\x22Hello, World!\x22);`,
161 | 				// Escape sequence not over-escaped.
162 | 				`Hello, World \x26 O\x27Reilly\x21`,
163 | 				`greeting=H%69\x26addressee=(World)`,
164 | 			},
165 | 		},
166 | 		{
167 | 			`<button onclick='alert("{{.}}")'>`,
168 | 			[]string{
169 | 				`\x3cb\x3e \x22foo%\x22 O\x27Reilly \x26bar;`,
170 | 				`a[href =~ \x22\/\/example.com\x22]#foo`,
171 | 				`Hello, \x3cb\x3eWorld\x3c\/b\x3e \x26amp;tc!`,
172 | 				` dir=\x22ltr\x22`,
173 | 				`c \x26\x26 alert(\x22Hello, World!\x22);`,
174 | 				// Escape sequence not over-escaped.
175 | 				`Hello, World \x26 O\x27Reilly\x21`,
176 | 				`greeting=H%69\x26addressee=(World)`,
177 | 			},
178 | 		},
179 | 		{
180 | 			`<a href="?q={{.}}">`,
181 | 			[]string{
182 | 				`%3cb%3e%20%22foo%25%22%20O%27Reilly%20%26bar%3b`,
183 | 				`a%5bhref%20%3d~%20%22%2f%2fexample.com%22%5d%23foo`,
184 | 				`Hello%2c%20%3cb%3eWorld%3c%2fb%3e%20%26amp%3btc%21`,
185 | 				`%20dir%3d%22ltr%22`,
186 | 				`c%20%26%26%20alert%28%22Hello%2c%20World%21%22%29%3b`,
187 | 				`Hello%2c%20World%20%26%20O%27Reilly%5cx21`,
188 | 				// Quotes and parens are escaped but %69 is not over-escaped. HTML escaping is done.
189 | 				`greeting=H%69&amp;addressee=%28World%29`,
190 | 			},
191 | 		},
192 | 		{
193 | 			`<style>body { background: url('?img={{.}}') }</style>`,
194 | 			[]string{
195 | 				`%3cb%3e%20%22foo%25%22%20O%27Reilly%20%26bar%3b`,
196 | 				`a%5bhref%20%3d~%20%22%2f%2fexample.com%22%5d%23foo`,
197 | 				`Hello%2c%20%3cb%3eWorld%3c%2fb%3e%20%26amp%3btc%21`,
198 | 				`%20dir%3d%22ltr%22`,
199 | 				`c%20%26%26%20alert%28%22Hello%2c%20World%21%22%29%3b`,
200 | 				`Hello%2c%20World%20%26%20O%27Reilly%5cx21`,
201 | 				// Quotes and parens are escaped but %69 is not over-escaped. HTML escaping is not done.
202 | 				`greeting=H%69&addressee=%28World%29`,
203 | 			},
204 | 		},
205 | 	}
206 | 
207 | 	for _, test := range tests {
208 | 		text := fmt.Sprintf(`{{define "t"}}%s{{end}}`, test.input)
209 | 		tmpl, err := new(Set).Parse(text)
210 | 		if err != nil {
211 | 			t.Fatalf("failed parsing %q: %s", text, err)
212 | 		}
213 | 		tmpl.Escape()
214 | 		pre := strings.Index(test.input, "{{.}}")
215 | 		post := len(test.input) - (pre + 5)
216 | 		var b bytes.Buffer
217 | 		for i, x := range data {
218 | 			b.Reset()
219 | 			if err := tmpl.Execute(&b, "t", x); err != nil {
220 | 				t.Errorf("%q with %v: %s", test.input, x, err)
221 | 				continue
222 | 			}
223 | 			if want, got := test.want[i], b.String()[pre:b.Len()-post]; want != got {
224 | 				t.Errorf("%q with %v:\nwant\n\t%q,\ngot\n\t%q\n", test.input, x, want, got)
225 | 				continue
226 | 			}
227 | 		}
228 | 	}
229 | }
230 | 
231 | // Test that we print using the String method. Was issue 3073.
232 | type contentStringer struct {
233 | 	v int
234 | }
235 | 
236 | func (s *contentStringer) String() string {
237 | 	return fmt.Sprintf("string=%d", s.v)
238 | }
239 | 
240 | type errorer struct {
241 | 	v int
242 | }
243 | 
244 | func (s *errorer) Error() string {
245 | 	return fmt.Sprintf("error=%d", s.v)
246 | }
247 | 
248 | func TestStringer(t *testing.T) {
249 | 	s := &contentStringer{3}
250 | 	b := new(bytes.Buffer)
251 | 	tmpl, err := new(Set).Parse(`{{define "t"}}{{.}}{{end}}`)
252 | 	if err != nil {
253 | 		t.Fatalf("failed parsing: %s", err)
254 | 	}
255 | 	tmpl.Escape()
256 | 	if err := tmpl.Execute(b, "t", s); err != nil {
257 | 		t.Fatal(err)
258 | 	}
259 | 	var expect = "string=3"
260 | 	if b.String() != expect {
261 | 		t.Errorf("expected %q got %q", expect, b.String())
262 | 	}
263 | 	e := &errorer{7}
264 | 	b.Reset()
265 | 	if err := tmpl.Execute(b, "t", e); err != nil {
266 | 		t.Fatal(err)
267 | 	}
268 | 	expect = "error=7"
269 | 	if b.String() != expect {
270 | 		t.Errorf("expected %q got %q", expect, b.String())
271 | 	}
272 | }
273 | 


--------------------------------------------------------------------------------
/v0/doc.go:
--------------------------------------------------------------------------------
 1 | // Copyright 2011 The Go Authors. All rights reserved.
 2 | // Use of this source code is governed by a BSD-style
 3 | // license that can be found in the LICENSE file.
 4 | 
 5 | /*
 6 | Package gorilla/template is a template engine to generate textual or HTML
 7 | output.
 8 | 
 9 | It is based on the standard text/template and html/template packages.
10 | 
11 | Here's the simplest example to render a template:
12 | 
13 | 	set, err := new(template.Set).Parse(`{{define "hello"}}Hello, World.{{end}}`)
14 | 	if err != nil {
15 | 		// do something with the parsing error...
16 | 	}
17 | 	err = set.Execute(os.Stderr, "hello", nil)
18 | 	if err != nil {
19 | 		// do something with the execution error...
20 | 	}
21 | 
22 | First we create a Set, which stores a collection of templates. Then we call
23 | Parse() to parse a string and add the templates defined there to the set.
24 | Finally we call Execute() to render the template named "hello" using the given
25 | data (in this case, nil), and write the output to an io.Writer (in this case,
26 | os.Stderr).
27 | 
28 | Parse() can be called multiple times to fill the set with as many template
29 | definitions as needed. There are also ParseFiles() and ParseGlob() methods
30 | to read and parse the contents from files.
31 | 
32 | Template names must be unique within a set.
33 | */
34 | package template
35 | 


--------------------------------------------------------------------------------
/v0/escape/attr.go:
--------------------------------------------------------------------------------
  1 | // Copyright 2011 The Go Authors. All rights reserved.
  2 | // Use of this source code is governed by a BSD-style
  3 | // license that can be found in the LICENSE file.
  4 | 
  5 | package escape
  6 | 
  7 | import (
  8 | 	"strings"
  9 | )
 10 | 
 11 | // attrTypeMap[n] describes the value of the given attribute.
 12 | // If an attribute affects (or can mask) the encoding or interpretation of
 13 | // other content, or affects the contents, idempotency, or credentials of a
 14 | // network message, then the value in this map is contentTypeUnsafe.
 15 | // This map is derived from HTML5, specifically
 16 | // http://www.w3.org/TR/html5/Overview.html#attributes-1
 17 | // as well as "%URI"-typed attributes from
 18 | // http://www.w3.org/TR/html4/index/attributes.html
 19 | var attrTypeMap = map[string]contentType{
 20 | 	"accept":          contentTypePlain,
 21 | 	"accept-charset":  contentTypeUnsafe,
 22 | 	"action":          contentTypeURL,
 23 | 	"alt":             contentTypePlain,
 24 | 	"archive":         contentTypeURL,
 25 | 	"async":           contentTypeUnsafe,
 26 | 	"autocomplete":    contentTypePlain,
 27 | 	"autofocus":       contentTypePlain,
 28 | 	"autoplay":        contentTypePlain,
 29 | 	"background":      contentTypeURL,
 30 | 	"border":          contentTypePlain,
 31 | 	"checked":         contentTypePlain,
 32 | 	"cite":            contentTypeURL,
 33 | 	"challenge":       contentTypeUnsafe,
 34 | 	"charset":         contentTypeUnsafe,
 35 | 	"class":           contentTypePlain,
 36 | 	"classid":         contentTypeURL,
 37 | 	"codebase":        contentTypeURL,
 38 | 	"cols":            contentTypePlain,
 39 | 	"colspan":         contentTypePlain,
 40 | 	"content":         contentTypeUnsafe,
 41 | 	"contenteditable": contentTypePlain,
 42 | 	"contextmenu":     contentTypePlain,
 43 | 	"controls":        contentTypePlain,
 44 | 	"coords":          contentTypePlain,
 45 | 	"crossorigin":     contentTypeUnsafe,
 46 | 	"data":            contentTypeURL,
 47 | 	"datetime":        contentTypePlain,
 48 | 	"default":         contentTypePlain,
 49 | 	"defer":           contentTypeUnsafe,
 50 | 	"dir":             contentTypePlain,
 51 | 	"dirname":         contentTypePlain,
 52 | 	"disabled":        contentTypePlain,
 53 | 	"draggable":       contentTypePlain,
 54 | 	"dropzone":        contentTypePlain,
 55 | 	"enctype":         contentTypeUnsafe,
 56 | 	"for":             contentTypePlain,
 57 | 	"form":            contentTypeUnsafe,
 58 | 	"formaction":      contentTypeURL,
 59 | 	"formenctype":     contentTypeUnsafe,
 60 | 	"formmethod":      contentTypeUnsafe,
 61 | 	"formnovalidate":  contentTypeUnsafe,
 62 | 	"formtarget":      contentTypePlain,
 63 | 	"headers":         contentTypePlain,
 64 | 	"height":          contentTypePlain,
 65 | 	"hidden":          contentTypePlain,
 66 | 	"high":            contentTypePlain,
 67 | 	"href":            contentTypeURL,
 68 | 	"hreflang":        contentTypePlain,
 69 | 	"http-equiv":      contentTypeUnsafe,
 70 | 	"icon":            contentTypeURL,
 71 | 	"id":              contentTypePlain,
 72 | 	"ismap":           contentTypePlain,
 73 | 	"keytype":         contentTypeUnsafe,
 74 | 	"kind":            contentTypePlain,
 75 | 	"label":           contentTypePlain,
 76 | 	"lang":            contentTypePlain,
 77 | 	"language":        contentTypeUnsafe,
 78 | 	"list":            contentTypePlain,
 79 | 	"longdesc":        contentTypeURL,
 80 | 	"loop":            contentTypePlain,
 81 | 	"low":             contentTypePlain,
 82 | 	"manifest":        contentTypeURL,
 83 | 	"max":             contentTypePlain,
 84 | 	"maxlength":       contentTypePlain,
 85 | 	"media":           contentTypePlain,
 86 | 	"mediagroup":      contentTypePlain,
 87 | 	"method":          contentTypeUnsafe,
 88 | 	"min":             contentTypePlain,
 89 | 	"multiple":        contentTypePlain,
 90 | 	"name":            contentTypePlain,
 91 | 	"novalidate":      contentTypeUnsafe,
 92 | 	// Skip handler names from
 93 | 	// http://www.w3.org/TR/html5/Overview.html#event-handlers-on-elements-document-objects-and-window-objects
 94 | 	// since we have special handling in attrType.
 95 | 	"open":        contentTypePlain,
 96 | 	"optimum":     contentTypePlain,
 97 | 	"pattern":     contentTypeUnsafe,
 98 | 	"placeholder": contentTypePlain,
 99 | 	"poster":      contentTypeURL,
100 | 	"profile":     contentTypeURL,
101 | 	"preload":     contentTypePlain,
102 | 	"pubdate":     contentTypePlain,
103 | 	"radiogroup":  contentTypePlain,
104 | 	"readonly":    contentTypePlain,
105 | 	"rel":         contentTypeUnsafe,
106 | 	"required":    contentTypePlain,
107 | 	"reversed":    contentTypePlain,
108 | 	"rows":        contentTypePlain,
109 | 	"rowspan":     contentTypePlain,
110 | 	"sandbox":     contentTypeUnsafe,
111 | 	"spellcheck":  contentTypePlain,
112 | 	"scope":       contentTypePlain,
113 | 	"scoped":      contentTypePlain,
114 | 	"seamless":    contentTypePlain,
115 | 	"selected":    contentTypePlain,
116 | 	"shape":       contentTypePlain,
117 | 	"size":        contentTypePlain,
118 | 	"sizes":       contentTypePlain,
119 | 	"span":        contentTypePlain,
120 | 	"src":         contentTypeURL,
121 | 	"srcdoc":      contentTypeHTML,
122 | 	"srclang":     contentTypePlain,
123 | 	"start":       contentTypePlain,
124 | 	"step":        contentTypePlain,
125 | 	"style":       contentTypeCSS,
126 | 	"tabindex":    contentTypePlain,
127 | 	"target":      contentTypePlain,
128 | 	"title":       contentTypePlain,
129 | 	"type":        contentTypeUnsafe,
130 | 	"usemap":      contentTypeURL,
131 | 	"value":       contentTypeUnsafe,
132 | 	"width":       contentTypePlain,
133 | 	"wrap":        contentTypePlain,
134 | 	"xmlns":       contentTypeURL,
135 | }
136 | 
137 | // attrType returns a conservative (upper-bound on authority) guess at the
138 | // type of the named attribute.
139 | func attrType(name string) contentType {
140 | 	name = strings.ToLower(name)
141 | 	if strings.HasPrefix(name, "data-") {
142 | 		// Strip data- so that custom attribute heuristics below are
143 | 		// widely applied.
144 | 		// Treat data-action as URL below.
145 | 		name = name[5:]
146 | 	} else if colon := strings.IndexRune(name, ':'); colon != -1 {
147 | 		if name[:colon] == "xmlns" {
148 | 			return contentTypeURL
149 | 		}
150 | 		// Treat svg:href and xlink:href as href below.
151 | 		name = name[colon+1:]
152 | 	}
153 | 	if t, ok := attrTypeMap[name]; ok {
154 | 		return t
155 | 	}
156 | 	// Treat partial event handler names as script.
157 | 	if strings.HasPrefix(name, "on") {
158 | 		return contentTypeJS
159 | 	}
160 | 
161 | 	// Heuristics to prevent "javascript:..." injection in custom
162 | 	// data attributes and custom attributes like g:tweetUrl.
163 | 	// http://www.w3.org/TR/html5/elements.html#embedding-custom-non-visible-data-with-the-data-attributes:
164 | 	// "Custom data attributes are intended to store custom data
165 | 	//  private to the page or application, for which there are no
166 | 	//  more appropriate attributes or elements."
167 | 	// Developers seem to store URL content in data URLs that start
168 | 	// or end with "URI" or "URL".
169 | 	if strings.Contains(name, "src") ||
170 | 		strings.Contains(name, "uri") ||
171 | 		strings.Contains(name, "url") {
172 | 		return contentTypeURL
173 | 	}
174 | 	return contentTypePlain
175 | }
176 | 


--------------------------------------------------------------------------------
/v0/escape/content.go:
--------------------------------------------------------------------------------
  1 | // Copyright 2011 The Go Authors. All rights reserved.
  2 | // Use of this source code is governed by a BSD-style
  3 | // license that can be found in the LICENSE file.
  4 | 
  5 | package escape
  6 | 
  7 | import (
  8 | 	"fmt"
  9 | 	"reflect"
 10 | )
 11 | 
 12 | // Strings of content from a trusted source.
 13 | type (
 14 | 	// CSS encapsulates known safe content that matches any of:
 15 | 	//   1. The CSS3 stylesheet production, such as `p { color: purple }`.
 16 | 	//   2. The CSS3 rule production, such as `a[href=~"https:"].foo#bar`.
 17 | 	//   3. CSS3 declaration productions, such as `color: red; margin: 2px`.
 18 | 	//   4. The CSS3 value production, such as `rgba(0, 0, 255, 127)`.
 19 | 	// See http://www.w3.org/TR/css3-syntax/#style
 20 | 	CSS string
 21 | 
 22 | 	// HTML encapsulates a known safe HTML document fragment.
 23 | 	// It should not be used for HTML from a third-party, or HTML with
 24 | 	// unclosed tags or comments. The outputs of a sound HTML sanitizer
 25 | 	// and a template escaped by this package are fine for use with HTML.
 26 | 	HTML string
 27 | 
 28 | 	// HTMLAttr encapsulates an HTML attribute from a trusted source,
 29 | 	// for example, ` dir="ltr"`.
 30 | 	HTMLAttr string
 31 | 
 32 | 	// JS encapsulates a known safe EcmaScript5 Expression, for example,
 33 | 	// `(x + y * z())`.
 34 | 	// Template authors are responsible for ensuring that typed expressions
 35 | 	// do not break the intended precedence and that there is no
 36 | 	// statement/expression ambiguity as when passing an expression like
 37 | 	// "{ foo: bar() }\n['foo']()", which is both a valid Expression and a
 38 | 	// valid Program with a very different meaning.
 39 | 	JS string
 40 | 
 41 | 	// JSStr encapsulates a sequence of characters meant to be embedded
 42 | 	// between quotes in a JavaScript expression.
 43 | 	// The string must match a series of StringCharacters:
 44 | 	//   StringCharacter :: SourceCharacter but not `\` or LineTerminator
 45 | 	//                    | EscapeSequence
 46 | 	// Note that LineContinuations are not allowed.
 47 | 	// JSStr("foo\\nbar") is fine, but JSStr("foo\\\nbar") is not.
 48 | 	JSStr string
 49 | 
 50 | 	// URL encapsulates a known safe URL or URL substring (see RFC 3986).
 51 | 	// A URL like `javascript:checkThatFormNotEditedBeforeLeavingPage()`
 52 | 	// from a trusted source should go in the page, but by default dynamic
 53 | 	// `javascript:` URLs are filtered out since they are a frequently
 54 | 	// exploited injection vector.
 55 | 	URL string
 56 | )
 57 | 
 58 | type contentType uint8
 59 | 
 60 | const (
 61 | 	contentTypePlain contentType = iota
 62 | 	contentTypeCSS
 63 | 	contentTypeHTML
 64 | 	contentTypeHTMLAttr
 65 | 	contentTypeJS
 66 | 	contentTypeJSStr
 67 | 	contentTypeURL
 68 | 	// contentTypeUnsafe is used in attr.go for values that affect how
 69 | 	// embedded content and network messages are formed, vetted,
 70 | 	// or interpreted; or which credentials network messages carry.
 71 | 	contentTypeUnsafe
 72 | )
 73 | 
 74 | // indirect returns the value, after dereferencing as many times
 75 | // as necessary to reach the base type (or nil).
 76 | func indirect(a interface{}) interface{} {
 77 | 	if t := reflect.TypeOf(a); t.Kind() != reflect.Ptr {
 78 | 		// Avoid creating a reflect.Value if it's not a pointer.
 79 | 		return a
 80 | 	}
 81 | 	v := reflect.ValueOf(a)
 82 | 	for v.Kind() == reflect.Ptr && !v.IsNil() {
 83 | 		v = v.Elem()
 84 | 	}
 85 | 	return v.Interface()
 86 | }
 87 | 
 88 | var (
 89 | 	errorType       = reflect.TypeOf((*error)(nil)).Elem()
 90 | 	fmtStringerType = reflect.TypeOf((*fmt.Stringer)(nil)).Elem()
 91 | )
 92 | 
 93 | // indirectToStringerOrError returns the value, after dereferencing as many times
 94 | // as necessary to reach the base type (or nil) or an implementation of fmt.Stringer
 95 | // or error,
 96 | func indirectToStringerOrError(a interface{}) interface{} {
 97 | 	v := reflect.ValueOf(a)
 98 | 	for !v.Type().Implements(fmtStringerType) && !v.Type().Implements(errorType) && v.Kind() == reflect.Ptr && !v.IsNil() {
 99 | 		v = v.Elem()
100 | 	}
101 | 	return v.Interface()
102 | }
103 | 
104 | // stringify converts its arguments to a string and the type of the content.
105 | // All pointers are dereferenced, as in the text/template package.
106 | func stringify(args ...interface{}) (string, contentType) {
107 | 	if len(args) == 1 {
108 | 		switch s := indirect(args[0]).(type) {
109 | 		case string:
110 | 			return s, contentTypePlain
111 | 		case CSS:
112 | 			return string(s), contentTypeCSS
113 | 		case HTML:
114 | 			return string(s), contentTypeHTML
115 | 		case HTMLAttr:
116 | 			return string(s), contentTypeHTMLAttr
117 | 		case JS:
118 | 			return string(s), contentTypeJS
119 | 		case JSStr:
120 | 			return string(s), contentTypeJSStr
121 | 		case URL:
122 | 			return string(s), contentTypeURL
123 | 		}
124 | 	}
125 | 	for i, arg := range args {
126 | 		args[i] = indirectToStringerOrError(arg)
127 | 	}
128 | 	return fmt.Sprint(args...), contentTypePlain
129 | }
130 | 


--------------------------------------------------------------------------------
/v0/escape/context.go:
--------------------------------------------------------------------------------
  1 | // Copyright 2011 The Go Authors. All rights reserved.
  2 | // Use of this source code is governed by a BSD-style
  3 | // license that can be found in the LICENSE file.
  4 | 
  5 | package escape
  6 | 
  7 | import (
  8 | 	"fmt"
  9 | )
 10 | 
 11 | // context describes the state an HTML parser must be in when it reaches the
 12 | // portion of HTML produced by evaluating a particular template node.
 13 | //
 14 | // The zero value of type context is the start context for a template that
 15 | // produces an HTML fragment as defined at
 16 | // http://www.w3.org/TR/html5/the-end.html#parsing-html-fragments
 17 | // where the context element is null.
 18 | type context struct {
 19 | 	state   state
 20 | 	delim   delim
 21 | 	urlPart urlPart
 22 | 	jsCtx   jsCtx
 23 | 	attr    attr
 24 | 	element element
 25 | 	err     *Error
 26 | }
 27 | 
 28 | func (c context) String() string {
 29 | 	return fmt.Sprintf("{%v %v %v %v %v %v %v}", c.state, c.delim, c.urlPart, c.jsCtx, c.attr, c.element, c.err)
 30 | }
 31 | 
 32 | // eq returns whether two contexts are equal.
 33 | func (c context) eq(d context) bool {
 34 | 	return c.state == d.state &&
 35 | 		c.delim == d.delim &&
 36 | 		c.urlPart == d.urlPart &&
 37 | 		c.jsCtx == d.jsCtx &&
 38 | 		c.attr == d.attr &&
 39 | 		c.element == d.element &&
 40 | 		c.err == d.err
 41 | }
 42 | 
 43 | // mangle produces an identifier that includes a suffix that distinguishes it
 44 | // from template names mangled with different contexts.
 45 | func (c context) mangle(templateName string) string {
 46 | 	// The mangled name for the default context is the input templateName.
 47 | 	if c.state == stateText {
 48 | 		return templateName
 49 | 	}
 50 | 	s := templateName + "$htmltemplate_" + c.state.String()
 51 | 	if c.delim != 0 {
 52 | 		s += "_" + c.delim.String()
 53 | 	}
 54 | 	if c.urlPart != 0 {
 55 | 		s += "_" + c.urlPart.String()
 56 | 	}
 57 | 	if c.jsCtx != 0 {
 58 | 		s += "_" + c.jsCtx.String()
 59 | 	}
 60 | 	if c.attr != 0 {
 61 | 		s += "_" + c.attr.String()
 62 | 	}
 63 | 	if c.element != 0 {
 64 | 		s += "_" + c.element.String()
 65 | 	}
 66 | 	return s
 67 | }
 68 | 
 69 | // state describes a high-level HTML parser state.
 70 | //
 71 | // It bounds the top of the element stack, and by extension the HTML insertion
 72 | // mode, but also contains state that does not correspond to anything in the
 73 | // HTML5 parsing algorithm because a single token production in the HTML
 74 | // grammar may contain embedded actions in a template. For instance, the quoted
 75 | // HTML attribute produced by
 76 | //     <div title="Hello {{.World}}">
 77 | // is a single token in HTML's grammar but in a template spans several nodes.
 78 | type state uint8
 79 | 
 80 | const (
 81 | 	// stateText is parsed character data. An HTML parser is in
 82 | 	// this state when its parse position is outside an HTML tag,
 83 | 	// directive, comment, and special element body.
 84 | 	stateText state = iota
 85 | 	// stateTag occurs before an HTML attribute or the end of a tag.
 86 | 	stateTag
 87 | 	// stateAttrName occurs inside an attribute name.
 88 | 	// It occurs between the ^'s in ` ^name^ = value`.
 89 | 	stateAttrName
 90 | 	// stateAfterName occurs after an attr name has ended but before any
 91 | 	// equals sign. It occurs between the ^'s in ` name^ ^= value`.
 92 | 	stateAfterName
 93 | 	// stateBeforeValue occurs after the equals sign but before the value.
 94 | 	// It occurs between the ^'s in ` name =^ ^value`.
 95 | 	stateBeforeValue
 96 | 	// stateHTMLCmt occurs inside an <!-- HTML comment -->.
 97 | 	stateHTMLCmt
 98 | 	// stateRCDATA occurs inside an RCDATA element (<textarea> or <title>)
 99 | 	// as described at http://dev.w3.org/html5/spec/syntax.html#elements-0
100 | 	stateRCDATA
101 | 	// stateAttr occurs inside an HTML attribute whose content is text.
102 | 	stateAttr
103 | 	// stateURL occurs inside an HTML attribute whose content is a URL.
104 | 	stateURL
105 | 	// stateJS occurs inside an event handler or script element.
106 | 	stateJS
107 | 	// stateJSDqStr occurs inside a JavaScript double quoted string.
108 | 	stateJSDqStr
109 | 	// stateJSSqStr occurs inside a JavaScript single quoted string.
110 | 	stateJSSqStr
111 | 	// stateJSRegexp occurs inside a JavaScript regexp literal.
112 | 	stateJSRegexp
113 | 	// stateJSBlockCmt occurs inside a JavaScript /* block comment */.
114 | 	stateJSBlockCmt
115 | 	// stateJSLineCmt occurs inside a JavaScript // line comment.
116 | 	stateJSLineCmt
117 | 	// stateCSS occurs inside a <style> element or style attribute.
118 | 	stateCSS
119 | 	// stateCSSDqStr occurs inside a CSS double quoted string.
120 | 	stateCSSDqStr
121 | 	// stateCSSSqStr occurs inside a CSS single quoted string.
122 | 	stateCSSSqStr
123 | 	// stateCSSDqURL occurs inside a CSS double quoted url("...").
124 | 	stateCSSDqURL
125 | 	// stateCSSSqURL occurs inside a CSS single quoted url('...').
126 | 	stateCSSSqURL
127 | 	// stateCSSURL occurs inside a CSS unquoted url(...).
128 | 	stateCSSURL
129 | 	// stateCSSBlockCmt occurs inside a CSS /* block comment */.
130 | 	stateCSSBlockCmt
131 | 	// stateCSSLineCmt occurs inside a CSS // line comment.
132 | 	stateCSSLineCmt
133 | 	// stateError is an infectious error state outside any valid
134 | 	// HTML/CSS/JS construct.
135 | 	stateError
136 | )
137 | 
138 | var stateNames = [...]string{
139 | 	stateText:        "stateText",
140 | 	stateTag:         "stateTag",
141 | 	stateAttrName:    "stateAttrName",
142 | 	stateAfterName:   "stateAfterName",
143 | 	stateBeforeValue: "stateBeforeValue",
144 | 	stateHTMLCmt:     "stateHTMLCmt",
145 | 	stateRCDATA:      "stateRCDATA",
146 | 	stateAttr:        "stateAttr",
147 | 	stateURL:         "stateURL",
148 | 	stateJS:          "stateJS",
149 | 	stateJSDqStr:     "stateJSDqStr",
150 | 	stateJSSqStr:     "stateJSSqStr",
151 | 	stateJSRegexp:    "stateJSRegexp",
152 | 	stateJSBlockCmt:  "stateJSBlockCmt",
153 | 	stateJSLineCmt:   "stateJSLineCmt",
154 | 	stateCSS:         "stateCSS",
155 | 	stateCSSDqStr:    "stateCSSDqStr",
156 | 	stateCSSSqStr:    "stateCSSSqStr",
157 | 	stateCSSDqURL:    "stateCSSDqURL",
158 | 	stateCSSSqURL:    "stateCSSSqURL",
159 | 	stateCSSURL:      "stateCSSURL",
160 | 	stateCSSBlockCmt: "stateCSSBlockCmt",
161 | 	stateCSSLineCmt:  "stateCSSLineCmt",
162 | 	stateError:       "stateError",
163 | }
164 | 
165 | func (s state) String() string {
166 | 	if int(s) < len(stateNames) {
167 | 		return stateNames[s]
168 | 	}
169 | 	return fmt.Sprintf("illegal state %d", int(s))
170 | }
171 | 
172 | // isComment is true for any state that contains content meant for template
173 | // authors & maintainers, not for end-users or machines.
174 | func isComment(s state) bool {
175 | 	switch s {
176 | 	case stateHTMLCmt, stateJSBlockCmt, stateJSLineCmt, stateCSSBlockCmt, stateCSSLineCmt:
177 | 		return true
178 | 	}
179 | 	return false
180 | }
181 | 
182 | // isInTag return whether s occurs solely inside an HTML tag.
183 | func isInTag(s state) bool {
184 | 	switch s {
185 | 	case stateTag, stateAttrName, stateAfterName, stateBeforeValue, stateAttr:
186 | 		return true
187 | 	}
188 | 	return false
189 | }
190 | 
191 | // delim is the delimiter that will end the current HTML attribute.
192 | type delim uint8
193 | 
194 | const (
195 | 	// delimNone occurs outside any attribute.
196 | 	delimNone delim = iota
197 | 	// delimDoubleQuote occurs when a double quote (") closes the attribute.
198 | 	delimDoubleQuote
199 | 	// delimSingleQuote occurs when a single quote (') closes the attribute.
200 | 	delimSingleQuote
201 | 	// delimSpaceOrTagEnd occurs when a space or right angle bracket (>)
202 | 	// closes the attribute.
203 | 	delimSpaceOrTagEnd
204 | )
205 | 
206 | var delimNames = [...]string{
207 | 	delimNone:          "delimNone",
208 | 	delimDoubleQuote:   "delimDoubleQuote",
209 | 	delimSingleQuote:   "delimSingleQuote",
210 | 	delimSpaceOrTagEnd: "delimSpaceOrTagEnd",
211 | }
212 | 
213 | func (d delim) String() string {
214 | 	if int(d) < len(delimNames) {
215 | 		return delimNames[d]
216 | 	}
217 | 	return fmt.Sprintf("illegal delim %d", int(d))
218 | }
219 | 
220 | // urlPart identifies a part in an RFC 3986 hierarchical URL to allow different
221 | // encoding strategies.
222 | type urlPart uint8
223 | 
224 | const (
225 | 	// urlPartNone occurs when not in a URL, or possibly at the start:
226 | 	// ^ in "^http://auth/path?k=v#frag".
227 | 	urlPartNone urlPart = iota
228 | 	// urlPartPreQuery occurs in the scheme, authority, or path; between the
229 | 	// ^s in "h^ttp://auth/path^?k=v#frag".
230 | 	urlPartPreQuery
231 | 	// urlPartQueryOrFrag occurs in the query portion between the ^s in
232 | 	// "http://auth/path?^k=v#frag^".
233 | 	urlPartQueryOrFrag
234 | 	// urlPartUnknown occurs due to joining of contexts both before and
235 | 	// after the query separator.
236 | 	urlPartUnknown
237 | )
238 | 
239 | var urlPartNames = [...]string{
240 | 	urlPartNone:        "urlPartNone",
241 | 	urlPartPreQuery:    "urlPartPreQuery",
242 | 	urlPartQueryOrFrag: "urlPartQueryOrFrag",
243 | 	urlPartUnknown:     "urlPartUnknown",
244 | }
245 | 
246 | func (u urlPart) String() string {
247 | 	if int(u) < len(urlPartNames) {
248 | 		return urlPartNames[u]
249 | 	}
250 | 	return fmt.Sprintf("illegal urlPart %d", int(u))
251 | }
252 | 
253 | // jsCtx determines whether a '/' starts a regular expression literal or a
254 | // division operator.
255 | type jsCtx uint8
256 | 
257 | const (
258 | 	// jsCtxRegexp occurs where a '/' would start a regexp literal.
259 | 	jsCtxRegexp jsCtx = iota
260 | 	// jsCtxDivOp occurs where a '/' would start a division operator.
261 | 	jsCtxDivOp
262 | 	// jsCtxUnknown occurs where a '/' is ambiguous due to context joining.
263 | 	jsCtxUnknown
264 | )
265 | 
266 | func (c jsCtx) String() string {
267 | 	switch c {
268 | 	case jsCtxRegexp:
269 | 		return "jsCtxRegexp"
270 | 	case jsCtxDivOp:
271 | 		return "jsCtxDivOp"
272 | 	case jsCtxUnknown:
273 | 		return "jsCtxUnknown"
274 | 	}
275 | 	return fmt.Sprintf("illegal jsCtx %d", int(c))
276 | }
277 | 
278 | // element identifies the HTML element when inside a start tag or special body.
279 | // Certain HTML element (for example <script> and <style>) have bodies that are
280 | // treated differently from stateText so the element type is necessary to
281 | // transition into the correct context at the end of a tag and to identify the
282 | // end delimiter for the body.
283 | type element uint8
284 | 
285 | const (
286 | 	// elementNone occurs outside a special tag or special element body.
287 | 	elementNone element = iota
288 | 	// elementScript corresponds to the raw text <script> element.
289 | 	elementScript
290 | 	// elementStyle corresponds to the raw text <style> element.
291 | 	elementStyle
292 | 	// elementTextarea corresponds to the RCDATA <textarea> element.
293 | 	elementTextarea
294 | 	// elementTitle corresponds to the RCDATA <title> element.
295 | 	elementTitle
296 | )
297 | 
298 | var elementNames = [...]string{
299 | 	elementNone:     "elementNone",
300 | 	elementScript:   "elementScript",
301 | 	elementStyle:    "elementStyle",
302 | 	elementTextarea: "elementTextarea",
303 | 	elementTitle:    "elementTitle",
304 | }
305 | 
306 | func (e element) String() string {
307 | 	if int(e) < len(elementNames) {
308 | 		return elementNames[e]
309 | 	}
310 | 	return fmt.Sprintf("illegal element %d", int(e))
311 | }
312 | 
313 | // attr identifies the most recent HTML attribute when inside a start tag.
314 | type attr uint8
315 | 
316 | const (
317 | 	// attrNone corresponds to a normal attribute or no attribute.
318 | 	attrNone attr = iota
319 | 	// attrScript corresponds to an event handler attribute.
320 | 	attrScript
321 | 	// attrStyle corresponds to the style attribute whose value is CSS.
322 | 	attrStyle
323 | 	// attrURL corresponds to an attribute whose value is a URL.
324 | 	attrURL
325 | )
326 | 
327 | var attrNames = [...]string{
328 | 	attrNone:   "attrNone",
329 | 	attrScript: "attrScript",
330 | 	attrStyle:  "attrStyle",
331 | 	attrURL:    "attrURL",
332 | }
333 | 
334 | func (a attr) String() string {
335 | 	if int(a) < len(attrNames) {
336 | 		return attrNames[a]
337 | 	}
338 | 	return fmt.Sprintf("illegal attr %d", int(a))
339 | }
340 | 


--------------------------------------------------------------------------------
/v0/escape/css.go:
--------------------------------------------------------------------------------
  1 | // Copyright 2011 The Go Authors. All rights reserved.
  2 | // Use of this source code is governed by a BSD-style
  3 | // license that can be found in the LICENSE file.
  4 | 
  5 | package escape
  6 | 
  7 | import (
  8 | 	"bytes"
  9 | 	"fmt"
 10 | 	"unicode"
 11 | 	"unicode/utf8"
 12 | )
 13 | 
 14 | // endsWithCSSKeyword returns whether b ends with an ident that
 15 | // case-insensitively matches the lower-case kw.
 16 | func endsWithCSSKeyword(b []byte, kw string) bool {
 17 | 	i := len(b) - len(kw)
 18 | 	if i < 0 {
 19 | 		// Too short.
 20 | 		return false
 21 | 	}
 22 | 	if i != 0 {
 23 | 		r, _ := utf8.DecodeLastRune(b[:i])
 24 | 		if isCSSNmchar(r) {
 25 | 			// Too long.
 26 | 			return false
 27 | 		}
 28 | 	}
 29 | 	// Many CSS keywords, such as "!important" can have characters encoded,
 30 | 	// but the URI production does not allow that according to
 31 | 	// http://www.w3.org/TR/css3-syntax/#TOK-URI
 32 | 	// This does not attempt to recognize encoded keywords. For example,
 33 | 	// given "\75\72\6c" and "url" this return false.
 34 | 	return string(bytes.ToLower(b[i:])) == kw
 35 | }
 36 | 
 37 | // isCSSNmchar returns whether rune is allowed anywhere in a CSS identifier.
 38 | func isCSSNmchar(r rune) bool {
 39 | 	// Based on the CSS3 nmchar production but ignores multi-rune escape
 40 | 	// sequences.
 41 | 	// http://www.w3.org/TR/css3-syntax/#SUBTOK-nmchar
 42 | 	return 'a' <= r && r <= 'z' ||
 43 | 		'A' <= r && r <= 'Z' ||
 44 | 		'0' <= r && r <= '9' ||
 45 | 		r == '-' ||
 46 | 		r == '_' ||
 47 | 		// Non-ASCII cases below.
 48 | 		0x80 <= r && r <= 0xd7ff ||
 49 | 		0xe000 <= r && r <= 0xfffd ||
 50 | 		0x10000 <= r && r <= 0x10ffff
 51 | }
 52 | 
 53 | // decodeCSS decodes CSS3 escapes given a sequence of stringchars.
 54 | // If there is no change, it returns the input, otherwise it returns a slice
 55 | // backed by a new array.
 56 | // http://www.w3.org/TR/css3-syntax/#SUBTOK-stringchar defines stringchar.
 57 | func decodeCSS(s []byte) []byte {
 58 | 	i := bytes.IndexByte(s, '\\')
 59 | 	if i == -1 {
 60 | 		return s
 61 | 	}
 62 | 	// The UTF-8 sequence for a codepoint is never longer than 1 + the
 63 | 	// number hex digits need to represent that codepoint, so len(s) is an
 64 | 	// upper bound on the output length.
 65 | 	b := make([]byte, 0, len(s))
 66 | 	for len(s) != 0 {
 67 | 		i := bytes.IndexByte(s, '\\')
 68 | 		if i == -1 {
 69 | 			i = len(s)
 70 | 		}
 71 | 		b, s = append(b, s[:i]...), s[i:]
 72 | 		if len(s) < 2 {
 73 | 			break
 74 | 		}
 75 | 		// http://www.w3.org/TR/css3-syntax/#SUBTOK-escape
 76 | 		// escape ::= unicode | '\' [#x20-#x7E#x80-#xD7FF#xE000-#xFFFD#x10000-#x10FFFF]
 77 | 		if isHex(s[1]) {
 78 | 			// http://www.w3.org/TR/css3-syntax/#SUBTOK-unicode
 79 | 			//   unicode ::= '\' [0-9a-fA-F]{1,6} wc?
 80 | 			j := 2
 81 | 			for j < len(s) && j < 7 && isHex(s[j]) {
 82 | 				j++
 83 | 			}
 84 | 			r := hexDecode(s[1:j])
 85 | 			if r > unicode.MaxRune {
 86 | 				r, j = r/16, j-1
 87 | 			}
 88 | 			n := utf8.EncodeRune(b[len(b):cap(b)], r)
 89 | 			// The optional space at the end allows a hex
 90 | 			// sequence to be followed by a literal hex.
 91 | 			// string(decodeCSS([]byte(`\A B`))) == "\nB"
 92 | 			b, s = b[:len(b)+n], skipCSSSpace(s[j:])
 93 | 		} else {
 94 | 			// `\\` decodes to `\` and `\"` to `"`.
 95 | 			_, n := utf8.DecodeRune(s[1:])
 96 | 			b, s = append(b, s[1:1+n]...), s[1+n:]
 97 | 		}
 98 | 	}
 99 | 	return b
100 | }
101 | 
102 | // isHex returns whether the given character is a hex digit.
103 | func isHex(c byte) bool {
104 | 	return '0' <= c && c <= '9' || 'a' <= c && c <= 'f' || 'A' <= c && c <= 'F'
105 | }
106 | 
107 | // hexDecode decodes a short hex digit sequence: "10" -> 16.
108 | func hexDecode(s []byte) rune {
109 | 	n := '\x00'
110 | 	for _, c := range s {
111 | 		n <<= 4
112 | 		switch {
113 | 		case '0' <= c && c <= '9':
114 | 			n |= rune(c - '0')
115 | 		case 'a' <= c && c <= 'f':
116 | 			n |= rune(c-'a') + 10
117 | 		case 'A' <= c && c <= 'F':
118 | 			n |= rune(c-'A') + 10
119 | 		default:
120 | 			panic(fmt.Sprintf("Bad hex digit in %q", s))
121 | 		}
122 | 	}
123 | 	return n
124 | }
125 | 
126 | // skipCSSSpace returns a suffix of c, skipping over a single space.
127 | func skipCSSSpace(c []byte) []byte {
128 | 	if len(c) == 0 {
129 | 		return c
130 | 	}
131 | 	// wc ::= #x9 | #xA | #xC | #xD | #x20
132 | 	switch c[0] {
133 | 	case '\t', '\n', '\f', ' ':
134 | 		return c[1:]
135 | 	case '\r':
136 | 		// This differs from CSS3's wc production because it contains a
137 | 		// probable spec error whereby wc contains all the single byte
138 | 		// sequences in nl (newline) but not CRLF.
139 | 		if len(c) >= 2 && c[1] == '\n' {
140 | 			return c[2:]
141 | 		}
142 | 		return c[1:]
143 | 	}
144 | 	return c
145 | }
146 | 
147 | // isCSSSpace returns whether b is a CSS space char as defined in wc.
148 | func isCSSSpace(b byte) bool {
149 | 	switch b {
150 | 	case '\t', '\n', '\f', '\r', ' ':
151 | 		return true
152 | 	}
153 | 	return false
154 | }
155 | 
156 | // cssEscaper escapes HTML and CSS special characters using \<hex>+ escapes.
157 | func cssEscaper(args ...interface{}) string {
158 | 	s, _ := stringify(args...)
159 | 	var b bytes.Buffer
160 | 	written := 0
161 | 	for i, r := range s {
162 | 		var repl string
163 | 		switch r {
164 | 		case 0:
165 | 			repl = `\0`
166 | 		case '\t':
167 | 			repl = `\9`
168 | 		case '\n':
169 | 			repl = `\a`
170 | 		case '\f':
171 | 			repl = `\c`
172 | 		case '\r':
173 | 			repl = `\d`
174 | 		// Encode HTML specials as hex so the output can be embedded
175 | 		// in HTML attributes without further encoding.
176 | 		case '"':
177 | 			repl = `\22`
178 | 		case '&':
179 | 			repl = `\26`
180 | 		case '\'':
181 | 			repl = `\27`
182 | 		case '(':
183 | 			repl = `\28`
184 | 		case ')':
185 | 			repl = `\29`
186 | 		case '+':
187 | 			repl = `\2b`
188 | 		case '/':
189 | 			repl = `\2f`
190 | 		case ':':
191 | 			repl = `\3a`
192 | 		case ';':
193 | 			repl = `\3b`
194 | 		case '<':
195 | 			repl = `\3c`
196 | 		case '>':
197 | 			repl = `\3e`
198 | 		case '\\':
199 | 			repl = `\\`
200 | 		case '{':
201 | 			repl = `\7b`
202 | 		case '}':
203 | 			repl = `\7d`
204 | 		default:
205 | 			continue
206 | 		}
207 | 		b.WriteString(s[written:i])
208 | 		b.WriteString(repl)
209 | 		written = i + utf8.RuneLen(r)
210 | 		if repl != `\\` && (written == len(s) || isHex(s[written]) || isCSSSpace(s[written])) {
211 | 			b.WriteByte(' ')
212 | 		}
213 | 	}
214 | 	if written == 0 {
215 | 		return s
216 | 	}
217 | 	b.WriteString(s[written:])
218 | 	return b.String()
219 | }
220 | 
221 | var expressionBytes = []byte("expression")
222 | var mozBindingBytes = []byte("mozbinding")
223 | 
224 | // cssValueFilter allows innocuous CSS values in the output including CSS
225 | // quantities (10px or 25%), ID or class literals (#foo, .bar), keyword values
226 | // (inherit, blue), and colors (#888).
227 | // It filters out unsafe values, such as those that affect token boundaries,
228 | // and anything that might execute scripts.
229 | func cssValueFilter(args ...interface{}) string {
230 | 	s, t := stringify(args...)
231 | 	if t == contentTypeCSS {
232 | 		return s
233 | 	}
234 | 	b, id := decodeCSS([]byte(s)), make([]byte, 0, 64)
235 | 
236 | 	// CSS3 error handling is specified as honoring string boundaries per
237 | 	// http://www.w3.org/TR/css3-syntax/#error-handling :
238 | 	//     Malformed declarations. User agents must handle unexpected
239 | 	//     tokens encountered while parsing a declaration by reading until
240 | 	//     the end of the declaration, while observing the rules for
241 | 	//     matching pairs of (), [], {}, "", and '', and correctly handling
242 | 	//     escapes. For example, a malformed declaration may be missing a
243 | 	//     property, colon (:) or value.
244 | 	// So we need to make sure that values do not have mismatched bracket
245 | 	// or quote characters to prevent the browser from restarting parsing
246 | 	// inside a string that might embed JavaScript source.
247 | 	for i, c := range b {
248 | 		switch c {
249 | 		case 0, '"', '\'', '(', ')', '/', ';', '@', '[', '\\', ']', '`', '{', '}':
250 | 			return filterFailsafe
251 | 		case '-':
252 | 			// Disallow <!-- or -->.
253 | 			// -- should not appear in valid identifiers.
254 | 			if i != 0 && b[i-1] == '-' {
255 | 				return filterFailsafe
256 | 			}
257 | 		default:
258 | 			if c < 0x80 && isCSSNmchar(rune(c)) {
259 | 				id = append(id, c)
260 | 			}
261 | 		}
262 | 	}
263 | 	id = bytes.ToLower(id)
264 | 	if bytes.Index(id, expressionBytes) != -1 || bytes.Index(id, mozBindingBytes) != -1 {
265 | 		return filterFailsafe
266 | 	}
267 | 	return string(b)
268 | }
269 | 


--------------------------------------------------------------------------------
/v0/escape/css_test.go:
--------------------------------------------------------------------------------
  1 | // Copyright 2011 The Go Authors. All rights reserved.
  2 | // Use of this source code is governed by a BSD-style
  3 | // license that can be found in the LICENSE file.
  4 | 
  5 | package escape
  6 | 
  7 | import (
  8 | 	"strconv"
  9 | 	"strings"
 10 | 	"testing"
 11 | )
 12 | 
 13 | func TestEndsWithCSSKeyword(t *testing.T) {
 14 | 	tests := []struct {
 15 | 		css, kw string
 16 | 		want    bool
 17 | 	}{
 18 | 		{"", "url", false},
 19 | 		{"url", "url", true},
 20 | 		{"URL", "url", true},
 21 | 		{"Url", "url", true},
 22 | 		{"url", "important", false},
 23 | 		{"important", "important", true},
 24 | 		{"image-url", "url", false},
 25 | 		{"imageurl", "url", false},
 26 | 		{"image url", "url", true},
 27 | 	}
 28 | 	for _, test := range tests {
 29 | 		got := endsWithCSSKeyword([]byte(test.css), test.kw)
 30 | 		if got != test.want {
 31 | 			t.Errorf("want %t but got %t for css=%v, kw=%v", test.want, got, test.css, test.kw)
 32 | 		}
 33 | 	}
 34 | }
 35 | 
 36 | func TestIsCSSNmchar(t *testing.T) {
 37 | 	tests := []struct {
 38 | 		rune rune
 39 | 		want bool
 40 | 	}{
 41 | 		{0, false},
 42 | 		{'0', true},
 43 | 		{'9', true},
 44 | 		{'A', true},
 45 | 		{'Z', true},
 46 | 		{'a', true},
 47 | 		{'z', true},
 48 | 		{'_', true},
 49 | 		{'-', true},
 50 | 		{':', false},
 51 | 		{';', false},
 52 | 		{' ', false},
 53 | 		{0x7f, false},
 54 | 		{0x80, true},
 55 | 		{0x1234, true},
 56 | 		{0xd800, false},
 57 | 		{0xdc00, false},
 58 | 		{0xfffe, false},
 59 | 		{0x10000, true},
 60 | 		{0x110000, false},
 61 | 	}
 62 | 	for _, test := range tests {
 63 | 		got := isCSSNmchar(test.rune)
 64 | 		if got != test.want {
 65 | 			t.Errorf("%q: want %t but got %t", string(test.rune), test.want, got)
 66 | 		}
 67 | 	}
 68 | }
 69 | 
 70 | func TestDecodeCSS(t *testing.T) {
 71 | 	tests := []struct {
 72 | 		css, want string
 73 | 	}{
 74 | 		{``, ``},
 75 | 		{`foo`, `foo`},
 76 | 		{`foo\`, `foo`},
 77 | 		{`foo\\`, `foo\`},
 78 | 		{`\`, ``},
 79 | 		{`\A`, "\n"},
 80 | 		{`\a`, "\n"},
 81 | 		{`\0a`, "\n"},
 82 | 		{`\00000a`, "\n"},
 83 | 		{`\000000a`, "\u0000a"},
 84 | 		{`\1234 5`, "\u1234" + "5"},
 85 | 		{`\1234\20 5`, "\u1234" + " 5"},
 86 | 		{`\1234\A 5`, "\u1234" + "\n5"},
 87 | 		{"\\1234\t5", "\u1234" + "5"},
 88 | 		{"\\1234\n5", "\u1234" + "5"},
 89 | 		{"\\1234\r\n5", "\u1234" + "5"},
 90 | 		{`\12345`, "\U00012345"},
 91 | 		{`\\`, `\`},
 92 | 		{`\\ `, `\ `},
 93 | 		{`\"`, `"`},
 94 | 		{`\'`, `'`},
 95 | 		{`\.`, `.`},
 96 | 		{`\. .`, `. .`},
 97 | 		{
 98 | 			`The \3c i\3equick\3c/i\3e,\d\A\3cspan style=\27 color:brown\27\3e brown\3c/span\3e  fox jumps\2028over the \3c canine class=\22lazy\22 \3e dog\3c/canine\3e`,
 99 | 			"The <i>quick</i>,\r\n<span style='color:brown'>brown</span> fox jumps\u2028over the <canine class=\"lazy\">dog</canine>",
100 | 		},
101 | 	}
102 | 	for _, test := range tests {
103 | 		got1 := string(decodeCSS([]byte(test.css)))
104 | 		if got1 != test.want {
105 | 			t.Errorf("%q: want\n\t%q\nbut got\n\t%q", test.css, test.want, got1)
106 | 		}
107 | 		recoded := cssEscaper(got1)
108 | 		if got2 := string(decodeCSS([]byte(recoded))); got2 != test.want {
109 | 			t.Errorf("%q: escape & decode not dual for %q", test.css, recoded)
110 | 		}
111 | 	}
112 | }
113 | 
114 | func TestHexDecode(t *testing.T) {
115 | 	for i := 0; i < 0x200000; i += 101 /* coprime with 16 */ {
116 | 		s := strconv.FormatInt(int64(i), 16)
117 | 		if got := int(hexDecode([]byte(s))); got != i {
118 | 			t.Errorf("%s: want %d but got %d", s, i, got)
119 | 		}
120 | 		s = strings.ToUpper(s)
121 | 		if got := int(hexDecode([]byte(s))); got != i {
122 | 			t.Errorf("%s: want %d but got %d", s, i, got)
123 | 		}
124 | 	}
125 | }
126 | 
127 | func TestSkipCSSSpace(t *testing.T) {
128 | 	tests := []struct {
129 | 		css, want string
130 | 	}{
131 | 		{"", ""},
132 | 		{"foo", "foo"},
133 | 		{"\n", ""},
134 | 		{"\r\n", ""},
135 | 		{"\r", ""},
136 | 		{"\t", ""},
137 | 		{" ", ""},
138 | 		{"\f", ""},
139 | 		{" foo", "foo"},
140 | 		{"  foo", " foo"},
141 | 		{`\20`, `\20`},
142 | 	}
143 | 	for _, test := range tests {
144 | 		got := string(skipCSSSpace([]byte(test.css)))
145 | 		if got != test.want {
146 | 			t.Errorf("%q: want %q but got %q", test.css, test.want, got)
147 | 		}
148 | 	}
149 | }
150 | 
151 | func TestCSSEscaper(t *testing.T) {
152 | 	input := ("\x00\x01\x02\x03\x04\x05\x06\x07\x08\t\n\x0b\x0c\r\x0e\x0f" +
153 | 		"\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" +
154 | 		` !"#$%&'()*+,-./` +
155 | 		`0123456789:;<=>?` +
156 | 		`@ABCDEFGHIJKLMNO` +
157 | 		`PQRSTUVWXYZ[\]^_` +
158 | 		"`abcdefghijklmno" +
159 | 		"pqrstuvwxyz{|}~\x7f" +
160 | 		"\u00A0\u0100\u2028\u2029\ufeff\U0001D11E")
161 | 
162 | 	want := ("\\0\x01\x02\x03\x04\x05\x06\x07" +
163 | 		"\x08\\9 \\a\x0b\\c \\d\x0E\x0F" +
164 | 		"\x10\x11\x12\x13\x14\x15\x16\x17" +
165 | 		"\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" +
166 | 		` !\22#$%\26\27\28\29*\2b,-.\2f ` +
167 | 		`0123456789\3a\3b\3c=\3e?` +
168 | 		`@ABCDEFGHIJKLMNO` +
169 | 		`PQRSTUVWXYZ[\\]^_` +
170 | 		"`abcdefghijklmno" +
171 | 		`pqrstuvwxyz\7b|\7d~` + "\u007f" +
172 | 		"\u00A0\u0100\u2028\u2029\ufeff\U0001D11E")
173 | 
174 | 	got := cssEscaper(input)
175 | 	if got != want {
176 | 		t.Errorf("encode: want\n\t%q\nbut got\n\t%q", want, got)
177 | 	}
178 | 
179 | 	got = string(decodeCSS([]byte(got)))
180 | 	if input != got {
181 | 		t.Errorf("decode: want\n\t%q\nbut got\n\t%q", input, got)
182 | 	}
183 | }
184 | 
185 | func TestCSSValueFilter(t *testing.T) {
186 | 	tests := []struct {
187 | 		css, want string
188 | 	}{
189 | 		{"", ""},
190 | 		{"foo", "foo"},
191 | 		{"0", "0"},
192 | 		{"0px", "0px"},
193 | 		{"-5px", "-5px"},
194 | 		{"1.25in", "1.25in"},
195 | 		{"+.33em", "+.33em"},
196 | 		{"100%", "100%"},
197 | 		{"12.5%", "12.5%"},
198 | 		{".foo", ".foo"},
199 | 		{"#bar", "#bar"},
200 | 		{"corner-radius", "corner-radius"},
201 | 		{"-moz-corner-radius", "-moz-corner-radius"},
202 | 		{"#000", "#000"},
203 | 		{"#48f", "#48f"},
204 | 		{"#123456", "#123456"},
205 | 		{"U+00-FF, U+980-9FF", "U+00-FF, U+980-9FF"},
206 | 		{"color: red", "color: red"},
207 | 		{"<!--", "ZgotmplZ"},
208 | 		{"-->", "ZgotmplZ"},
209 | 		{"<![CDATA[", "ZgotmplZ"},
210 | 		{"]]>", "ZgotmplZ"},
211 | 		{"</style", "ZgotmplZ"},
212 | 		{`"`, "ZgotmplZ"},
213 | 		{`'`, "ZgotmplZ"},
214 | 		{"`", "ZgotmplZ"},
215 | 		{"\x00", "ZgotmplZ"},
216 | 		{"/* foo */", "ZgotmplZ"},
217 | 		{"//", "ZgotmplZ"},
218 | 		{"[href=~", "ZgotmplZ"},
219 | 		{"expression(alert(1337))", "ZgotmplZ"},
220 | 		{"-expression(alert(1337))", "ZgotmplZ"},
221 | 		{"expression", "ZgotmplZ"},
222 | 		{"Expression", "ZgotmplZ"},
223 | 		{"EXPRESSION", "ZgotmplZ"},
224 | 		{"-moz-binding", "ZgotmplZ"},
225 | 		{"-expr\x00ession(alert(1337))", "ZgotmplZ"},
226 | 		{`-expr\0ession(alert(1337))`, "ZgotmplZ"},
227 | 		{`-express\69on(alert(1337))`, "ZgotmplZ"},
228 | 		{`-express\69 on(alert(1337))`, "ZgotmplZ"},
229 | 		{`-exp\72 ession(alert(1337))`, "ZgotmplZ"},
230 | 		{`-exp\52 ession(alert(1337))`, "ZgotmplZ"},
231 | 		{`-exp\000052 ession(alert(1337))`, "ZgotmplZ"},
232 | 		{`-expre\0000073sion`, "-expre\x073sion"},
233 | 		{`@import url evil.css`, "ZgotmplZ"},
234 | 	}
235 | 	for _, test := range tests {
236 | 		got := cssValueFilter(test.css)
237 | 		if got != test.want {
238 | 			t.Errorf("%q: want %q but got %q", test.css, test.want, got)
239 | 		}
240 | 	}
241 | }
242 | 
243 | func BenchmarkCSSEscaper(b *testing.B) {
244 | 	for i := 0; i < b.N; i++ {
245 | 		cssEscaper("The <i>quick</i>,\r\n<span style='color:brown'>brown</span> fox jumps\u2028over the <canine class=\"lazy\">dog</canine>")
246 | 	}
247 | }
248 | 
249 | func BenchmarkCSSEscaperNoSpecials(b *testing.B) {
250 | 	for i := 0; i < b.N; i++ {
251 | 		cssEscaper("The quick, brown fox jumps over the lazy dog.")
252 | 	}
253 | }
254 | 
255 | func BenchmarkDecodeCSS(b *testing.B) {
256 | 	s := []byte(`The \3c i\3equick\3c/i\3e,\d\A\3cspan style=\27 color:brown\27\3e brown\3c/span\3e fox jumps\2028over the \3c canine class=\22lazy\22 \3edog\3c/canine\3e`)
257 | 	b.ResetTimer()
258 | 	for i := 0; i < b.N; i++ {
259 | 		decodeCSS(s)
260 | 	}
261 | }
262 | 
263 | func BenchmarkDecodeCSSNoSpecials(b *testing.B) {
264 | 	s := []byte("The quick, brown fox jumps over the lazy dog.")
265 | 	b.ResetTimer()
266 | 	for i := 0; i < b.N; i++ {
267 | 		decodeCSS(s)
268 | 	}
269 | }
270 | 
271 | func BenchmarkCSSValueFilter(b *testing.B) {
272 | 	for i := 0; i < b.N; i++ {
273 | 		cssValueFilter(`  e\78preS\0Sio/**/n(alert(1337))`)
274 | 	}
275 | }
276 | 
277 | func BenchmarkCSSValueFilterOk(b *testing.B) {
278 | 	for i := 0; i < b.N; i++ {
279 | 		cssValueFilter(`Times New Roman`)
280 | 	}
281 | }
282 | 


--------------------------------------------------------------------------------
/v0/escape/error.go:
--------------------------------------------------------------------------------
  1 | // Copyright 2011 The Go Authors. All rights reserved.
  2 | // Use of this source code is governed by a BSD-style
  3 | // license that can be found in the LICENSE file.
  4 | 
  5 | package escape
  6 | 
  7 | import (
  8 | 	"fmt"
  9 | )
 10 | 
 11 | // Error describes a problem encountered during template Escaping.
 12 | type Error struct {
 13 | 	// ErrorCode describes the kind of error.
 14 | 	ErrorCode ErrorCode
 15 | 	// Name is the name of the template in which the error was encountered.
 16 | 	Name string
 17 | 	// Line is the line number of the error in the template source or 0.
 18 | 	Line int
 19 | 	// Description is a human-readable description of the problem.
 20 | 	Description string
 21 | }
 22 | 
 23 | // ErrorCode is a code for a kind of error.
 24 | type ErrorCode int
 25 | 
 26 | // We define codes for each error that manifests while escaping templates, but
 27 | // escaped templates may also fail at runtime.
 28 | //
 29 | // Output: "ZgotmplZ"
 30 | // Example:
 31 | //   <img src="{{.X}}">
 32 | //   where {{.X}} evaluates to `javascript:...`
 33 | // Discussion:
 34 | //   "ZgotmplZ" is a special value that indicates that unsafe content reached a
 35 | //   CSS or URL context at runtime. The output of the example will be
 36 | //     <img src="#ZgotmplZ">
 37 | //   If the data comes from a trusted source, use content types to exempt it
 38 | //   from filtering: URL(`javascript:...`).
 39 | const (
 40 | 	// OK indicates the lack of an error.
 41 | 	OK ErrorCode = iota
 42 | 
 43 | 	// ErrAmbigContext: "... appears in an ambiguous URL context"
 44 | 	// Example:
 45 | 	//   <a href="
 46 | 	//      {{if .C}}
 47 | 	//        /path/
 48 | 	//      {{else}}
 49 | 	//        /search?q=
 50 | 	//      {{end}}
 51 | 	//      {{.X}}
 52 | 	//   ">
 53 | 	// Discussion:
 54 | 	//   {{.X}} is in an ambiguous URL context since, depending on {{.C}},
 55 | 	//  it may be either a URL suffix or a query parameter.
 56 | 	//   Moving {{.X}} into the condition removes the ambiguity:
 57 | 	//   <a href="{{if .C}}/path/{{.X}}{{else}}/search?q={{.X}}">
 58 | 	ErrAmbigContext
 59 | 
 60 | 	// ErrBadHTML: "expected space, attr name, or end of tag, but got ...",
 61 | 	//   "... in unquoted attr", "... in attribute name"
 62 | 	// Example:
 63 | 	//   <a href = /search?q=foo>
 64 | 	//   <href=foo>
 65 | 	//   <form na<e=...>
 66 | 	//   <option selected<
 67 | 	// Discussion:
 68 | 	//   This is often due to a typo in an HTML element, but some runes
 69 | 	//   are banned in tag names, attribute names, and unquoted attribute
 70 | 	//   values because they can tickle parser ambiguities.
 71 | 	//   Quoting all attributes is the best policy.
 72 | 	ErrBadHTML
 73 | 
 74 | 	// ErrBranchEnd: "{{if}} branches end in different contexts"
 75 | 	// Example:
 76 | 	//   {{if .C}}<a href="{{end}}{{.X}}
 77 | 	// Discussion:
 78 | 	//   Package html/template statically examines each path through an
 79 | 	//   {{if}}, {{range}}, or {{with}} to escape any following pipelines.
 80 | 	//   The example is ambiguous since {{.X}} might be an HTML text node,
 81 | 	//   or a URL prefix in an HTML attribute. The context of {{.X}} is
 82 | 	//   used to figure out how to escape it, but that context depends on
 83 | 	//   the run-time value of {{.C}} which is not statically known.
 84 | 	//
 85 | 	//   The problem is usually something like missing quotes or angle
 86 | 	//   brackets, or can be avoided by refactoring to put the two contexts
 87 | 	//   into different branches of an if, range or with. If the problem
 88 | 	//   is in a {{range}} over a collection that should never be empty,
 89 | 	//   adding a dummy {{else}} can help.
 90 | 	ErrBranchEnd
 91 | 
 92 | 	// ErrEndContext: "... ends in a non-text context: ..."
 93 | 	// Examples:
 94 | 	//   <div
 95 | 	//   <div title="no close quote>
 96 | 	//   <script>f()
 97 | 	// Discussion:
 98 | 	//   Executed templates should produce a DocumentFragment of HTML.
 99 | 	//   Templates that end without closing tags will trigger this error.
100 | 	//   Templates that should not be used in an HTML context or that
101 | 	//   produce incomplete Fragments should not be executed directly.
102 | 	//
103 | 	//   {{define "main"}} <script>{{template "helper"}}</script> {{end}}
104 | 	//   {{define "helper"}} document.write(' <div title=" ') {{end}}
105 | 	//
106 | 	//   "helper" does not produce a valid document fragment, so should
107 | 	//   not be Executed directly.
108 | 	ErrEndContext
109 | 
110 | 	// ErrNoSuchTemplate: "no such template ..."
111 | 	// Examples:
112 | 	//   {{define "main"}}<div {{template "attrs"}}>{{end}}
113 | 	//   {{define "attrs"}}href="{{.URL}}"{{end}}
114 | 	// Discussion:
115 | 	//   Package html/template looks through template calls to compute the
116 | 	//   context.
117 | 	//   Here the {{.URL}} in "attrs" must be treated as a URL when called
118 | 	//   from "main", but you will get this error if "attrs" is not defined
119 | 	//   when "main" is parsed.
120 | 	ErrNoSuchTemplate
121 | 
122 | 	// ErrOutputContext: "cannot compute output context for template ..."
123 | 	// Examples:
124 | 	//   {{define "t"}}{{if .T}}{{template "t" .T}}{{end}}{{.H}}",{{end}}
125 | 	// Discussion:
126 | 	//   A recursive template does not end in the same context in which it
127 | 	//   starts, and a reliable output context cannot be computed.
128 | 	//   Look for typos in the named template.
129 | 	//   If the template should not be called in the named start context,
130 | 	//   look for calls to that template in unexpected contexts.
131 | 	//   Maybe refactor recursive templates to not be recursive.
132 | 	ErrOutputContext
133 | 
134 | 	// ErrPartialCharset: "unfinished JS regexp charset in ..."
135 | 	// Example:
136 | 	//     <script>var pattern = /foo[{{.Chars}}]/</script>
137 | 	// Discussion:
138 | 	//   Package html/template does not support interpolation into regular
139 | 	//   expression literal character sets.
140 | 	ErrPartialCharset
141 | 
142 | 	// ErrPartialEscape: "unfinished escape sequence in ..."
143 | 	// Example:
144 | 	//   <script>alert("\{{.X}}")</script>
145 | 	// Discussion:
146 | 	//   Package html/template does not support actions following a
147 | 	//   backslash.
148 | 	//   This is usually an error and there are better solutions; for
149 | 	//   example
150 | 	//     <script>alert("{{.X}}")</script>
151 | 	//   should work, and if {{.X}} is a partial escape sequence such as
152 | 	//   "xA0", mark the whole sequence as safe content: JSStr(`\xA0`)
153 | 	ErrPartialEscape
154 | 
155 | 	// ErrRangeLoopReentry: "on range loop re-entry: ..."
156 | 	// Example:
157 | 	//   <script>var x = [{{range .}}'{{.}},{{end}}]</script>
158 | 	// Discussion:
159 | 	//   If an iteration through a range would cause it to end in a
160 | 	//   different context than an earlier pass, there is no single context.
161 | 	//   In the example, there is missing a quote, so it is not clear
162 | 	//   whether {{.}} is meant to be inside a JS string or in a JS value
163 | 	//   context.  The second iteration would produce something like
164 | 	//
165 | 	//     <script>var x = ['firstValue,'secondValue]</script>
166 | 	ErrRangeLoopReentry
167 | 
168 | 	// ErrSlashAmbig: '/' could start a division or regexp.
169 | 	// Example:
170 | 	//   <script>
171 | 	//     {{if .C}}var x = 1{{end}}
172 | 	//     /-{{.N}}/i.test(x) ? doThis : doThat();
173 | 	//   </script>
174 | 	// Discussion:
175 | 	//   The example above could produce `var x = 1/-2/i.test(s)...`
176 | 	//   in which the first '/' is a mathematical division operator or it
177 | 	//   could produce `/-2/i.test(s)` in which the first '/' starts a
178 | 	//   regexp literal.
179 | 	//   Look for missing semicolons inside branches, and maybe add
180 | 	//   parentheses to make it clear which interpretation you intend.
181 | 	ErrSlashAmbig
182 | )
183 | 
184 | func (e *Error) Error() string {
185 | 	if e.Line != 0 {
186 | 		return fmt.Sprintf("html/template:%s:%d: %s", e.Name, e.Line, e.Description)
187 | 	} else if e.Name != "" {
188 | 		return fmt.Sprintf("html/template:%s: %s", e.Name, e.Description)
189 | 	}
190 | 	return "html/template: " + e.Description
191 | }
192 | 
193 | // errorf creates an error given a format string f and args.
194 | // The template Name still needs to be supplied.
195 | func errorf(k ErrorCode, line int, f string, args ...interface{}) *Error {
196 | 	return &Error{k, "", line, fmt.Sprintf(f, args...)}
197 | }
198 | 


--------------------------------------------------------------------------------
/v0/escape/escape_test.go:
--------------------------------------------------------------------------------
  1 | // Copyright 2011 The Go Authors. All rights reserved.
  2 | // Use of this source code is governed by a BSD-style
  3 | // license that can be found in the LICENSE file.
  4 | 
  5 | package escape
  6 | 
  7 | import (
  8 | 	"testing"
  9 | 
 10 | 	"github.com/gorilla/template/v0/parse"
 11 | )
 12 | 
 13 | func TestEscapeText(t *testing.T) {
 14 | 	tests := []struct {
 15 | 		input  string
 16 | 		output context
 17 | 	}{
 18 | 		{
 19 | 			``,
 20 | 			context{},
 21 | 		},
 22 | 		{
 23 | 			`Hello, World!`,
 24 | 			context{},
 25 | 		},
 26 | 		{
 27 | 			// An orphaned "<" is OK.
 28 | 			`I <3 Ponies!`,
 29 | 			context{},
 30 | 		},
 31 | 		{
 32 | 			`<a`,
 33 | 			context{state: stateTag},
 34 | 		},
 35 | 		{
 36 | 			`<a `,
 37 | 			context{state: stateTag},
 38 | 		},
 39 | 		{
 40 | 			`<a>`,
 41 | 			context{state: stateText},
 42 | 		},
 43 | 		{
 44 | 			`<a href`,
 45 | 			context{state: stateAttrName, attr: attrURL},
 46 | 		},
 47 | 		{
 48 | 			`<a on`,
 49 | 			context{state: stateAttrName, attr: attrScript},
 50 | 		},
 51 | 		{
 52 | 			`<a href `,
 53 | 			context{state: stateAfterName, attr: attrURL},
 54 | 		},
 55 | 		{
 56 | 			`<a style  =  `,
 57 | 			context{state: stateBeforeValue, attr: attrStyle},
 58 | 		},
 59 | 		{
 60 | 			`<a href=`,
 61 | 			context{state: stateBeforeValue, attr: attrURL},
 62 | 		},
 63 | 		{
 64 | 			`<a href=x`,
 65 | 			context{state: stateURL, delim: delimSpaceOrTagEnd, urlPart: urlPartPreQuery},
 66 | 		},
 67 | 		{
 68 | 			`<a href=x `,
 69 | 			context{state: stateTag},
 70 | 		},
 71 | 		{
 72 | 			`<a href=>`,
 73 | 			context{state: stateText},
 74 | 		},
 75 | 		{
 76 | 			`<a href=x>`,
 77 | 			context{state: stateText},
 78 | 		},
 79 | 		{
 80 | 			`<a href ='`,
 81 | 			context{state: stateURL, delim: delimSingleQuote},
 82 | 		},
 83 | 		{
 84 | 			`<a href=''`,
 85 | 			context{state: stateTag},
 86 | 		},
 87 | 		{
 88 | 			`<a href= "`,
 89 | 			context{state: stateURL, delim: delimDoubleQuote},
 90 | 		},
 91 | 		{
 92 | 			`<a href=""`,
 93 | 			context{state: stateTag},
 94 | 		},
 95 | 		{
 96 | 			`<a title="`,
 97 | 			context{state: stateAttr, delim: delimDoubleQuote},
 98 | 		},
 99 | 		{
100 | 			`<a HREF='http:`,
101 | 			context{state: stateURL, delim: delimSingleQuote, urlPart: urlPartPreQuery},
102 | 		},
103 | 		{
104 | 			`<a Href='/`,
105 | 			context{state: stateURL, delim: delimSingleQuote, urlPart: urlPartPreQuery},
106 | 		},
107 | 		{
108 | 			`<a href='"`,
109 | 			context{state: stateURL, delim: delimSingleQuote, urlPart: urlPartPreQuery},
110 | 		},
111 | 		{
112 | 			`<a href="'`,
113 | 			context{state: stateURL, delim: delimDoubleQuote, urlPart: urlPartPreQuery},
114 | 		},
115 | 		{
116 | 			`<a href='&apos;`,
117 | 			context{state: stateURL, delim: delimSingleQuote, urlPart: urlPartPreQuery},
118 | 		},
119 | 		{
120 | 			`<a href="&quot;`,
121 | 			context{state: stateURL, delim: delimDoubleQuote, urlPart: urlPartPreQuery},
122 | 		},
123 | 		{
124 | 			`<a href="&#34;`,
125 | 			context{state: stateURL, delim: delimDoubleQuote, urlPart: urlPartPreQuery},
126 | 		},
127 | 		{
128 | 			`<a href=&quot;`,
129 | 			context{state: stateURL, delim: delimSpaceOrTagEnd, urlPart: urlPartPreQuery},
130 | 		},
131 | 		{
132 | 			`<img alt="1">`,
133 | 			context{state: stateText},
134 | 		},
135 | 		{
136 | 			`<img alt="1>"`,
137 | 			context{state: stateTag},
138 | 		},
139 | 		{
140 | 			`<img alt="1>">`,
141 | 			context{state: stateText},
142 | 		},
143 | 		{
144 | 			`<input checked type="checkbox"`,
145 | 			context{state: stateTag},
146 | 		},
147 | 		{
148 | 			`<a onclick="`,
149 | 			context{state: stateJS, delim: delimDoubleQuote},
150 | 		},
151 | 		{
152 | 			`<a onclick="//foo`,
153 | 			context{state: stateJSLineCmt, delim: delimDoubleQuote},
154 | 		},
155 | 		{
156 | 			"<a onclick='//\n",
157 | 			context{state: stateJS, delim: delimSingleQuote},
158 | 		},
159 | 		{
160 | 			"<a onclick='//\r\n",
161 | 			context{state: stateJS, delim: delimSingleQuote},
162 | 		},
163 | 		{
164 | 			"<a onclick='//\u2028",
165 | 			context{state: stateJS, delim: delimSingleQuote},
166 | 		},
167 | 		{
168 | 			`<a onclick="/*`,
169 | 			context{state: stateJSBlockCmt, delim: delimDoubleQuote},
170 | 		},
171 | 		{
172 | 			`<a onclick="/*/`,
173 | 			context{state: stateJSBlockCmt, delim: delimDoubleQuote},
174 | 		},
175 | 		{
176 | 			`<a onclick="/**/`,
177 | 			context{state: stateJS, delim: delimDoubleQuote},
178 | 		},
179 | 		{
180 | 			`<a onkeypress="&quot;`,
181 | 			context{state: stateJSDqStr, delim: delimDoubleQuote},
182 | 		},
183 | 		{
184 | 			`<a onclick='&quot;foo&quot;`,
185 | 			context{state: stateJS, delim: delimSingleQuote, jsCtx: jsCtxDivOp},
186 | 		},
187 | 		{
188 | 			`<a onclick=&#39;foo&#39;`,
189 | 			context{state: stateJS, delim: delimSpaceOrTagEnd, jsCtx: jsCtxDivOp},
190 | 		},
191 | 		{
192 | 			`<a onclick=&#39;foo`,
193 | 			context{state: stateJSSqStr, delim: delimSpaceOrTagEnd},
194 | 		},
195 | 		{
196 | 			`<a onclick="&quot;foo'`,
197 | 			context{state: stateJSDqStr, delim: delimDoubleQuote},
198 | 		},
199 | 		{
200 | 			`<a onclick="'foo&quot;`,
201 | 			context{state: stateJSSqStr, delim: delimDoubleQuote},
202 | 		},
203 | 		{
204 | 			`<A ONCLICK="'`,
205 | 			context{state: stateJSSqStr, delim: delimDoubleQuote},
206 | 		},
207 | 		{
208 | 			`<a onclick="/`,
209 | 			context{state: stateJSRegexp, delim: delimDoubleQuote},
210 | 		},
211 | 		{
212 | 			`<a onclick="'foo'`,
213 | 			context{state: stateJS, delim: delimDoubleQuote, jsCtx: jsCtxDivOp},
214 | 		},
215 | 		{
216 | 			`<a onclick="'foo\'`,
217 | 			context{state: stateJSSqStr, delim: delimDoubleQuote},
218 | 		},
219 | 		{
220 | 			`<a onclick="'foo\'`,
221 | 			context{state: stateJSSqStr, delim: delimDoubleQuote},
222 | 		},
223 | 		{
224 | 			`<a onclick="/foo/`,
225 | 			context{state: stateJS, delim: delimDoubleQuote, jsCtx: jsCtxDivOp},
226 | 		},
227 | 		{
228 | 			`<script>/foo/ /=`,
229 | 			context{state: stateJS, element: elementScript},
230 | 		},
231 | 		{
232 | 			`<a onclick="1 /foo`,
233 | 			context{state: stateJS, delim: delimDoubleQuote, jsCtx: jsCtxDivOp},
234 | 		},
235 | 		{
236 | 			`<a onclick="1 /*c*/ /foo`,
237 | 			context{state: stateJS, delim: delimDoubleQuote, jsCtx: jsCtxDivOp},
238 | 		},
239 | 		{
240 | 			`<a onclick="/foo[/]`,
241 | 			context{state: stateJSRegexp, delim: delimDoubleQuote},
242 | 		},
243 | 		{
244 | 			`<a onclick="/foo\/`,
245 | 			context{state: stateJSRegexp, delim: delimDoubleQuote},
246 | 		},
247 | 		{
248 | 			`<a onclick="/foo/`,
249 | 			context{state: stateJS, delim: delimDoubleQuote, jsCtx: jsCtxDivOp},
250 | 		},
251 | 		{
252 | 			`<input checked style="`,
253 | 			context{state: stateCSS, delim: delimDoubleQuote},
254 | 		},
255 | 		{
256 | 			`<a style="//`,
257 | 			context{state: stateCSSLineCmt, delim: delimDoubleQuote},
258 | 		},
259 | 		{
260 | 			`<a style="//</script>`,
261 | 			context{state: stateCSSLineCmt, delim: delimDoubleQuote},
262 | 		},
263 | 		{
264 | 			"<a style='//\n",
265 | 			context{state: stateCSS, delim: delimSingleQuote},
266 | 		},
267 | 		{
268 | 			"<a style='//\r",
269 | 			context{state: stateCSS, delim: delimSingleQuote},
270 | 		},
271 | 		{
272 | 			`<a style="/*`,
273 | 			context{state: stateCSSBlockCmt, delim: delimDoubleQuote},
274 | 		},
275 | 		{
276 | 			`<a style="/*/`,
277 | 			context{state: stateCSSBlockCmt, delim: delimDoubleQuote},
278 | 		},
279 | 		{
280 | 			`<a style="/**/`,
281 | 			context{state: stateCSS, delim: delimDoubleQuote},
282 | 		},
283 | 		{
284 | 			`<a style="background: '`,
285 | 			context{state: stateCSSSqStr, delim: delimDoubleQuote},
286 | 		},
287 | 		{
288 | 			`<a style="background: &quot;`,
289 | 			context{state: stateCSSDqStr, delim: delimDoubleQuote},
290 | 		},
291 | 		{
292 | 			`<a style="background: '/foo?img=`,
293 | 			context{state: stateCSSSqStr, delim: delimDoubleQuote, urlPart: urlPartQueryOrFrag},
294 | 		},
295 | 		{
296 | 			`<a style="background: '/`,
297 | 			context{state: stateCSSSqStr, delim: delimDoubleQuote, urlPart: urlPartPreQuery},
298 | 		},
299 | 		{
300 | 			`<a style="background: url(&#x22;/`,
301 | 			context{state: stateCSSDqURL, delim: delimDoubleQuote, urlPart: urlPartPreQuery},
302 | 		},
303 | 		{
304 | 			`<a style="background: url('/`,
305 | 			context{state: stateCSSSqURL, delim: delimDoubleQuote, urlPart: urlPartPreQuery},
306 | 		},
307 | 		{
308 | 			`<a style="background: url('/)`,
309 | 			context{state: stateCSSSqURL, delim: delimDoubleQuote, urlPart: urlPartPreQuery},
310 | 		},
311 | 		{
312 | 			`<a style="background: url('/ `,
313 | 			context{state: stateCSSSqURL, delim: delimDoubleQuote, urlPart: urlPartPreQuery},
314 | 		},
315 | 		{
316 | 			`<a style="background: url(/`,
317 | 			context{state: stateCSSURL, delim: delimDoubleQuote, urlPart: urlPartPreQuery},
318 | 		},
319 | 		{
320 | 			`<a style="background: url( `,
321 | 			context{state: stateCSSURL, delim: delimDoubleQuote},
322 | 		},
323 | 		{
324 | 			`<a style="background: url( /image?name=`,
325 | 			context{state: stateCSSURL, delim: delimDoubleQuote, urlPart: urlPartQueryOrFrag},
326 | 		},
327 | 		{
328 | 			`<a style="background: url(x)`,
329 | 			context{state: stateCSS, delim: delimDoubleQuote},
330 | 		},
331 | 		{
332 | 			`<a style="background: url('x'`,
333 | 			context{state: stateCSS, delim: delimDoubleQuote},
334 | 		},
335 | 		{
336 | 			`<a style="background: url( x `,
337 | 			context{state: stateCSS, delim: delimDoubleQuote},
338 | 		},
339 | 		{
340 | 			`<!-- foo`,
341 | 			context{state: stateHTMLCmt},
342 | 		},
343 | 		{
344 | 			`<!-->`,
345 | 			context{state: stateHTMLCmt},
346 | 		},
347 | 		{
348 | 			`<!--->`,
349 | 			context{state: stateHTMLCmt},
350 | 		},
351 | 		{
352 | 			`<!-- foo -->`,
353 | 			context{state: stateText},
354 | 		},
355 | 		{
356 | 			`<script`,
357 | 			context{state: stateTag, element: elementScript},
358 | 		},
359 | 		{
360 | 			`<script `,
361 | 			context{state: stateTag, element: elementScript},
362 | 		},
363 | 		{
364 | 			`<script src="foo.js" `,
365 | 			context{state: stateTag, element: elementScript},
366 | 		},
367 | 		{
368 | 			`<script src='foo.js' `,
369 | 			context{state: stateTag, element: elementScript},
370 | 		},
371 | 		{
372 | 			`<script type=text/javascript `,
373 | 			context{state: stateTag, element: elementScript},
374 | 		},
375 | 		{
376 | 			`<script>foo`,
377 | 			context{state: stateJS, jsCtx: jsCtxDivOp, element: elementScript},
378 | 		},
379 | 		{
380 | 			`<script>foo</script>`,
381 | 			context{state: stateText},
382 | 		},
383 | 		{
384 | 			`<script>foo</script><!--`,
385 | 			context{state: stateHTMLCmt},
386 | 		},
387 | 		{
388 | 			`<script>document.write("<p>foo</p>");`,
389 | 			context{state: stateJS, element: elementScript},
390 | 		},
391 | 		{
392 | 			`<script>document.write("<p>foo<\/script>");`,
393 | 			context{state: stateJS, element: elementScript},
394 | 		},
395 | 		{
396 | 			`<script>document.write("<script>alert(1)</script>");`,
397 | 			context{state: stateText},
398 | 		},
399 | 		{
400 | 			`<Script>`,
401 | 			context{state: stateJS, element: elementScript},
402 | 		},
403 | 		{
404 | 			`<SCRIPT>foo`,
405 | 			context{state: stateJS, jsCtx: jsCtxDivOp, element: elementScript},
406 | 		},
407 | 		{
408 | 			`<textarea>value`,
409 | 			context{state: stateRCDATA, element: elementTextarea},
410 | 		},
411 | 		{
412 | 			`<textarea>value</TEXTAREA>`,
413 | 			context{state: stateText},
414 | 		},
415 | 		{
416 | 			`<textarea name=html><b`,
417 | 			context{state: stateRCDATA, element: elementTextarea},
418 | 		},
419 | 		{
420 | 			`<title>value`,
421 | 			context{state: stateRCDATA, element: elementTitle},
422 | 		},
423 | 		{
424 | 			`<style>value`,
425 | 			context{state: stateCSS, element: elementStyle},
426 | 		},
427 | 		{
428 | 			`<a xlink:href`,
429 | 			context{state: stateAttrName, attr: attrURL},
430 | 		},
431 | 		{
432 | 			`<a xmlns`,
433 | 			context{state: stateAttrName, attr: attrURL},
434 | 		},
435 | 		{
436 | 			`<a xmlns:foo`,
437 | 			context{state: stateAttrName, attr: attrURL},
438 | 		},
439 | 		{
440 | 			`<a xmlnsxyz`,
441 | 			context{state: stateAttrName},
442 | 		},
443 | 		{
444 | 			`<a data-url`,
445 | 			context{state: stateAttrName, attr: attrURL},
446 | 		},
447 | 		{
448 | 			`<a data-iconUri`,
449 | 			context{state: stateAttrName, attr: attrURL},
450 | 		},
451 | 		{
452 | 			`<a data-urlItem`,
453 | 			context{state: stateAttrName, attr: attrURL},
454 | 		},
455 | 		{
456 | 			`<a g:`,
457 | 			context{state: stateAttrName},
458 | 		},
459 | 		{
460 | 			`<a g:url`,
461 | 			context{state: stateAttrName, attr: attrURL},
462 | 		},
463 | 		{
464 | 			`<a g:iconUri`,
465 | 			context{state: stateAttrName, attr: attrURL},
466 | 		},
467 | 		{
468 | 			`<a g:urlItem`,
469 | 			context{state: stateAttrName, attr: attrURL},
470 | 		},
471 | 		{
472 | 			`<a g:value`,
473 | 			context{state: stateAttrName},
474 | 		},
475 | 		{
476 | 			`<a svg:style='`,
477 | 			context{state: stateCSS, delim: delimSingleQuote},
478 | 		},
479 | 		{
480 | 			`<svg:font-face`,
481 | 			context{state: stateTag},
482 | 		},
483 | 		{
484 | 			`<svg:a svg:onclick="`,
485 | 			context{state: stateJS, delim: delimDoubleQuote},
486 | 		},
487 | 	}
488 | 
489 | 	for _, test := range tests {
490 | 		b, e := []byte(test.input), newEscaper(nil)
491 | 		c := e.escapeText(context{}, &parse.TextNode{NodeType: parse.NodeText, Text: b})
492 | 		if !test.output.eq(c) {
493 | 			t.Errorf("input %q: want context\n\t%v\ngot\n\t%v", test.input, test.output, c)
494 | 			continue
495 | 		}
496 | 		if test.input != string(b) {
497 | 			t.Errorf("input %q: text node was modified: want %q got %q", test.input, test.input, b)
498 | 			continue
499 | 		}
500 | 	}
501 | }
502 | 


--------------------------------------------------------------------------------
/v0/escape/funcs.go:
--------------------------------------------------------------------------------
  1 | // Copyright 2011 The Go Authors. All rights reserved.
  2 | // Use of this source code is governed by a BSD-style
  3 | // license that can be found in the LICENSE file.
  4 | 
  5 | package escape
  6 | 
  7 | import (
  8 | 	"bytes"
  9 | 	"fmt"
 10 | 	"io"
 11 | 	"net/url"
 12 | 	"strings"
 13 | 	"unicode"
 14 | 	"unicode/utf8"
 15 | )
 16 | 
 17 | // HTML escaping.
 18 | 
 19 | var (
 20 | 	htmlQuot = []byte("&#34;") // shorter than "&quot;"
 21 | 	htmlApos = []byte("&#39;") // shorter than "&apos;" and apos was not in HTML until HTML5
 22 | 	htmlAmp  = []byte("&amp;")
 23 | 	htmlLt   = []byte("&lt;")
 24 | 	htmlGt   = []byte("&gt;")
 25 | )
 26 | 
 27 | // HTMLEscape writes to w the escaped HTML equivalent of the plain text data b.
 28 | func HTMLEscape(w io.Writer, b []byte) {
 29 | 	last := 0
 30 | 	for i, c := range b {
 31 | 		var html []byte
 32 | 		switch c {
 33 | 		case '"':
 34 | 			html = htmlQuot
 35 | 		case '\'':
 36 | 			html = htmlApos
 37 | 		case '&':
 38 | 			html = htmlAmp
 39 | 		case '<':
 40 | 			html = htmlLt
 41 | 		case '>':
 42 | 			html = htmlGt
 43 | 		default:
 44 | 			continue
 45 | 		}
 46 | 		w.Write(b[last:i])
 47 | 		w.Write(html)
 48 | 		last = i + 1
 49 | 	}
 50 | 	w.Write(b[last:])
 51 | }
 52 | 
 53 | // HTMLEscapeString returns the escaped HTML equivalent of the plain text data s.
 54 | func HTMLEscapeString(s string) string {
 55 | 	// Avoid allocation if we can.
 56 | 	if strings.IndexAny(s, `'"&<>`) < 0 {
 57 | 		return s
 58 | 	}
 59 | 	var b bytes.Buffer
 60 | 	HTMLEscape(&b, []byte(s))
 61 | 	return b.String()
 62 | }
 63 | 
 64 | // JavaScript escaping.
 65 | 
 66 | var (
 67 | 	jsLowUni = []byte(`\u00`)
 68 | 	hex      = []byte("0123456789ABCDEF")
 69 | 
 70 | 	jsBackslash = []byte(`\\`)
 71 | 	jsApos      = []byte(`\'`)
 72 | 	jsQuot      = []byte(`\"`)
 73 | 	jsLt        = []byte(`\x3C`)
 74 | 	jsGt        = []byte(`\x3E`)
 75 | )
 76 | 
 77 | // JSEscape writes to w the escaped JavaScript equivalent of the plain text data b.
 78 | func JSEscape(w io.Writer, b []byte) {
 79 | 	last := 0
 80 | 	for i := 0; i < len(b); i++ {
 81 | 		c := b[i]
 82 | 
 83 | 		if !jsIsSpecial(rune(c)) {
 84 | 			// fast path: nothing to do
 85 | 			continue
 86 | 		}
 87 | 		w.Write(b[last:i])
 88 | 
 89 | 		if c < utf8.RuneSelf {
 90 | 			// Quotes, slashes and angle brackets get quoted.
 91 | 			// Control characters get written as \u00XX.
 92 | 			switch c {
 93 | 			case '\\':
 94 | 				w.Write(jsBackslash)
 95 | 			case '\'':
 96 | 				w.Write(jsApos)
 97 | 			case '"':
 98 | 				w.Write(jsQuot)
 99 | 			case '<':
100 | 				w.Write(jsLt)
101 | 			case '>':
102 | 				w.Write(jsGt)
103 | 			default:
104 | 				w.Write(jsLowUni)
105 | 				t, b := c>>4, c&0x0f
106 | 				w.Write(hex[t : t+1])
107 | 				w.Write(hex[b : b+1])
108 | 			}
109 | 		} else {
110 | 			// Unicode rune.
111 | 			r, size := utf8.DecodeRune(b[i:])
112 | 			if unicode.IsPrint(r) {
113 | 				w.Write(b[i : i+size])
114 | 			} else {
115 | 				fmt.Fprintf(w, "\\u%04X", r)
116 | 			}
117 | 			i += size - 1
118 | 		}
119 | 		last = i + 1
120 | 	}
121 | 	w.Write(b[last:])
122 | }
123 | 
124 | // JSEscapeString returns the escaped JavaScript equivalent of the plain text data s.
125 | func JSEscapeString(s string) string {
126 | 	// Avoid allocation if we can.
127 | 	if strings.IndexFunc(s, jsIsSpecial) < 0 {
128 | 		return s
129 | 	}
130 | 	var b bytes.Buffer
131 | 	JSEscape(&b, []byte(s))
132 | 	return b.String()
133 | }
134 | 
135 | func jsIsSpecial(r rune) bool {
136 | 	switch r {
137 | 	case '\\', '\'', '"', '<', '>':
138 | 		return true
139 | 	}
140 | 	return r < ' ' || utf8.RuneSelf <= r
141 | }
142 | 
143 | // HTMLEscaper returns the escaped HTML equivalent of the textual
144 | // representation of its arguments.
145 | func HTMLEscaper(args ...interface{}) string {
146 | 	ok := false
147 | 	var s string
148 | 	if len(args) == 1 {
149 | 		s, ok = args[0].(string)
150 | 	}
151 | 	if !ok {
152 | 		s = fmt.Sprint(args...)
153 | 	}
154 | 	return HTMLEscapeString(s)
155 | }
156 | 
157 | // JSEscaper returns the escaped JavaScript equivalent of the textual
158 | // representation of its arguments.
159 | func JSEscaper(args ...interface{}) string {
160 | 	ok := false
161 | 	var s string
162 | 	if len(args) == 1 {
163 | 		s, ok = args[0].(string)
164 | 	}
165 | 	if !ok {
166 | 		s = fmt.Sprint(args...)
167 | 	}
168 | 	return JSEscapeString(s)
169 | }
170 | 
171 | // URLQueryEscaper returns the escaped value of the textual representation of
172 | // its arguments in a form suitable for embedding in a URL query.
173 | func URLQueryEscaper(args ...interface{}) string {
174 | 	s, ok := "", false
175 | 	if len(args) == 1 {
176 | 		s, ok = args[0].(string)
177 | 	}
178 | 	if !ok {
179 | 		s = fmt.Sprint(args...)
180 | 	}
181 | 	return url.QueryEscape(s)
182 | }
183 | 


--------------------------------------------------------------------------------
/v0/escape/html.go:
--------------------------------------------------------------------------------
  1 | // Copyright 2011 The Go Authors. All rights reserved.
  2 | // Use of this source code is governed by a BSD-style
  3 | // license that can be found in the LICENSE file.
  4 | 
  5 | package escape
  6 | 
  7 | import (
  8 | 	"bytes"
  9 | 	"fmt"
 10 | 	"strings"
 11 | 	"unicode/utf8"
 12 | )
 13 | 
 14 | // htmlNospaceEscaper escapes for inclusion in unquoted attribute values.
 15 | func htmlNospaceEscaper(args ...interface{}) string {
 16 | 	s, t := stringify(args...)
 17 | 	if t == contentTypeHTML {
 18 | 		return htmlReplacer(stripTags(s), htmlNospaceNormReplacementTable, false)
 19 | 	}
 20 | 	return htmlReplacer(s, htmlNospaceReplacementTable, false)
 21 | }
 22 | 
 23 | // attrEscaper escapes for inclusion in quoted attribute values.
 24 | func attrEscaper(args ...interface{}) string {
 25 | 	s, t := stringify(args...)
 26 | 	if t == contentTypeHTML {
 27 | 		return htmlReplacer(stripTags(s), htmlNormReplacementTable, true)
 28 | 	}
 29 | 	return htmlReplacer(s, htmlReplacementTable, true)
 30 | }
 31 | 
 32 | // rcdataEscaper escapes for inclusion in an RCDATA element body.
 33 | func rcdataEscaper(args ...interface{}) string {
 34 | 	s, t := stringify(args...)
 35 | 	if t == contentTypeHTML {
 36 | 		return htmlReplacer(s, htmlNormReplacementTable, true)
 37 | 	}
 38 | 	return htmlReplacer(s, htmlReplacementTable, true)
 39 | }
 40 | 
 41 | // htmlEscaper escapes for inclusion in HTML text.
 42 | func htmlEscaper(args ...interface{}) string {
 43 | 	s, t := stringify(args...)
 44 | 	if t == contentTypeHTML {
 45 | 		return s
 46 | 	}
 47 | 	return htmlReplacer(s, htmlReplacementTable, true)
 48 | }
 49 | 
 50 | // htmlReplacementTable contains the runes that need to be escaped
 51 | // inside a quoted attribute value or in a text node.
 52 | var htmlReplacementTable = []string{
 53 | 	// http://www.w3.org/TR/html5/tokenization.html#attribute-value-unquoted-state: "
 54 | 	// U+0000 NULL Parse error. Append a U+FFFD REPLACEMENT
 55 | 	// CHARACTER character to the current attribute's value.
 56 | 	// "
 57 | 	// and similarly
 58 | 	// http://www.w3.org/TR/html5/tokenization.html#before-attribute-value-state
 59 | 	0:    "\uFFFD",
 60 | 	'"':  "&#34;",
 61 | 	'&':  "&amp;",
 62 | 	'\'': "&#39;",
 63 | 	'+':  "&#43;",
 64 | 	'<':  "&lt;",
 65 | 	'>':  "&gt;",
 66 | }
 67 | 
 68 | // htmlNormReplacementTable is like htmlReplacementTable but without '&' to
 69 | // avoid over-encoding existing entities.
 70 | var htmlNormReplacementTable = []string{
 71 | 	0:    "\uFFFD",
 72 | 	'"':  "&#34;",
 73 | 	'\'': "&#39;",
 74 | 	'+':  "&#43;",
 75 | 	'<':  "&lt;",
 76 | 	'>':  "&gt;",
 77 | }
 78 | 
 79 | // htmlNospaceReplacementTable contains the runes that need to be escaped
 80 | // inside an unquoted attribute value.
 81 | // The set of runes escaped is the union of the HTML specials and
 82 | // those determined by running the JS below in browsers:
 83 | // <div id=d></div>
 84 | // <script>(function () {
 85 | // var a = [], d = document.getElementById("d"), i, c, s;
 86 | // for (i = 0; i < 0x10000; ++i) {
 87 | //   c = String.fromCharCode(i);
 88 | //   d.innerHTML = "<span title=" + c + "lt" + c + "></span>"
 89 | //   s = d.getElementsByTagName("SPAN")[0];
 90 | //   if (!s || s.title !== c + "lt" + c) { a.push(i.toString(16)); }
 91 | // }
 92 | // document.write(a.join(", "));
 93 | // })()</script>
 94 | var htmlNospaceReplacementTable = []string{
 95 | 	0:    "&#xfffd;",
 96 | 	'\t': "&#9;",
 97 | 	'\n': "&#10;",
 98 | 	'\v': "&#11;",
 99 | 	'\f': "&#12;",
100 | 	'\r': "&#13;",
101 | 	' ':  "&#32;",
102 | 	'"':  "&#34;",
103 | 	'&':  "&amp;",
104 | 	'\'': "&#39;",
105 | 	'+':  "&#43;",
106 | 	'<':  "&lt;",
107 | 	'=':  "&#61;",
108 | 	'>':  "&gt;",
109 | 	// A parse error in the attribute value (unquoted) and
110 | 	// before attribute value states.
111 | 	// Treated as a quoting character by IE.
112 | 	'`': "&#96;",
113 | }
114 | 
115 | // htmlNospaceNormReplacementTable is like htmlNospaceReplacementTable but
116 | // without '&' to avoid over-encoding existing entities.
117 | var htmlNospaceNormReplacementTable = []string{
118 | 	0:    "&#xfffd;",
119 | 	'\t': "&#9;",
120 | 	'\n': "&#10;",
121 | 	'\v': "&#11;",
122 | 	'\f': "&#12;",
123 | 	'\r': "&#13;",
124 | 	' ':  "&#32;",
125 | 	'"':  "&#34;",
126 | 	'\'': "&#39;",
127 | 	'+':  "&#43;",
128 | 	'<':  "&lt;",
129 | 	'=':  "&#61;",
130 | 	'>':  "&gt;",
131 | 	// A parse error in the attribute value (unquoted) and
132 | 	// before attribute value states.
133 | 	// Treated as a quoting character by IE.
134 | 	'`': "&#96;",
135 | }
136 | 
137 | // htmlReplacer returns s with runes replaced according to replacementTable
138 | // and when badRunes is true, certain bad runes are allowed through unescaped.
139 | func htmlReplacer(s string, replacementTable []string, badRunes bool) string {
140 | 	written, b := 0, new(bytes.Buffer)
141 | 	for i, r := range s {
142 | 		if int(r) < len(replacementTable) {
143 | 			if repl := replacementTable[r]; len(repl) != 0 {
144 | 				b.WriteString(s[written:i])
145 | 				b.WriteString(repl)
146 | 				// Valid as long as replacementTable doesn't
147 | 				// include anything above 0x7f.
148 | 				written = i + utf8.RuneLen(r)
149 | 			}
150 | 		} else if badRunes {
151 | 			// No-op.
152 | 			// IE does not allow these ranges in unquoted attrs.
153 | 		} else if 0xfdd0 <= r && r <= 0xfdef || 0xfff0 <= r && r <= 0xffff {
154 | 			fmt.Fprintf(b, "%s&#x%x;", s[written:i], r)
155 | 			written = i + utf8.RuneLen(r)
156 | 		}
157 | 	}
158 | 	if written == 0 {
159 | 		return s
160 | 	}
161 | 	b.WriteString(s[written:])
162 | 	return b.String()
163 | }
164 | 
165 | // stripTags takes a snippet of HTML and returns only the text content.
166 | // For example, `<b>&iexcl;Hi!</b> <script>...</script>` -> `&iexcl;Hi! `.
167 | func stripTags(html string) string {
168 | 	var b bytes.Buffer
169 | 	s, c, i, allText := []byte(html), context{}, 0, true
170 | 	// Using the transition funcs helps us avoid mangling
171 | 	// `<div title="1>2">` or `I <3 Ponies!`.
172 | 	for i != len(s) {
173 | 		if c.delim == delimNone {
174 | 			st := c.state
175 | 			// Use RCDATA instead of parsing into JS or CSS styles.
176 | 			if c.element != elementNone && !isInTag(st) {
177 | 				st = stateRCDATA
178 | 			}
179 | 			d, nread := transitionFunc[st](c, s[i:])
180 | 			i1 := i + nread
181 | 			if c.state == stateText || c.state == stateRCDATA {
182 | 				// Emit text up to the start of the tag or comment.
183 | 				j := i1
184 | 				if d.state != c.state {
185 | 					for j1 := j - 1; j1 >= i; j1-- {
186 | 						if s[j1] == '<' {
187 | 							j = j1
188 | 							break
189 | 						}
190 | 					}
191 | 				}
192 | 				b.Write(s[i:j])
193 | 			} else {
194 | 				allText = false
195 | 			}
196 | 			c, i = d, i1
197 | 			continue
198 | 		}
199 | 		i1 := i + bytes.IndexAny(s[i:], delimEnds[c.delim])
200 | 		if i1 < i {
201 | 			break
202 | 		}
203 | 		if c.delim != delimSpaceOrTagEnd {
204 | 			// Consume any quote.
205 | 			i1++
206 | 		}
207 | 		c, i = context{state: stateTag, element: c.element}, i1
208 | 	}
209 | 	if allText {
210 | 		return html
211 | 	} else if c.state == stateText || c.state == stateRCDATA {
212 | 		b.Write(s[i:])
213 | 	}
214 | 	return b.String()
215 | }
216 | 
217 | // htmlNameFilter accepts valid parts of an HTML attribute or tag name or
218 | // a known-safe HTML attribute.
219 | func htmlNameFilter(args ...interface{}) string {
220 | 	s, t := stringify(args...)
221 | 	if t == contentTypeHTMLAttr {
222 | 		return s
223 | 	}
224 | 	if len(s) == 0 {
225 | 		// Avoid violation of structure preservation.
226 | 		// <input checked {{.K}}={{.V}}>.
227 | 		// Without this, if .K is empty then .V is the value of
228 | 		// checked, but otherwise .V is the value of the attribute
229 | 		// named .K.
230 | 		return filterFailsafe
231 | 	}
232 | 	s = strings.ToLower(s)
233 | 	if t := attrType(s); t != contentTypePlain {
234 | 		// TODO: Split attr and element name part filters so we can whitelist
235 | 		// attributes.
236 | 		return filterFailsafe
237 | 	}
238 | 	for _, r := range s {
239 | 		switch {
240 | 		case '0' <= r && r <= '9':
241 | 		case 'a' <= r && r <= 'z':
242 | 		default:
243 | 			return filterFailsafe
244 | 		}
245 | 	}
246 | 	return s
247 | }
248 | 
249 | // commentEscaper returns the empty string regardless of input.
250 | // Comment content does not correspond to any parsed structure or
251 | // human-readable content, so the simplest and most secure policy is to drop
252 | // content interpolated into comments.
253 | // This approach is equally valid whether or not static comment content is
254 | // removed from the template.
255 | func commentEscaper(args ...interface{}) string {
256 | 	return ""
257 | }
258 | 


--------------------------------------------------------------------------------
/v0/escape/html_test.go:
--------------------------------------------------------------------------------
 1 | // Copyright 2011 The Go Authors. All rights reserved.
 2 | // Use of this source code is governed by a BSD-style
 3 | // license that can be found in the LICENSE file.
 4 | 
 5 | package escape
 6 | 
 7 | import (
 8 | 	"html"
 9 | 	"strings"
10 | 	"testing"
11 | )
12 | 
13 | func TestHTMLNospaceEscaper(t *testing.T) {
14 | 	input := ("\x00\x01\x02\x03\x04\x05\x06\x07\x08\t\n\x0b\x0c\r\x0e\x0f" +
15 | 		"\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" +
16 | 		` !"#$%&'()*+,-./` +
17 | 		`0123456789:;<=>?` +
18 | 		`@ABCDEFGHIJKLMNO` +
19 | 		`PQRSTUVWXYZ[\]^_` +
20 | 		"`abcdefghijklmno" +
21 | 		"pqrstuvwxyz{|}~\x7f" +
22 | 		"\u00A0\u0100\u2028\u2029\ufeff\ufdec\U0001D11E")
23 | 
24 | 	want := ("&#xfffd;\x01\x02\x03\x04\x05\x06\x07" +
25 | 		"\x08&#9;&#10;&#11;&#12;&#13;\x0E\x0F" +
26 | 		"\x10\x11\x12\x13\x14\x15\x16\x17" +
27 | 		"\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" +
28 | 		`&#32;!&#34;#$%&amp;&#39;()*&#43;,-./` +
29 | 		`0123456789:;&lt;&#61;&gt;?` +
30 | 		`@ABCDEFGHIJKLMNO` +
31 | 		`PQRSTUVWXYZ[\]^_` +
32 | 		`&#96;abcdefghijklmno` +
33 | 		`pqrstuvwxyz{|}~` + "\u007f" +
34 | 		"\u00A0\u0100\u2028\u2029\ufeff&#xfdec;\U0001D11E")
35 | 
36 | 	got := htmlNospaceEscaper(input)
37 | 	if got != want {
38 | 		t.Errorf("encode: want\n\t%q\nbut got\n\t%q", want, got)
39 | 	}
40 | 
41 | 	got, want = html.UnescapeString(got), strings.Replace(input, "\x00", "\ufffd", 1)
42 | 	if want != got {
43 | 		t.Errorf("decode: want\n\t%q\nbut got\n\t%q", want, got)
44 | 	}
45 | }
46 | 
47 | func TestStripTags(t *testing.T) {
48 | 	tests := []struct {
49 | 		input, want string
50 | 	}{
51 | 		{"", ""},
52 | 		{"Hello, World!", "Hello, World!"},
53 | 		{"foo&amp;bar", "foo&amp;bar"},
54 | 		{`Hello <a href="www.example.com/">World</a>!`, "Hello World!"},
55 | 		{"Foo <textarea>Bar</textarea> Baz", "Foo Bar Baz"},
56 | 		{"Foo <!-- Bar --> Baz", "Foo  Baz"},
57 | 		{"<", "<"},
58 | 		{"foo < bar", "foo < bar"},
59 | 		{`Foo<script type="text/javascript">alert(1337)</script>Bar`, "FooBar"},
60 | 		{`Foo<div title="1>2">Bar`, "FooBar"},
61 | 		{`I <3 Ponies!`, `I <3 Ponies!`},
62 | 		{`<script>foo()</script>`, ``},
63 | 	}
64 | 
65 | 	for _, test := range tests {
66 | 		if got := stripTags(test.input); got != test.want {
67 | 			t.Errorf("%q: want %q, got %q", test.input, test.want, got)
68 | 		}
69 | 	}
70 | }
71 | 
72 | func BenchmarkHTMLNospaceEscaper(b *testing.B) {
73 | 	for i := 0; i < b.N; i++ {
74 | 		htmlNospaceEscaper("The <i>quick</i>,\r\n<span style='color:brown'>brown</span> fox jumps\u2028over the <canine class=\"lazy\">dog</canine>")
75 | 	}
76 | }
77 | 
78 | func BenchmarkHTMLNospaceEscaperNoSpecials(b *testing.B) {
79 | 	for i := 0; i < b.N; i++ {
80 | 		htmlNospaceEscaper("The_quick,_brown_fox_jumps_over_the_lazy_dog.")
81 | 	}
82 | }
83 | 
84 | func BenchmarkStripTags(b *testing.B) {
85 | 	for i := 0; i < b.N; i++ {
86 | 		stripTags("The <i>quick</i>,\r\n<span style='color:brown'>brown</span> fox jumps\u2028over the <canine class=\"lazy\">dog</canine>")
87 | 	}
88 | }
89 | 
90 | func BenchmarkStripTagsNoSpecials(b *testing.B) {
91 | 	for i := 0; i < b.N; i++ {
92 | 		stripTags("The quick, brown fox jumps over the lazy dog.")
93 | 	}
94 | }
95 | 


--------------------------------------------------------------------------------
/v0/escape/js.go:
--------------------------------------------------------------------------------
  1 | // Copyright 2011 The Go Authors. All rights reserved.
  2 | // Use of this source code is governed by a BSD-style
  3 | // license that can be found in the LICENSE file.
  4 | 
  5 | package escape
  6 | 
  7 | import (
  8 | 	"bytes"
  9 | 	"encoding/json"
 10 | 	"fmt"
 11 | 	"reflect"
 12 | 	"strings"
 13 | 	"unicode/utf8"
 14 | )
 15 | 
 16 | // nextJSCtx returns the context that determines whether a slash after the
 17 | // given run of tokens starts a regular expression instead of a division
 18 | // operator: / or /=.
 19 | //
 20 | // This assumes that the token run does not include any string tokens, comment
 21 | // tokens, regular expression literal tokens, or division operators.
 22 | //
 23 | // This fails on some valid but nonsensical JavaScript programs like
 24 | // "x = ++/foo/i" which is quite different than "x++/foo/i", but is not known to
 25 | // fail on any known useful programs. It is based on the draft
 26 | // JavaScript 2.0 lexical grammar and requires one token of lookbehind:
 27 | // http://www.mozilla.org/js/language/js20-2000-07/rationale/syntax.html
 28 | func nextJSCtx(s []byte, preceding jsCtx) jsCtx {
 29 | 	s = bytes.TrimRight(s, "\t\n\f\r \u2028\u2029")
 30 | 	if len(s) == 0 {
 31 | 		return preceding
 32 | 	}
 33 | 
 34 | 	// All cases below are in the single-byte UTF-8 group.
 35 | 	switch c, n := s[len(s)-1], len(s); c {
 36 | 	case '+', '-':
 37 | 		// ++ and -- are not regexp preceders, but + and - are whether
 38 | 		// they are used as infix or prefix operators.
 39 | 		start := n - 1
 40 | 		// Count the number of adjacent dashes or pluses.
 41 | 		for start > 0 && s[start-1] == c {
 42 | 			start--
 43 | 		}
 44 | 		if (n-start)&1 == 1 {
 45 | 			// Reached for trailing minus signs since "---" is the
 46 | 			// same as "-- -".
 47 | 			return jsCtxRegexp
 48 | 		}
 49 | 		return jsCtxDivOp
 50 | 	case '.':
 51 | 		// Handle "42."
 52 | 		if n != 1 && '0' <= s[n-2] && s[n-2] <= '9' {
 53 | 			return jsCtxDivOp
 54 | 		}
 55 | 		return jsCtxRegexp
 56 | 	// Suffixes for all punctuators from section 7.7 of the language spec
 57 | 	// that only end binary operators not handled above.
 58 | 	case ',', '<', '>', '=', '*', '%', '&', '|', '^', '?':
 59 | 		return jsCtxRegexp
 60 | 	// Suffixes for all punctuators from section 7.7 of the language spec
 61 | 	// that are prefix operators not handled above.
 62 | 	case '!', '~':
 63 | 		return jsCtxRegexp
 64 | 	// Matches all the punctuators from section 7.7 of the language spec
 65 | 	// that are open brackets not handled above.
 66 | 	case '(', '[':
 67 | 		return jsCtxRegexp
 68 | 	// Matches all the punctuators from section 7.7 of the language spec
 69 | 	// that precede expression starts.
 70 | 	case ':', ';', '{':
 71 | 		return jsCtxRegexp
 72 | 	// CAVEAT: the close punctuators ('}', ']', ')') precede div ops and
 73 | 	// are handled in the default except for '}' which can precede a
 74 | 	// division op as in
 75 | 	//    ({ valueOf: function () { return 42 } } / 2
 76 | 	// which is valid, but, in practice, developers don't divide object
 77 | 	// literals, so our heuristic works well for code like
 78 | 	//    function () { ... }  /foo/.test(x) && sideEffect();
 79 | 	// The ')' punctuator can precede a regular expression as in
 80 | 	//     if (b) /foo/.test(x) && ...
 81 | 	// but this is much less likely than
 82 | 	//     (a + b) / c
 83 | 	case '}':
 84 | 		return jsCtxRegexp
 85 | 	default:
 86 | 		// Look for an IdentifierName and see if it is a keyword that
 87 | 		// can precede a regular expression.
 88 | 		j := n
 89 | 		for j > 0 && isJSIdentPart(rune(s[j-1])) {
 90 | 			j--
 91 | 		}
 92 | 		if regexpPrecederKeywords[string(s[j:])] {
 93 | 			return jsCtxRegexp
 94 | 		}
 95 | 	}
 96 | 	// Otherwise is a punctuator not listed above, or
 97 | 	// a string which precedes a div op, or an identifier
 98 | 	// which precedes a div op.
 99 | 	return jsCtxDivOp
100 | }
101 | 
102 | // regexPrecederKeywords is a set of reserved JS keywords that can precede a
103 | // regular expression in JS source.
104 | var regexpPrecederKeywords = map[string]bool{
105 | 	"break":      true,
106 | 	"case":       true,
107 | 	"continue":   true,
108 | 	"delete":     true,
109 | 	"do":         true,
110 | 	"else":       true,
111 | 	"finally":    true,
112 | 	"in":         true,
113 | 	"instanceof": true,
114 | 	"return":     true,
115 | 	"throw":      true,
116 | 	"try":        true,
117 | 	"typeof":     true,
118 | 	"void":       true,
119 | }
120 | 
121 | var jsonMarshalType = reflect.TypeOf((*json.Marshaler)(nil)).Elem()
122 | 
123 | // indirectToJSONMarshaler returns the value, after dereferencing as many times
124 | // as necessary to reach the base type (or nil) or an implementation of json.Marshal.
125 | func indirectToJSONMarshaler(a interface{}) interface{} {
126 | 	v := reflect.ValueOf(a)
127 | 	for !v.Type().Implements(jsonMarshalType) && v.Kind() == reflect.Ptr && !v.IsNil() {
128 | 		v = v.Elem()
129 | 	}
130 | 	return v.Interface()
131 | }
132 | 
133 | // jsValEscaper escapes its inputs to a JS Expression (section 11.14) that has
134 | // neither side-effects nor free variables outside (NaN, Infinity).
135 | func jsValEscaper(args ...interface{}) string {
136 | 	var a interface{}
137 | 	if len(args) == 1 {
138 | 		a = indirectToJSONMarshaler(args[0])
139 | 		switch t := a.(type) {
140 | 		case JS:
141 | 			return string(t)
142 | 		case JSStr:
143 | 			// TODO: normalize quotes.
144 | 			return `"` + string(t) + `"`
145 | 		case json.Marshaler:
146 | 			// Do not treat as a Stringer.
147 | 		case fmt.Stringer:
148 | 			a = t.String()
149 | 		}
150 | 	} else {
151 | 		for i, arg := range args {
152 | 			args[i] = indirectToJSONMarshaler(arg)
153 | 		}
154 | 		a = fmt.Sprint(args...)
155 | 	}
156 | 	// TODO: detect cycles before calling Marshal which loops infinitely on
157 | 	// cyclic data. This may be an unacceptable DoS risk.
158 | 
159 | 	b, err := json.Marshal(a)
160 | 	if err != nil {
161 | 		// Put a space before comment so that if it is flush against
162 | 		// a division operator it is not turned into a line comment:
163 | 		//     x/{{y}}
164 | 		// turning into
165 | 		//     x//* error marshalling y:
166 | 		//          second line of error message */null
167 | 		return fmt.Sprintf(" /* %s */null ", strings.Replace(err.Error(), "*/", "* /", -1))
168 | 	}
169 | 
170 | 	// TODO: maybe post-process output to prevent it from containing
171 | 	// "<!--", "-->", "<![CDATA[", "]]>", or "</script"
172 | 	// in case custom marshallers produce output containing those.
173 | 
174 | 	// TODO: Maybe abbreviate \u00ab to \xab to produce more compact output.
175 | 	if len(b) == 0 {
176 | 		// In, `x=y/{{.}}*z` a json.Marshaler that produces "" should
177 | 		// not cause the output `x=y/*z`.
178 | 		return " null "
179 | 	}
180 | 	first, _ := utf8.DecodeRune(b)
181 | 	last, _ := utf8.DecodeLastRune(b)
182 | 	var buf bytes.Buffer
183 | 	// Prevent IdentifierNames and NumericLiterals from running into
184 | 	// keywords: in, instanceof, typeof, void
185 | 	pad := isJSIdentPart(first) || isJSIdentPart(last)
186 | 	if pad {
187 | 		buf.WriteByte(' ')
188 | 	}
189 | 	written := 0
190 | 	// Make sure that json.Marshal escapes codepoints U+2028 & U+2029
191 | 	// so it falls within the subset of JSON which is valid JS.
192 | 	for i := 0; i < len(b); {
193 | 		rune, n := utf8.DecodeRune(b[i:])
194 | 		repl := ""
195 | 		if rune == 0x2028 {
196 | 			repl = `\u2028`
197 | 		} else if rune == 0x2029 {
198 | 			repl = `\u2029`
199 | 		}
200 | 		if repl != "" {
201 | 			buf.Write(b[written:i])
202 | 			buf.WriteString(repl)
203 | 			written = i + n
204 | 		}
205 | 		i += n
206 | 	}
207 | 	if buf.Len() != 0 {
208 | 		buf.Write(b[written:])
209 | 		if pad {
210 | 			buf.WriteByte(' ')
211 | 		}
212 | 		b = buf.Bytes()
213 | 	}
214 | 	return string(b)
215 | }
216 | 
217 | // jsStrEscaper produces a string that can be included between quotes in
218 | // JavaScript source, in JavaScript embedded in an HTML5 <script> element,
219 | // or in an HTML5 event handler attribute such as onclick.
220 | func jsStrEscaper(args ...interface{}) string {
221 | 	s, t := stringify(args...)
222 | 	if t == contentTypeJSStr {
223 | 		return replace(s, jsStrNormReplacementTable)
224 | 	}
225 | 	return replace(s, jsStrReplacementTable)
226 | }
227 | 
228 | // jsRegexpEscaper behaves like jsStrEscaper but escapes regular expression
229 | // specials so the result is treated literally when included in a regular
230 | // expression literal. /foo{{.X}}bar/ matches the string "foo" followed by
231 | // the literal text of {{.X}} followed by the string "bar".
232 | func jsRegexpEscaper(args ...interface{}) string {
233 | 	s, _ := stringify(args...)
234 | 	s = replace(s, jsRegexpReplacementTable)
235 | 	if s == "" {
236 | 		// /{{.X}}/ should not produce a line comment when .X == "".
237 | 		return "(?:)"
238 | 	}
239 | 	return s
240 | }
241 | 
242 | // replace replaces each rune r of s with replacementTable[r], provided that
243 | // r < len(replacementTable). If replacementTable[r] is the empty string then
244 | // no replacement is made.
245 | // It also replaces runes U+2028 and U+2029 with the raw strings `\u2028` and
246 | // `\u2029`.
247 | func replace(s string, replacementTable []string) string {
248 | 	var b bytes.Buffer
249 | 	written := 0
250 | 	for i, r := range s {
251 | 		var repl string
252 | 		switch {
253 | 		case int(r) < len(replacementTable) && replacementTable[r] != "":
254 | 			repl = replacementTable[r]
255 | 		case r == '\u2028':
256 | 			repl = `\u2028`
257 | 		case r == '\u2029':
258 | 			repl = `\u2029`
259 | 		default:
260 | 			continue
261 | 		}
262 | 		b.WriteString(s[written:i])
263 | 		b.WriteString(repl)
264 | 		written = i + utf8.RuneLen(r)
265 | 	}
266 | 	if written == 0 {
267 | 		return s
268 | 	}
269 | 	b.WriteString(s[written:])
270 | 	return b.String()
271 | }
272 | 
273 | var jsStrReplacementTable = []string{
274 | 	0:    `\0`,
275 | 	'\t': `\t`,
276 | 	'\n': `\n`,
277 | 	'\v': `\x0b`, // "\v" == "v" on IE 6.
278 | 	'\f': `\f`,
279 | 	'\r': `\r`,
280 | 	// Encode HTML specials as hex so the output can be embedded
281 | 	// in HTML attributes without further encoding.
282 | 	'"':  `\x22`,
283 | 	'&':  `\x26`,
284 | 	'\'': `\x27`,
285 | 	'+':  `\x2b`,
286 | 	'/':  `\/`,
287 | 	'<':  `\x3c`,
288 | 	'>':  `\x3e`,
289 | 	'\\': `\\`,
290 | }
291 | 
292 | // jsStrNormReplacementTable is like jsStrReplacementTable but does not
293 | // overencode existing escapes since this table has no entry for `\`.
294 | var jsStrNormReplacementTable = []string{
295 | 	0:    `\0`,
296 | 	'\t': `\t`,
297 | 	'\n': `\n`,
298 | 	'\v': `\x0b`, // "\v" == "v" on IE 6.
299 | 	'\f': `\f`,
300 | 	'\r': `\r`,
301 | 	// Encode HTML specials as hex so the output can be embedded
302 | 	// in HTML attributes without further encoding.
303 | 	'"':  `\x22`,
304 | 	'&':  `\x26`,
305 | 	'\'': `\x27`,
306 | 	'+':  `\x2b`,
307 | 	'/':  `\/`,
308 | 	'<':  `\x3c`,
309 | 	'>':  `\x3e`,
310 | }
311 | 
312 | var jsRegexpReplacementTable = []string{
313 | 	0:    `\0`,
314 | 	'\t': `\t`,
315 | 	'\n': `\n`,
316 | 	'\v': `\x0b`, // "\v" == "v" on IE 6.
317 | 	'\f': `\f`,
318 | 	'\r': `\r`,
319 | 	// Encode HTML specials as hex so the output can be embedded
320 | 	// in HTML attributes without further encoding.
321 | 	'"':  `\x22`,
322 | 	'$':  `\$`,
323 | 	'&':  `\x26`,
324 | 	'\'': `\x27`,
325 | 	'(':  `\(`,
326 | 	')':  `\)`,
327 | 	'*':  `\*`,
328 | 	'+':  `\x2b`,
329 | 	'-':  `\-`,
330 | 	'.':  `\.`,
331 | 	'/':  `\/`,
332 | 	'<':  `\x3c`,
333 | 	'>':  `\x3e`,
334 | 	'?':  `\?`,
335 | 	'[':  `\[`,
336 | 	'\\': `\\`,
337 | 	']':  `\]`,
338 | 	'^':  `\^`,
339 | 	'{':  `\{`,
340 | 	'|':  `\|`,
341 | 	'}':  `\}`,
342 | }
343 | 
344 | // isJSIdentPart returns whether the given rune is a JS identifier part.
345 | // It does not handle all the non-Latin letters, joiners, and combining marks,
346 | // but it does handle every codepoint that can occur in a numeric literal or
347 | // a keyword.
348 | func isJSIdentPart(r rune) bool {
349 | 	switch {
350 | 	case r == '$':
351 | 		return true
352 | 	case '0' <= r && r <= '9':
353 | 		return true
354 | 	case 'A' <= r && r <= 'Z':
355 | 		return true
356 | 	case r == '_':
357 | 		return true
358 | 	case 'a' <= r && r <= 'z':
359 | 		return true
360 | 	}
361 | 	return false
362 | }
363 | 


--------------------------------------------------------------------------------
/v0/escape/js_test.go:
--------------------------------------------------------------------------------
  1 | // Copyright 2011 The Go Authors. All rights reserved.
  2 | // Use of this source code is governed by a BSD-style
  3 | // license that can be found in the LICENSE file.
  4 | 
  5 | package escape
  6 | 
  7 | import (
  8 | 	"bytes"
  9 | 	"math"
 10 | 	"strings"
 11 | 	"testing"
 12 | )
 13 | 
 14 | func TestNextJsCtx(t *testing.T) {
 15 | 	tests := []struct {
 16 | 		jsCtx jsCtx
 17 | 		s     string
 18 | 	}{
 19 | 		// Statement terminators precede regexps.
 20 | 		{jsCtxRegexp, ";"},
 21 | 		// This is not airtight.
 22 | 		//     ({ valueOf: function () { return 1 } } / 2)
 23 | 		// is valid JavaScript but in practice, devs do not do this.
 24 | 		// A block followed by a statement starting with a RegExp is
 25 | 		// much more common:
 26 | 		//     while (x) {...} /foo/.test(x) || panic()
 27 | 		{jsCtxRegexp, "}"},
 28 | 		// But member, call, grouping, and array expression terminators
 29 | 		// precede div ops.
 30 | 		{jsCtxDivOp, ")"},
 31 | 		{jsCtxDivOp, "]"},
 32 | 		// At the start of a primary expression, array, or expression
 33 | 		// statement, expect a regexp.
 34 | 		{jsCtxRegexp, "("},
 35 | 		{jsCtxRegexp, "["},
 36 | 		{jsCtxRegexp, "{"},
 37 | 		// Assignment operators precede regexps as do all exclusively
 38 | 		// prefix and binary operators.
 39 | 		{jsCtxRegexp, "="},
 40 | 		{jsCtxRegexp, "+="},
 41 | 		{jsCtxRegexp, "*="},
 42 | 		{jsCtxRegexp, "*"},
 43 | 		{jsCtxRegexp, "!"},
 44 | 		// Whether the + or - is infix or prefix, it cannot precede a
 45 | 		// div op.
 46 | 		{jsCtxRegexp, "+"},
 47 | 		{jsCtxRegexp, "-"},
 48 | 		// An incr/decr op precedes a div operator.
 49 | 		// This is not airtight. In (g = ++/h/i) a regexp follows a
 50 | 		// pre-increment operator, but in practice devs do not try to
 51 | 		// increment or decrement regular expressions.
 52 | 		// (g++/h/i) where ++ is a postfix operator on g is much more
 53 | 		// common.
 54 | 		{jsCtxDivOp, "--"},
 55 | 		{jsCtxDivOp, "++"},
 56 | 		{jsCtxDivOp, "x--"},
 57 | 		// When we have many dashes or pluses, then they are grouped
 58 | 		// left to right.
 59 | 		{jsCtxRegexp, "x---"}, // A postfix -- then a -.
 60 | 		// return followed by a slash returns the regexp literal or the
 61 | 		// slash starts a regexp literal in an expression statement that
 62 | 		// is dead code.
 63 | 		{jsCtxRegexp, "return"},
 64 | 		{jsCtxRegexp, "return "},
 65 | 		{jsCtxRegexp, "return\t"},
 66 | 		{jsCtxRegexp, "return\n"},
 67 | 		{jsCtxRegexp, "return\u2028"},
 68 | 		// Identifiers can be divided and cannot validly be preceded by
 69 | 		// a regular expressions. Semicolon insertion cannot happen
 70 | 		// between an identifier and a regular expression on a new line
 71 | 		// because the one token lookahead for semicolon insertion has
 72 | 		// to conclude that it could be a div binary op and treat it as
 73 | 		// such.
 74 | 		{jsCtxDivOp, "x"},
 75 | 		{jsCtxDivOp, "x "},
 76 | 		{jsCtxDivOp, "x\t"},
 77 | 		{jsCtxDivOp, "x\n"},
 78 | 		{jsCtxDivOp, "x\u2028"},
 79 | 		{jsCtxDivOp, "preturn"},
 80 | 		// Numbers precede div ops.
 81 | 		{jsCtxDivOp, "0"},
 82 | 		// Dots that are part of a number are div preceders.
 83 | 		{jsCtxDivOp, "0."},
 84 | 	}
 85 | 
 86 | 	for _, test := range tests {
 87 | 		if nextJSCtx([]byte(test.s), jsCtxRegexp) != test.jsCtx {
 88 | 			t.Errorf("want %s got %q", test.jsCtx, test.s)
 89 | 		}
 90 | 		if nextJSCtx([]byte(test.s), jsCtxDivOp) != test.jsCtx {
 91 | 			t.Errorf("want %s got %q", test.jsCtx, test.s)
 92 | 		}
 93 | 	}
 94 | 
 95 | 	if nextJSCtx([]byte("   "), jsCtxRegexp) != jsCtxRegexp {
 96 | 		t.Error("Blank tokens")
 97 | 	}
 98 | 
 99 | 	if nextJSCtx([]byte("   "), jsCtxDivOp) != jsCtxDivOp {
100 | 		t.Error("Blank tokens")
101 | 	}
102 | }
103 | 
104 | func TestJSValEscaper(t *testing.T) {
105 | 	tests := []struct {
106 | 		x  interface{}
107 | 		js string
108 | 	}{
109 | 		{int(42), " 42 "},
110 | 		{uint(42), " 42 "},
111 | 		{int16(42), " 42 "},
112 | 		{uint16(42), " 42 "},
113 | 		{int32(-42), " -42 "},
114 | 		{uint32(42), " 42 "},
115 | 		{int16(-42), " -42 "},
116 | 		{uint16(42), " 42 "},
117 | 		{int64(-42), " -42 "},
118 | 		{uint64(42), " 42 "},
119 | 		{uint64(1) << 53, " 9007199254740992 "},
120 | 		// ulp(1 << 53) > 1 so this loses precision in JS
121 | 		// but it is still a representable integer literal.
122 | 		{uint64(1)<<53 + 1, " 9007199254740993 "},
123 | 		{float32(1.0), " 1 "},
124 | 		{float32(-1.0), " -1 "},
125 | 		{float32(0.5), " 0.5 "},
126 | 		{float32(-0.5), " -0.5 "},
127 | 		{float32(1.0) / float32(256), " 0.00390625 "},
128 | 		{float32(0), " 0 "},
129 | 		{math.Copysign(0, -1), " -0 "},
130 | 		{float64(1.0), " 1 "},
131 | 		{float64(-1.0), " -1 "},
132 | 		{float64(0.5), " 0.5 "},
133 | 		{float64(-0.5), " -0.5 "},
134 | 		{float64(0), " 0 "},
135 | 		{math.Copysign(0, -1), " -0 "},
136 | 		{"", `""`},
137 | 		{"foo", `"foo"`},
138 | 		// Newlines.
139 | 		{"\r\n\u2028\u2029", `"\r\n\u2028\u2029"`},
140 | 		// "\v" == "v" on IE 6 so use "\x0b" instead.
141 | 		{"\t\x0b", `"\u0009\u000b"`},
142 | 		{struct{ X, Y int }{1, 2}, `{"X":1,"Y":2}`},
143 | 		{[]interface{}{}, "[]"},
144 | 		{[]interface{}{42, "foo", nil}, `[42,"foo",null]`},
145 | 		{[]string{"<!--", "</script>", "-->"}, `["\u003c!--","\u003c/script\u003e","--\u003e"]`},
146 | 		{"<!--", `"\u003c!--"`},
147 | 		{"-->", `"--\u003e"`},
148 | 		{"<![CDATA[", `"\u003c![CDATA["`},
149 | 		{"]]>", `"]]\u003e"`},
150 | 		{"</script", `"\u003c/script"`},
151 | 		{"\U0001D11E", "\"\U0001D11E\""}, // or "\uD834\uDD1E"
152 | 	}
153 | 
154 | 	for _, test := range tests {
155 | 		if js := jsValEscaper(test.x); js != test.js {
156 | 			t.Errorf("%+v: want\n\t%q\ngot\n\t%q", test.x, test.js, js)
157 | 		}
158 | 		// Make sure that escaping corner cases are not broken
159 | 		// by nesting.
160 | 		a := []interface{}{test.x}
161 | 		want := "[" + strings.TrimSpace(test.js) + "]"
162 | 		if js := jsValEscaper(a); js != want {
163 | 			t.Errorf("%+v: want\n\t%q\ngot\n\t%q", a, want, js)
164 | 		}
165 | 	}
166 | }
167 | 
168 | func TestJSStrEscaper(t *testing.T) {
169 | 	tests := []struct {
170 | 		x   interface{}
171 | 		esc string
172 | 	}{
173 | 		{"", ``},
174 | 		{"foo", `foo`},
175 | 		{"\u0000", `\0`},
176 | 		{"\t", `\t`},
177 | 		{"\n", `\n`},
178 | 		{"\r", `\r`},
179 | 		{"\u2028", `\u2028`},
180 | 		{"\u2029", `\u2029`},
181 | 		{"\\", `\\`},
182 | 		{"\\n", `\\n`},
183 | 		{"foo\r\nbar", `foo\r\nbar`},
184 | 		// Preserve attribute boundaries.
185 | 		{`"`, `\x22`},
186 | 		{`'`, `\x27`},
187 | 		// Allow embedding in HTML without further escaping.
188 | 		{`&amp;`, `\x26amp;`},
189 | 		// Prevent breaking out of text node and element boundaries.
190 | 		{"</script>", `\x3c\/script\x3e`},
191 | 		{"<![CDATA[", `\x3c![CDATA[`},
192 | 		{"]]>", `]]\x3e`},
193 | 		// http://dev.w3.org/html5/markup/aria/syntax.html#escaping-text-span
194 | 		//   "The text in style, script, title, and textarea elements
195 | 		//   must not have an escaping text span start that is not
196 | 		//   followed by an escaping text span end."
197 | 		// Furthermore, spoofing an escaping text span end could lead
198 | 		// to different interpretation of a </script> sequence otherwise
199 | 		// masked by the escaping text span, and spoofing a start could
200 | 		// allow regular text content to be interpreted as script
201 | 		// allowing script execution via a combination of a JS string
202 | 		// injection followed by an HTML text injection.
203 | 		{"<!--", `\x3c!--`},
204 | 		{"-->", `--\x3e`},
205 | 		// From http://code.google.com/p/doctype/wiki/ArticleUtf7
206 | 		{"+ADw-script+AD4-alert(1)+ADw-/script+AD4-",
207 | 			`\x2bADw-script\x2bAD4-alert(1)\x2bADw-\/script\x2bAD4-`,
208 | 		},
209 | 		// Invalid UTF-8 sequence
210 | 		{"foo\xA0bar", "foo\xA0bar"},
211 | 		// Invalid unicode scalar value.
212 | 		{"foo\xed\xa0\x80bar", "foo\xed\xa0\x80bar"},
213 | 	}
214 | 
215 | 	for _, test := range tests {
216 | 		esc := jsStrEscaper(test.x)
217 | 		if esc != test.esc {
218 | 			t.Errorf("%q: want %q got %q", test.x, test.esc, esc)
219 | 		}
220 | 	}
221 | }
222 | 
223 | func TestJSRegexpEscaper(t *testing.T) {
224 | 	tests := []struct {
225 | 		x   interface{}
226 | 		esc string
227 | 	}{
228 | 		{"", `(?:)`},
229 | 		{"foo", `foo`},
230 | 		{"\u0000", `\0`},
231 | 		{"\t", `\t`},
232 | 		{"\n", `\n`},
233 | 		{"\r", `\r`},
234 | 		{"\u2028", `\u2028`},
235 | 		{"\u2029", `\u2029`},
236 | 		{"\\", `\\`},
237 | 		{"\\n", `\\n`},
238 | 		{"foo\r\nbar", `foo\r\nbar`},
239 | 		// Preserve attribute boundaries.
240 | 		{`"`, `\x22`},
241 | 		{`'`, `\x27`},
242 | 		// Allow embedding in HTML without further escaping.
243 | 		{`&amp;`, `\x26amp;`},
244 | 		// Prevent breaking out of text node and element boundaries.
245 | 		{"</script>", `\x3c\/script\x3e`},
246 | 		{"<![CDATA[", `\x3c!\[CDATA\[`},
247 | 		{"]]>", `\]\]\x3e`},
248 | 		// Escaping text spans.
249 | 		{"<!--", `\x3c!\-\-`},
250 | 		{"-->", `\-\-\x3e`},
251 | 		{"*", `\*`},
252 | 		{"+", `\x2b`},
253 | 		{"?", `\?`},
254 | 		{"[](){}", `\[\]\(\)\{\}`},
255 | 		{"$foo|x.y", `\$foo\|x\.y`},
256 | 		{"x^y", `x\^y`},
257 | 	}
258 | 
259 | 	for _, test := range tests {
260 | 		esc := jsRegexpEscaper(test.x)
261 | 		if esc != test.esc {
262 | 			t.Errorf("%q: want %q got %q", test.x, test.esc, esc)
263 | 		}
264 | 	}
265 | }
266 | 
267 | func TestEscapersOnLower7AndSelectHighCodepoints(t *testing.T) {
268 | 	input := ("\x00\x01\x02\x03\x04\x05\x06\x07\x08\t\n\x0b\x0c\r\x0e\x0f" +
269 | 		"\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" +
270 | 		` !"#$%&'()*+,-./` +
271 | 		`0123456789:;<=>?` +
272 | 		`@ABCDEFGHIJKLMNO` +
273 | 		`PQRSTUVWXYZ[\]^_` +
274 | 		"`abcdefghijklmno" +
275 | 		"pqrstuvwxyz{|}~\x7f" +
276 | 		"\u00A0\u0100\u2028\u2029\ufeff\U0001D11E")
277 | 
278 | 	tests := []struct {
279 | 		name    string
280 | 		escaper func(...interface{}) string
281 | 		escaped string
282 | 	}{
283 | 		{
284 | 			"jsStrEscaper",
285 | 			jsStrEscaper,
286 | 			"\\0\x01\x02\x03\x04\x05\x06\x07" +
287 | 				"\x08\\t\\n\\x0b\\f\\r\x0E\x0F" +
288 | 				"\x10\x11\x12\x13\x14\x15\x16\x17" +
289 | 				"\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" +
290 | 				` !\x22#$%\x26\x27()*\x2b,-.\/` +
291 | 				`0123456789:;\x3c=\x3e?` +
292 | 				`@ABCDEFGHIJKLMNO` +
293 | 				`PQRSTUVWXYZ[\\]^_` +
294 | 				"`abcdefghijklmno" +
295 | 				"pqrstuvwxyz{|}~\x7f" +
296 | 				"\u00A0\u0100\\u2028\\u2029\ufeff\U0001D11E",
297 | 		},
298 | 		{
299 | 			"jsRegexpEscaper",
300 | 			jsRegexpEscaper,
301 | 			"\\0\x01\x02\x03\x04\x05\x06\x07" +
302 | 				"\x08\\t\\n\\x0b\\f\\r\x0E\x0F" +
303 | 				"\x10\x11\x12\x13\x14\x15\x16\x17" +
304 | 				"\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" +
305 | 				` !\x22#\$%\x26\x27\(\)\*\x2b,\-\.\/` +
306 | 				`0123456789:;\x3c=\x3e\?` +
307 | 				`@ABCDEFGHIJKLMNO` +
308 | 				`PQRSTUVWXYZ\[\\\]\^_` +
309 | 				"`abcdefghijklmno" +
310 | 				`pqrstuvwxyz\{\|\}~` + "\u007f" +
311 | 				"\u00A0\u0100\\u2028\\u2029\ufeff\U0001D11E",
312 | 		},
313 | 	}
314 | 
315 | 	for _, test := range tests {
316 | 		if s := test.escaper(input); s != test.escaped {
317 | 			t.Errorf("%s once: want\n\t%q\ngot\n\t%q", test.name, test.escaped, s)
318 | 			continue
319 | 		}
320 | 
321 | 		// Escape it rune by rune to make sure that any
322 | 		// fast-path checking does not break escaping.
323 | 		var buf bytes.Buffer
324 | 		for _, c := range input {
325 | 			buf.WriteString(test.escaper(string(c)))
326 | 		}
327 | 
328 | 		if s := buf.String(); s != test.escaped {
329 | 			t.Errorf("%s rune-wise: want\n\t%q\ngot\n\t%q", test.name, test.escaped, s)
330 | 			continue
331 | 		}
332 | 	}
333 | }
334 | 
335 | func TestJSEscaping(t *testing.T) {
336 | 	testCases := []struct {
337 | 		in, exp string
338 | 	}{
339 | 		{`a`, `a`},
340 | 		{`'foo`, `\'foo`},
341 | 		{`Go "jump" \`, `Go \"jump\" \\`},
342 | 		{`Yukihiro says "今日は世界"`, `Yukihiro says \"今日は世界\"`},
343 | 		{"unprintable \uFDFF", `unprintable \uFDFF`},
344 | 		{`<html>`, `\x3Chtml\x3E`},
345 | 	}
346 | 	for _, tc := range testCases {
347 | 		s := JSEscapeString(tc.in)
348 | 		if s != tc.exp {
349 | 			t.Errorf("JS escaping [%s] got [%s] want [%s]", tc.in, s, tc.exp)
350 | 		}
351 | 	}
352 | }
353 | 
354 | func BenchmarkJSValEscaperWithNum(b *testing.B) {
355 | 	for i := 0; i < b.N; i++ {
356 | 		jsValEscaper(3.141592654)
357 | 	}
358 | }
359 | 
360 | func BenchmarkJSValEscaperWithStr(b *testing.B) {
361 | 	for i := 0; i < b.N; i++ {
362 | 		jsValEscaper("The <i>quick</i>,\r\n<span style='color:brown'>brown</span> fox jumps\u2028over the <canine class=\"lazy\">dog</canine>")
363 | 	}
364 | }
365 | 
366 | func BenchmarkJSValEscaperWithStrNoSpecials(b *testing.B) {
367 | 	for i := 0; i < b.N; i++ {
368 | 		jsValEscaper("The quick, brown fox jumps over the lazy dog")
369 | 	}
370 | }
371 | 
372 | func BenchmarkJSValEscaperWithObj(b *testing.B) {
373 | 	o := struct {
374 | 		S string
375 | 		N int
376 | 	}{
377 | 		"The <i>quick</i>,\r\n<span style='color:brown'>brown</span> fox jumps\u2028over the <canine class=\"lazy\">dog</canine>\u2028",
378 | 		42,
379 | 	}
380 | 	for i := 0; i < b.N; i++ {
381 | 		jsValEscaper(o)
382 | 	}
383 | }
384 | 
385 | func BenchmarkJSValEscaperWithObjNoSpecials(b *testing.B) {
386 | 	o := struct {
387 | 		S string
388 | 		N int
389 | 	}{
390 | 		"The quick, brown fox jumps over the lazy dog",
391 | 		42,
392 | 	}
393 | 	for i := 0; i < b.N; i++ {
394 | 		jsValEscaper(o)
395 | 	}
396 | }
397 | 
398 | func BenchmarkJSStrEscaperNoSpecials(b *testing.B) {
399 | 	for i := 0; i < b.N; i++ {
400 | 		jsStrEscaper("The quick, brown fox jumps over the lazy dog.")
401 | 	}
402 | }
403 | 
404 | func BenchmarkJSStrEscaper(b *testing.B) {
405 | 	for i := 0; i < b.N; i++ {
406 | 		jsStrEscaper("The <i>quick</i>,\r\n<span style='color:brown'>brown</span> fox jumps\u2028over the <canine class=\"lazy\">dog</canine>")
407 | 	}
408 | }
409 | 
410 | func BenchmarkJSRegexpEscaperNoSpecials(b *testing.B) {
411 | 	for i := 0; i < b.N; i++ {
412 | 		jsRegexpEscaper("The quick, brown fox jumps over the lazy dog")
413 | 	}
414 | }
415 | 
416 | func BenchmarkJSRegexpEscaper(b *testing.B) {
417 | 	for i := 0; i < b.N; i++ {
418 | 		jsRegexpEscaper("The <i>quick</i>,\r\n<span style='color:brown'>brown</span> fox jumps\u2028over the <canine class=\"lazy\">dog</canine>")
419 | 	}
420 | }
421 | 


--------------------------------------------------------------------------------
/v0/escape/pipeline.go:
--------------------------------------------------------------------------------
  1 | // Copyright 2011 The Go Authors. All rights reserved.
  2 | // Use of this source code is governed by a BSD-style
  3 | // license that can be found in the LICENSE file.
  4 | 
  5 | package escape
  6 | 
  7 | import (
  8 | 	"github.com/gorilla/template/v0/parse"
  9 | )
 10 | 
 11 | // redundantFuncs[a][b] implies that FuncMap[b](FuncMap[a](x)) == FuncMap[a](x)
 12 | // for all x.
 13 | var redundantFuncs = map[string]map[string]bool{
 14 | 	"html_template_commentescaper": {
 15 | 		"html_template_attrescaper":    true,
 16 | 		"html_template_nospaceescaper": true,
 17 | 		"html_template_htmlescaper":    true,
 18 | 	},
 19 | 	"html_template_cssescaper": {
 20 | 		"html_template_attrescaper": true,
 21 | 	},
 22 | 	"html_template_jsregexpescaper": {
 23 | 		"html_template_attrescaper": true,
 24 | 	},
 25 | 	"html_template_jsstrescaper": {
 26 | 		"html_template_attrescaper": true,
 27 | 	},
 28 | 	"html_template_urlescaper": {
 29 | 		"html_template_urlnormalizer": true,
 30 | 	},
 31 | }
 32 | 
 33 | // equivEscapers matches contextual escapers to equivalent template builtins.
 34 | var equivEscapers = map[string]string{
 35 | 	"html_template_attrescaper":    "html",
 36 | 	"html_template_htmlescaper":    "html",
 37 | 	"html_template_nospaceescaper": "html",
 38 | 	"html_template_rcdataescaper":  "html",
 39 | 	"html_template_urlescaper":     "urlquery",
 40 | 	"html_template_urlnormalizer":  "urlquery",
 41 | }
 42 | 
 43 | // ensurePipelineContains ensures that the pipeline has commands with
 44 | // the identifiers in s in order.
 45 | // If the pipeline already has some of the sanitizers, do not interfere.
 46 | // For example, if p is (.X | html) and s is ["escapeJSVal", "html"] then it
 47 | // has one matching, "html", and one to insert, "escapeJSVal", to produce
 48 | // (.X | escapeJSVal | html).
 49 | func ensurePipelineContains(p *parse.PipeNode, s []string) {
 50 | 	if len(s) == 0 {
 51 | 		return
 52 | 	}
 53 | 	n := len(p.Cmds)
 54 | 	// Find the identifiers at the end of the command chain.
 55 | 	idents := p.Cmds
 56 | 	for i := n - 1; i >= 0; i-- {
 57 | 		if cmd := p.Cmds[i]; len(cmd.Args) != 0 {
 58 | 			if id, ok := cmd.Args[0].(*parse.IdentifierNode); ok {
 59 | 				if id.Ident == "noescape" {
 60 | 					return
 61 | 				}
 62 | 				continue
 63 | 			}
 64 | 		}
 65 | 		idents = p.Cmds[i+1:]
 66 | 	}
 67 | 	dups := 0
 68 | 	for _, id := range idents {
 69 | 		if escFnsEq(s[dups], (id.Args[0].(*parse.IdentifierNode)).Ident) {
 70 | 			dups++
 71 | 			if dups == len(s) {
 72 | 				return
 73 | 			}
 74 | 		}
 75 | 	}
 76 | 	newCmds := make([]*parse.CommandNode, n-len(idents), n+len(s)-dups)
 77 | 	copy(newCmds, p.Cmds)
 78 | 	// Merge existing identifier commands with the sanitizers needed.
 79 | 	for _, id := range idents {
 80 | 		pos := id.Args[0].Position()
 81 | 		i := indexOfStr((id.Args[0].(*parse.IdentifierNode)).Ident, s, escFnsEq)
 82 | 		if i != -1 {
 83 | 			for _, name := range s[:i] {
 84 | 				newCmds = appendCmd(newCmds, newIdentCmd(name, pos))
 85 | 			}
 86 | 			s = s[i+1:]
 87 | 		}
 88 | 		newCmds = appendCmd(newCmds, id)
 89 | 	}
 90 | 	// Create any remaining sanitizers.
 91 | 	for _, name := range s {
 92 | 		newCmds = appendCmd(newCmds, newIdentCmd(name, p.Position()))
 93 | 	}
 94 | 	p.Cmds = newCmds
 95 | }
 96 | 
 97 | // escFnsEq returns whether the two escaping functions are equivalent.
 98 | func escFnsEq(a, b string) bool {
 99 | 	if e := equivEscapers[a]; e != "" {
100 | 		a = e
101 | 	}
102 | 	if e := equivEscapers[b]; e != "" {
103 | 		b = e
104 | 	}
105 | 	return a == b
106 | }
107 | 
108 | // indexOfStr is the first i such that eq(s, strs[i]) or -1 if s was not found.
109 | func indexOfStr(s string, strs []string, eq func(a, b string) bool) int {
110 | 	for i, t := range strs {
111 | 		if eq(s, t) {
112 | 			return i
113 | 		}
114 | 	}
115 | 	return -1
116 | }
117 | 
118 | // appendCmd appends the given command to the end of the command pipeline
119 | // unless it is redundant with the last command.
120 | func appendCmd(cmds []*parse.CommandNode, cmd *parse.CommandNode) []*parse.CommandNode {
121 | 	if n := len(cmds); n != 0 {
122 | 		last, ok := cmds[n-1].Args[0].(*parse.IdentifierNode)
123 | 		next, _ := cmd.Args[0].(*parse.IdentifierNode)
124 | 		if ok && redundantFuncs[last.Ident][next.Ident] {
125 | 			return cmds
126 | 		}
127 | 	}
128 | 	return append(cmds, cmd)
129 | }
130 | 
131 | // newIdentCmd produces a command containing a single identifier node.
132 | func newIdentCmd(identifier string, pos parse.Pos) *parse.CommandNode {
133 | 	return &parse.CommandNode{
134 | 		NodeType: parse.NodeCommand,
135 | 		Args:     []parse.Node{parse.NewIdentifier(identifier).SetPos(pos)},
136 | 	}
137 | }
138 | 


--------------------------------------------------------------------------------
/v0/escape/pipeline_test.go:
--------------------------------------------------------------------------------
  1 | // Copyright 2011 The Go Authors. All rights reserved.
  2 | // Use of this source code is governed by a BSD-style
  3 | // license that can be found in the LICENSE file.
  4 | 
  5 | package escape
  6 | 
  7 | import (
  8 | 	"fmt"
  9 | 	"testing"
 10 | 
 11 | 	"github.com/gorilla/template/v0/parse"
 12 | )
 13 | 
 14 | func TestensurePipelineContains(t *testing.T) {
 15 | 	tests := []struct {
 16 | 		input, output string
 17 | 		ids           []string
 18 | 	}{
 19 | 		{
 20 | 			"{{.X}}",
 21 | 			".X",
 22 | 			[]string{},
 23 | 		},
 24 | 		{
 25 | 			"{{.X | html}}",
 26 | 			".X | html",
 27 | 			[]string{},
 28 | 		},
 29 | 		{
 30 | 			"{{.X}}",
 31 | 			".X | html",
 32 | 			[]string{"html"},
 33 | 		},
 34 | 		{
 35 | 			"{{.X | html}}",
 36 | 			".X | html | urlquery",
 37 | 			[]string{"urlquery"},
 38 | 		},
 39 | 		{
 40 | 			"{{.X | html | urlquery}}",
 41 | 			".X | html | urlquery",
 42 | 			[]string{"urlquery"},
 43 | 		},
 44 | 		{
 45 | 			"{{.X | html | urlquery}}",
 46 | 			".X | html | urlquery",
 47 | 			[]string{"html", "urlquery"},
 48 | 		},
 49 | 		{
 50 | 			"{{.X | html | urlquery}}",
 51 | 			".X | html | urlquery",
 52 | 			[]string{"html"},
 53 | 		},
 54 | 		{
 55 | 			"{{.X | urlquery}}",
 56 | 			".X | html | urlquery",
 57 | 			[]string{"html", "urlquery"},
 58 | 		},
 59 | 		{
 60 | 			"{{.X | html | print}}",
 61 | 			".X | urlquery | html | print",
 62 | 			[]string{"urlquery", "html"},
 63 | 		},
 64 | 		{
 65 | 			"{{($).X | html | print}}",
 66 | 			"($).X | urlquery | html | print",
 67 | 			[]string{"urlquery", "html"},
 68 | 		},
 69 | 	}
 70 | 	for i, test := range tests {
 71 | 		text := fmt.Sprintf(`{{define "t"}}%s{{end}}`, test.input)
 72 | 		// fake funcs just for the test.
 73 | 		funcs := map[string]interface{}{
 74 | 			"html":     true,
 75 | 			"print":    true,
 76 | 			"urlquery": true,
 77 | 		}
 78 | 		tree, err := parse.Parse("", text, "", "", funcs, FuncMap)
 79 | 		if err != nil {
 80 | 			t.Errorf("#%d: parsing error: %v", i, err)
 81 | 			continue
 82 | 		}
 83 | 		action, ok := (tree["t"].List.Nodes[0].(*parse.ActionNode))
 84 | 		if !ok {
 85 | 			t.Errorf("#%d: First node is not an action: %s", i, text)
 86 | 			continue
 87 | 		}
 88 | 		pipe := action.Pipe
 89 | 		ensurePipelineContains(pipe, test.ids)
 90 | 		got := pipe.String()
 91 | 		if got != test.output {
 92 | 			t.Errorf("#%d: %s, %v: want\n\t%s\ngot\n\t%s", i, text, test.ids, test.output, got)
 93 | 		}
 94 | 	}
 95 | }
 96 | 
 97 | func TestRedundantFuncs(t *testing.T) {
 98 | 	inputs := []interface{}{
 99 | 		"\x00\x01\x02\x03\x04\x05\x06\x07\x08\t\n\x0b\x0c\r\x0e\x0f" +
100 | 			"\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" +
101 | 			` !"#$%&'()*+,-./` +
102 | 			`0123456789:;<=>?` +
103 | 			`@ABCDEFGHIJKLMNO` +
104 | 			`PQRSTUVWXYZ[\]^_` +
105 | 			"`abcdefghijklmno" +
106 | 			"pqrstuvwxyz{|}~\x7f" +
107 | 			"\u00A0\u0100\u2028\u2029\ufeff\ufdec\ufffd\uffff\U0001D11E" +
108 | 			"&amp;%22\\",
109 | 		CSS(`a[href =~ "//example.com"]#foo`),
110 | 		HTML(`Hello, <b>World</b> &amp;tc!`),
111 | 		HTMLAttr(` dir="ltr"`),
112 | 		JS(`c && alert("Hello, World!");`),
113 | 		JSStr(`Hello, World & O'Reilly\x21`),
114 | 		URL(`greeting=H%69&addressee=(World)`),
115 | 	}
116 | 
117 | 	for n0, m := range redundantFuncs {
118 | 		f0 := FuncMap[n0].(func(...interface{}) string)
119 | 		for n1 := range m {
120 | 			f1 := FuncMap[n1].(func(...interface{}) string)
121 | 			for _, input := range inputs {
122 | 				want := f0(input)
123 | 				if got := f1(want); want != got {
124 | 					t.Errorf("%s %s with %T %q: want\n\t%q,\ngot\n\t%q", n0, n1, input, input, want, got)
125 | 				}
126 | 			}
127 | 		}
128 | 	}
129 | }
130 | 


--------------------------------------------------------------------------------
/v0/escape/url.go:
--------------------------------------------------------------------------------
  1 | // Copyright 2011 The Go Authors. All rights reserved.
  2 | // Use of this source code is governed by a BSD-style
  3 | // license that can be found in the LICENSE file.
  4 | 
  5 | package escape
  6 | 
  7 | import (
  8 | 	"bytes"
  9 | 	"fmt"
 10 | 	"strings"
 11 | )
 12 | 
 13 | // urlFilter returns its input unless it contains an unsafe protocol in which
 14 | // case it defangs the entire URL.
 15 | func urlFilter(args ...interface{}) string {
 16 | 	s, t := stringify(args...)
 17 | 	if t == contentTypeURL {
 18 | 		return s
 19 | 	}
 20 | 	if i := strings.IndexRune(s, ':'); i >= 0 && strings.IndexRune(s[:i], '/') < 0 {
 21 | 		protocol := strings.ToLower(s[:i])
 22 | 		if protocol != "http" && protocol != "https" && protocol != "mailto" {
 23 | 			return "#" + filterFailsafe
 24 | 		}
 25 | 	}
 26 | 	return s
 27 | }
 28 | 
 29 | // urlEscaper produces an output that can be embedded in a URL query.
 30 | // The output can be embedded in an HTML attribute without further escaping.
 31 | func urlEscaper(args ...interface{}) string {
 32 | 	return urlProcessor(false, args...)
 33 | }
 34 | 
 35 | // urlEscaper normalizes URL content so it can be embedded in a quote-delimited
 36 | // string or parenthesis delimited url(...).
 37 | // The normalizer does not encode all HTML specials. Specifically, it does not
 38 | // encode '&' so correct embedding in an HTML attribute requires escaping of
 39 | // '&' to '&amp;'.
 40 | func urlNormalizer(args ...interface{}) string {
 41 | 	return urlProcessor(true, args...)
 42 | }
 43 | 
 44 | // urlProcessor normalizes (when norm is true) or escapes its input to produce
 45 | // a valid hierarchical or opaque URL part.
 46 | func urlProcessor(norm bool, args ...interface{}) string {
 47 | 	s, t := stringify(args...)
 48 | 	if t == contentTypeURL {
 49 | 		norm = true
 50 | 	}
 51 | 	var b bytes.Buffer
 52 | 	written := 0
 53 | 	// The byte loop below assumes that all URLs use UTF-8 as the
 54 | 	// content-encoding. This is similar to the URI to IRI encoding scheme
 55 | 	// defined in section 3.1 of  RFC 3987, and behaves the same as the
 56 | 	// EcmaScript builtin encodeURIComponent.
 57 | 	// It should not cause any misencoding of URLs in pages with
 58 | 	// Content-type: text/html;charset=UTF-8.
 59 | 	for i, n := 0, len(s); i < n; i++ {
 60 | 		c := s[i]
 61 | 		switch c {
 62 | 		// Single quote and parens are sub-delims in RFC 3986, but we
 63 | 		// escape them so the output can be embedded in single
 64 | 		// quoted attributes and unquoted CSS url(...) constructs.
 65 | 		// Single quotes are reserved in URLs, but are only used in
 66 | 		// the obsolete "mark" rule in an appendix in RFC 3986
 67 | 		// so can be safely encoded.
 68 | 		case '!', '#', '$', '&', '*', '+', ',', '/', ':', ';', '=', '?', '@', '[', ']':
 69 | 			if norm {
 70 | 				continue
 71 | 			}
 72 | 		// Unreserved according to RFC 3986 sec 2.3
 73 | 		// "For consistency, percent-encoded octets in the ranges of
 74 | 		// ALPHA (%41-%5A and %61-%7A), DIGIT (%30-%39), hyphen (%2D),
 75 | 		// period (%2E), underscore (%5F), or tilde (%7E) should not be
 76 | 		// created by URI producers
 77 | 		case '-', '.', '_', '~':
 78 | 			continue
 79 | 		case '%':
 80 | 			// When normalizing do not re-encode valid escapes.
 81 | 			if norm && i+2 < len(s) && isHex(s[i+1]) && isHex(s[i+2]) {
 82 | 				continue
 83 | 			}
 84 | 		default:
 85 | 			// Unreserved according to RFC 3986 sec 2.3
 86 | 			if 'a' <= c && c <= 'z' {
 87 | 				continue
 88 | 			}
 89 | 			if 'A' <= c && c <= 'Z' {
 90 | 				continue
 91 | 			}
 92 | 			if '0' <= c && c <= '9' {
 93 | 				continue
 94 | 			}
 95 | 		}
 96 | 		b.WriteString(s[written:i])
 97 | 		fmt.Fprintf(&b, "%%%02x", c)
 98 | 		written = i + 1
 99 | 	}
100 | 	if written == 0 {
101 | 		return s
102 | 	}
103 | 	b.WriteString(s[written:])
104 | 	return b.String()
105 | }
106 | 


--------------------------------------------------------------------------------
/v0/escape/url_test.go:
--------------------------------------------------------------------------------
  1 | // Copyright 2011 The Go Authors. All rights reserved.
  2 | // Use of this source code is governed by a BSD-style
  3 | // license that can be found in the LICENSE file.
  4 | 
  5 | package escape
  6 | 
  7 | import (
  8 | 	"testing"
  9 | )
 10 | 
 11 | func TestURLNormalizer(t *testing.T) {
 12 | 	tests := []struct {
 13 | 		url, want string
 14 | 	}{
 15 | 		{"", ""},
 16 | 		{
 17 | 			"http://example.com:80/foo/bar?q=foo%20&bar=x+y#frag",
 18 | 			"http://example.com:80/foo/bar?q=foo%20&bar=x+y#frag",
 19 | 		},
 20 | 		{" ", "%20"},
 21 | 		{"%7c", "%7c"},
 22 | 		{"%7C", "%7C"},
 23 | 		{"%2", "%252"},
 24 | 		{"%", "%25"},
 25 | 		{"%z", "%25z"},
 26 | 		{"/foo|bar/%5c\u1234", "/foo%7cbar/%5c%e1%88%b4"},
 27 | 	}
 28 | 	for _, test := range tests {
 29 | 		if got := urlNormalizer(test.url); test.want != got {
 30 | 			t.Errorf("%q: want\n\t%q\nbut got\n\t%q", test.url, test.want, got)
 31 | 		}
 32 | 		if test.want != urlNormalizer(test.want) {
 33 | 			t.Errorf("not idempotent: %q", test.want)
 34 | 		}
 35 | 	}
 36 | }
 37 | 
 38 | func TestURLFilters(t *testing.T) {
 39 | 	input := ("\x00\x01\x02\x03\x04\x05\x06\x07\x08\t\n\x0b\x0c\r\x0e\x0f" +
 40 | 		"\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" +
 41 | 		` !"#$%&'()*+,-./` +
 42 | 		`0123456789:;<=>?` +
 43 | 		`@ABCDEFGHIJKLMNO` +
 44 | 		`PQRSTUVWXYZ[\]^_` +
 45 | 		"`abcdefghijklmno" +
 46 | 		"pqrstuvwxyz{|}~\x7f" +
 47 | 		"\u00A0\u0100\u2028\u2029\ufeff\U0001D11E")
 48 | 
 49 | 	tests := []struct {
 50 | 		name    string
 51 | 		escaper func(...interface{}) string
 52 | 		escaped string
 53 | 	}{
 54 | 		{
 55 | 			"urlEscaper",
 56 | 			urlEscaper,
 57 | 			"%00%01%02%03%04%05%06%07%08%09%0a%0b%0c%0d%0e%0f" +
 58 | 				"%10%11%12%13%14%15%16%17%18%19%1a%1b%1c%1d%1e%1f" +
 59 | 				"%20%21%22%23%24%25%26%27%28%29%2a%2b%2c-.%2f" +
 60 | 				"0123456789%3a%3b%3c%3d%3e%3f" +
 61 | 				"%40ABCDEFGHIJKLMNO" +
 62 | 				"PQRSTUVWXYZ%5b%5c%5d%5e_" +
 63 | 				"%60abcdefghijklmno" +
 64 | 				"pqrstuvwxyz%7b%7c%7d~%7f" +
 65 | 				"%c2%a0%c4%80%e2%80%a8%e2%80%a9%ef%bb%bf%f0%9d%84%9e",
 66 | 		},
 67 | 		{
 68 | 			"urlNormalizer",
 69 | 			urlNormalizer,
 70 | 			"%00%01%02%03%04%05%06%07%08%09%0a%0b%0c%0d%0e%0f" +
 71 | 				"%10%11%12%13%14%15%16%17%18%19%1a%1b%1c%1d%1e%1f" +
 72 | 				"%20!%22#$%25&%27%28%29*+,-./" +
 73 | 				"0123456789:;%3c=%3e?" +
 74 | 				"@ABCDEFGHIJKLMNO" +
 75 | 				"PQRSTUVWXYZ[%5c]%5e_" +
 76 | 				"%60abcdefghijklmno" +
 77 | 				"pqrstuvwxyz%7b%7c%7d~%7f" +
 78 | 				"%c2%a0%c4%80%e2%80%a8%e2%80%a9%ef%bb%bf%f0%9d%84%9e",
 79 | 		},
 80 | 	}
 81 | 
 82 | 	for _, test := range tests {
 83 | 		if s := test.escaper(input); s != test.escaped {
 84 | 			t.Errorf("%s: want\n\t%q\ngot\n\t%q", test.name, test.escaped, s)
 85 | 			continue
 86 | 		}
 87 | 	}
 88 | }
 89 | 
 90 | func BenchmarkURLEscaper(b *testing.B) {
 91 | 	for i := 0; i < b.N; i++ {
 92 | 		urlEscaper("http://example.com:80/foo?q=bar%20&baz=x+y#frag")
 93 | 	}
 94 | }
 95 | 
 96 | func BenchmarkURLEscaperNoSpecials(b *testing.B) {
 97 | 	for i := 0; i < b.N; i++ {
 98 | 		urlEscaper("TheQuickBrownFoxJumpsOverTheLazyDog.")
 99 | 	}
100 | }
101 | 
102 | func BenchmarkURLNormalizer(b *testing.B) {
103 | 	for i := 0; i < b.N; i++ {
104 | 		urlNormalizer("The quick brown fox jumps over the lazy dog.\n")
105 | 	}
106 | }
107 | 
108 | func BenchmarkURLNormalizerNoSpecials(b *testing.B) {
109 | 	for i := 0; i < b.N; i++ {
110 | 		urlNormalizer("http://example.com:80/foo?q=bar%20&baz=x+y#frag")
111 | 	}
112 | }
113 | 


--------------------------------------------------------------------------------
/v0/example_test.go:
--------------------------------------------------------------------------------
 1 | // Copyright 2011 The Go Authors. All rights reserved.
 2 | // Use of this source code is governed by a BSD-style
 3 | // license that can be found in the LICENSE file.
 4 | 
 5 | package template_test
 6 | 
 7 | import (
 8 | 	"log"
 9 | 	"os"
10 | 
11 | 	"github.com/gorilla/template/v0"
12 | )
13 | 
14 | func ExampleTemplate() {
15 | 	// Define a template.
16 | 	const letter = `{{define "letter"}}
17 | Dear {{.Name}},
18 | {{if .Attended}}
19 | It was a pleasure to see you at the wedding.{{else}}
20 | It is a shame you couldn't make it to the wedding.{{end}}
21 | {{with .Gift}}Thank you for the lovely {{.}}.
22 | {{end}}
23 | Best wishes,
24 | Josie
25 | {{end}}`
26 | 
27 | 	// Prepare some data to insert into the template.
28 | 	type Recipient struct {
29 | 		Name, Gift string
30 | 		Attended   bool
31 | 	}
32 | 	var recipients = []Recipient{
33 | 		{"Aunt Mildred", "bone china tea set", true},
34 | 		{"Uncle John", "moleskin pants", false},
35 | 		{"Cousin Rodney", "", false},
36 | 	}
37 | 
38 | 	// Create a new template and parse the letter into it.
39 | 	t := template.Must(new(template.Set).Parse(letter))
40 | 
41 | 	// Execute the template for each recipient.
42 | 	for _, r := range recipients {
43 | 		err := t.Execute(os.Stdout, "letter", r)
44 | 		if err != nil {
45 | 			log.Println("executing template:", err)
46 | 		}
47 | 	}
48 | 
49 | 	// Output:
50 | 	// Dear Aunt Mildred,
51 | 	//
52 | 	// It was a pleasure to see you at the wedding.
53 | 	// Thank you for the lovely bone china tea set.
54 | 	//
55 | 	// Best wishes,
56 | 	// Josie
57 | 	//
58 | 	// Dear Uncle John,
59 | 	//
60 | 	// It is a shame you couldn't make it to the wedding.
61 | 	// Thank you for the lovely moleskin pants.
62 | 	//
63 | 	// Best wishes,
64 | 	// Josie
65 | 	//
66 | 	// Dear Cousin Rodney,
67 | 	//
68 | 	// It is a shame you couldn't make it to the wedding.
69 | 	//
70 | 	// Best wishes,
71 | 	// Josie
72 | }
73 | 


--------------------------------------------------------------------------------
/v0/examplefiles_test.go:
--------------------------------------------------------------------------------
  1 | // Copyright 2012 The Go Authors. All rights reserved.
  2 | // Use of this source code is governed by a BSD-style
  3 | // license that can be found in the LICENSE file.
  4 | 
  5 | package template_test
  6 | 
  7 | import (
  8 | 	"io"
  9 | 	"io/ioutil"
 10 | 	"log"
 11 | 	"os"
 12 | 	"path/filepath"
 13 | 	"text/template"
 14 | )
 15 | 
 16 | // templateFile defines the contents of a template to be stored in a file, for testing.
 17 | type templateFile struct {
 18 | 	name     string
 19 | 	contents string
 20 | }
 21 | 
 22 | func createTestDir(files []templateFile) string {
 23 | 	dir, err := ioutil.TempDir("", "template")
 24 | 	if err != nil {
 25 | 		log.Fatal(err)
 26 | 	}
 27 | 	for _, file := range files {
 28 | 		f, err := os.Create(filepath.Join(dir, file.name))
 29 | 		if err != nil {
 30 | 			log.Fatal(err)
 31 | 		}
 32 | 		defer f.Close()
 33 | 		_, err = io.WriteString(f, file.contents)
 34 | 		if err != nil {
 35 | 			log.Fatal(err)
 36 | 		}
 37 | 	}
 38 | 	return dir
 39 | }
 40 | 
 41 | // Here we demonstrate loading a set of templates from a directory.
 42 | func ExampleTemplate_glob() {
 43 | 	// Here we create a temporary directory and populate it with our sample
 44 | 	// template definition files; usually the template files would already
 45 | 	// exist in some location known to the program.
 46 | 	dir := createTestDir([]templateFile{
 47 | 		// T0.tmpl is a plain template file that just invokes T1.
 48 | 		{"T0.tmpl", `T0 invokes T1: ({{template "T1"}})`},
 49 | 		// T1.tmpl defines a template, T1 that invokes T2.
 50 | 		{"T1.tmpl", `{{define "T1"}}T1 invokes T2: ({{template "T2"}}){{end}}`},
 51 | 		// T2.tmpl defines a template T2.
 52 | 		{"T2.tmpl", `{{define "T2"}}This is T2{{end}}`},
 53 | 	})
 54 | 	// Clean up after the test; another quirk of running as an example.
 55 | 	defer os.RemoveAll(dir)
 56 | 
 57 | 	// pattern is the glob pattern used to find all the template files.
 58 | 	pattern := filepath.Join(dir, "*.tmpl")
 59 | 
 60 | 	// Here starts the example proper.
 61 | 	// T0.tmpl is the first name matched, so it becomes the starting template,
 62 | 	// the value returned by ParseGlob.
 63 | 	tmpl := template.Must(template.ParseGlob(pattern))
 64 | 
 65 | 	err := tmpl.Execute(os.Stdout, nil)
 66 | 	if err != nil {
 67 | 		log.Fatalf("template execution: %s", err)
 68 | 	}
 69 | 	// Output:
 70 | 	// T0 invokes T1: (T1 invokes T2: (This is T2))
 71 | }
 72 | 
 73 | // This example demonstrates one way to share some templates
 74 | // and use them in different contexts. In this variant we add multiple driver
 75 | // templates by hand to an existing bundle of templates.
 76 | func ExampleTemplate_helpers() {
 77 | 	// Here we create a temporary directory and populate it with our sample
 78 | 	// template definition files; usually the template files would already
 79 | 	// exist in some location known to the program.
 80 | 	dir := createTestDir([]templateFile{
 81 | 		// T1.tmpl defines a template, T1 that invokes T2.
 82 | 		{"T1.tmpl", `{{define "T1"}}T1 invokes T2: ({{template "T2"}}){{end}}`},
 83 | 		// T2.tmpl defines a template T2.
 84 | 		{"T2.tmpl", `{{define "T2"}}This is T2{{end}}`},
 85 | 	})
 86 | 	// Clean up after the test; another quirk of running as an example.
 87 | 	defer os.RemoveAll(dir)
 88 | 
 89 | 	// pattern is the glob pattern used to find all the template files.
 90 | 	pattern := filepath.Join(dir, "*.tmpl")
 91 | 
 92 | 	// Here starts the example proper.
 93 | 	// Load the helpers.
 94 | 	templates := template.Must(template.ParseGlob(pattern))
 95 | 	// Add one driver template to the bunch; we do this with an explicit template definition.
 96 | 	_, err := templates.Parse("{{define `driver1`}}Driver 1 calls T1: ({{template `T1`}})\n{{end}}")
 97 | 	if err != nil {
 98 | 		log.Fatal("parsing driver1: ", err)
 99 | 	}
100 | 	// Add another driver template.
101 | 	_, err = templates.Parse("{{define `driver2`}}Driver 2 calls T2: ({{template `T2`}})\n{{end}}")
102 | 	if err != nil {
103 | 		log.Fatal("parsing driver2: ", err)
104 | 	}
105 | 	// We load all the templates before execution. This package does not require
106 | 	// that behavior but html/template's escaping does, so it's a good habit.
107 | 	err = templates.ExecuteTemplate(os.Stdout, "driver1", nil)
108 | 	if err != nil {
109 | 		log.Fatalf("driver1 execution: %s", err)
110 | 	}
111 | 	err = templates.ExecuteTemplate(os.Stdout, "driver2", nil)
112 | 	if err != nil {
113 | 		log.Fatalf("driver2 execution: %s", err)
114 | 	}
115 | 	// Output:
116 | 	// Driver 1 calls T1: (T1 invokes T2: (This is T2))
117 | 	// Driver 2 calls T2: (This is T2)
118 | }
119 | 
120 | // This example demonstrates how to use one group of driver
121 | // templates with distinct sets of helper templates.
122 | func ExampleTemplate_share() {
123 | 	// Here we create a temporary directory and populate it with our sample
124 | 	// template definition files; usually the template files would already
125 | 	// exist in some location known to the program.
126 | 	dir := createTestDir([]templateFile{
127 | 		// T0.tmpl is a plain template file that just invokes T1.
128 | 		{"T0.tmpl", "T0 ({{.}} version) invokes T1: ({{template `T1`}})\n"},
129 | 		// T1.tmpl defines a template, T1 that invokes T2. Note T2 is not defined
130 | 		{"T1.tmpl", `{{define "T1"}}T1 invokes T2: ({{template "T2"}}){{end}}`},
131 | 	})
132 | 	// Clean up after the test; another quirk of running as an example.
133 | 	defer os.RemoveAll(dir)
134 | 
135 | 	// pattern is the glob pattern used to find all the template files.
136 | 	pattern := filepath.Join(dir, "*.tmpl")
137 | 
138 | 	// Here starts the example proper.
139 | 	// Load the drivers.
140 | 	drivers := template.Must(template.ParseGlob(pattern))
141 | 
142 | 	// We must define an implementation of the T2 template. First we clone
143 | 	// the drivers, then add a definition of T2 to the template name space.
144 | 
145 | 	// 1. Clone the helper set to create a new name space from which to run them.
146 | 	first, err := drivers.Clone()
147 | 	if err != nil {
148 | 		log.Fatal("cloning helpers: ", err)
149 | 	}
150 | 	// 2. Define T2, version A, and parse it.
151 | 	_, err = first.Parse("{{define `T2`}}T2, version A{{end}}")
152 | 	if err != nil {
153 | 		log.Fatal("parsing T2: ", err)
154 | 	}
155 | 
156 | 	// Now repeat the whole thing, using a different version of T2.
157 | 	// 1. Clone the drivers.
158 | 	second, err := drivers.Clone()
159 | 	if err != nil {
160 | 		log.Fatal("cloning drivers: ", err)
161 | 	}
162 | 	// 2. Define T2, version B, and parse it.
163 | 	_, err = second.Parse("{{define `T2`}}T2, version B{{end}}")
164 | 	if err != nil {
165 | 		log.Fatal("parsing T2: ", err)
166 | 	}
167 | 
168 | 	// Execute the templates in the reverse order to verify the
169 | 	// first is unaffected by the second.
170 | 	err = second.ExecuteTemplate(os.Stdout, "T0.tmpl", "second")
171 | 	if err != nil {
172 | 		log.Fatalf("second execution: %s", err)
173 | 	}
174 | 	err = first.ExecuteTemplate(os.Stdout, "T0.tmpl", "first")
175 | 	if err != nil {
176 | 		log.Fatalf("first: execution: %s", err)
177 | 	}
178 | 
179 | 	// Output:
180 | 	// T0 (second version) invokes T1: (T1 invokes T2: (T2, version B))
181 | 	// T0 (first version) invokes T1: (T1 invokes T2: (T2, version A))
182 | }
183 | 


--------------------------------------------------------------------------------
/v0/examplefunc_test.go:
--------------------------------------------------------------------------------
 1 | // Copyright 2012 The Go Authors. All rights reserved.
 2 | // Use of this source code is governed by a BSD-style
 3 | // license that can be found in the LICENSE file.
 4 | 
 5 | package template_test
 6 | 
 7 | import (
 8 | 	"log"
 9 | 	"os"
10 | 	"strings"
11 | 	"text/template"
12 | )
13 | 
14 | // This example demonstrates a custom function to process template text.
15 | // It installs the strings.Title function and uses it to
16 | // Make Title Text Look Good In Our Template's Output.
17 | func ExampleTemplate_func() {
18 | 	// First we create a FuncMap with which to register the function.
19 | 	funcMap := template.FuncMap{
20 | 		// The name "title" is what the function will be called in the template text.
21 | 		"title": strings.Title,
22 | 	}
23 | 
24 | 	// A simple template definition to test our function.
25 | 	// We print the input text several ways:
26 | 	// - the original
27 | 	// - title-cased
28 | 	// - title-cased and then printed with %q
29 | 	// - printed with %q and then title-cased.
30 | 	const templateText = `
31 | Input: {{printf "%q" .}}
32 | Output 0: {{title .}}
33 | Output 1: {{title . | printf "%q"}}
34 | Output 2: {{printf "%q" . | title}}
35 | `
36 | 
37 | 	// Create a template, add the function map, and parse the text.
38 | 	tmpl, err := template.New("titleTest").Funcs(funcMap).Parse(templateText)
39 | 	if err != nil {
40 | 		log.Fatalf("parsing: %s", err)
41 | 	}
42 | 
43 | 	// Run the template to verify the output.
44 | 	err = tmpl.Execute(os.Stdout, "the go programming language")
45 | 	if err != nil {
46 | 		log.Fatalf("execution: %s", err)
47 | 	}
48 | 
49 | 	// Output:
50 | 	// Input: "the go programming language"
51 | 	// Output 0: The Go Programming Language
52 | 	// Output 1: "The Go Programming Language"
53 | 	// Output 2: "The Go Programming Language"
54 | }
55 | 


--------------------------------------------------------------------------------
/v0/funcs.go:
--------------------------------------------------------------------------------
  1 | // Copyright 2011 The Go Authors. All rights reserved.
  2 | // Use of this source code is governed by a BSD-style
  3 | // license that can be found in the LICENSE file.
  4 | 
  5 | package template
  6 | 
  7 | import (
  8 | 	"fmt"
  9 | 	"reflect"
 10 | 
 11 | 	"github.com/gorilla/template/v0/escape"
 12 | )
 13 | 
 14 | // FuncMap is the type of the map defining the mapping from names to functions.
 15 | // Each function must have either a single return value, or two return values of
 16 | // which the second has type error. In that case, if the second (error)
 17 | // argument evaluates to non-nil during execution, execution terminates and
 18 | // Execute returns that error.
 19 | type FuncMap map[string]interface{}
 20 | 
 21 | var builtins = FuncMap{
 22 | 	"and":      and,
 23 | 	"call":     call,
 24 | 	"html":     escape.HTMLEscaper,
 25 | 	"index":    index,
 26 | 	"js":       escape.JSEscaper,
 27 | 	"len":      length,
 28 | 	"not":      not,
 29 | 	"or":       or,
 30 | 	"print":    fmt.Sprint,
 31 | 	"printf":   fmt.Sprintf,
 32 | 	"println":  fmt.Sprintln,
 33 | 	"urlquery": escape.URLQueryEscaper,
 34 | }
 35 | 
 36 | var builtinFuncs = createValueFuncs(builtins)
 37 | 
 38 | // createValueFuncs turns a FuncMap into a map[string]reflect.Value
 39 | func createValueFuncs(funcMap FuncMap) map[string]reflect.Value {
 40 | 	m := make(map[string]reflect.Value)
 41 | 	addValueFuncs(m, funcMap)
 42 | 	return m
 43 | }
 44 | 
 45 | // addValueFuncs adds to values the functions in funcs, converting them to reflect.Values.
 46 | func addValueFuncs(out map[string]reflect.Value, in FuncMap) {
 47 | 	for name, fn := range in {
 48 | 		v := reflect.ValueOf(fn)
 49 | 		if v.Kind() != reflect.Func {
 50 | 			panic("value for " + name + " not a function")
 51 | 		}
 52 | 		if !goodFunc(v.Type()) {
 53 | 			panic(fmt.Errorf("can't install method/function %q with %d results", name, v.Type().NumOut()))
 54 | 		}
 55 | 		out[name] = v
 56 | 	}
 57 | }
 58 | 
 59 | // addFuncs adds to values the functions in funcs. It does no checking of the input -
 60 | // call addValueFuncs first.
 61 | func addFuncs(out, in FuncMap) {
 62 | 	for name, fn := range in {
 63 | 		out[name] = fn
 64 | 	}
 65 | }
 66 | 
 67 | // goodFunc checks that the function or method has the right result signature.
 68 | func goodFunc(typ reflect.Type) bool {
 69 | 	// We allow functions with 1 result or 2 results where the second is an error.
 70 | 	switch {
 71 | 	case typ.NumOut() == 1:
 72 | 		return true
 73 | 	case typ.NumOut() == 2 && typ.Out(1) == errorType:
 74 | 		return true
 75 | 	}
 76 | 	return false
 77 | }
 78 | 
 79 | // findFunction looks for a function in the template, and global map.
 80 | func findFunction(name string, set *Set) (reflect.Value, bool) {
 81 | 	if set != nil {
 82 | 		if fn := set.execFuncs[name]; fn.IsValid() {
 83 | 			return fn, true
 84 | 		}
 85 | 	}
 86 | 	if fn := builtinFuncs[name]; fn.IsValid() {
 87 | 		return fn, true
 88 | 	}
 89 | 	return reflect.Value{}, false
 90 | }
 91 | 
 92 | // Indexing.
 93 | 
 94 | // index returns the result of indexing its first argument by the following
 95 | // arguments.  Thus "index x 1 2 3" is, in Go syntax, x[1][2][3]. Each
 96 | // indexed item must be a map, slice, or array.
 97 | func index(item interface{}, indices ...interface{}) (interface{}, error) {
 98 | 	v := reflect.ValueOf(item)
 99 | 	for _, i := range indices {
100 | 		index := reflect.ValueOf(i)
101 | 		var isNil bool
102 | 		if v, isNil = indirect(v); isNil {
103 | 			return nil, fmt.Errorf("index of nil pointer")
104 | 		}
105 | 		switch v.Kind() {
106 | 		case reflect.Array, reflect.Slice, reflect.String:
107 | 			var x int64
108 | 			switch index.Kind() {
109 | 			case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
110 | 				x = index.Int()
111 | 			case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uintptr:
112 | 				x = int64(index.Uint())
113 | 			default:
114 | 				return nil, fmt.Errorf("cannot index slice/array with type %s", index.Type())
115 | 			}
116 | 			if x < 0 || x >= int64(v.Len()) {
117 | 				return nil, fmt.Errorf("index out of range: %d", x)
118 | 			}
119 | 			v = v.Index(int(x))
120 | 		case reflect.Map:
121 | 			if !index.IsValid() {
122 | 				index = reflect.Zero(v.Type().Key())
123 | 			}
124 | 			if !index.Type().AssignableTo(v.Type().Key()) {
125 | 				return nil, fmt.Errorf("%s is not index type for %s", index.Type(), v.Type())
126 | 			}
127 | 			if x := v.MapIndex(index); x.IsValid() {
128 | 				v = x
129 | 			} else {
130 | 				v = reflect.Zero(v.Type().Elem())
131 | 			}
132 | 		default:
133 | 			return nil, fmt.Errorf("can't index item of type %s", v.Type())
134 | 		}
135 | 	}
136 | 	return v.Interface(), nil
137 | }
138 | 
139 | // Length
140 | 
141 | // length returns the length of the item, with an error if it has no defined length.
142 | func length(item interface{}) (int, error) {
143 | 	v, isNil := indirect(reflect.ValueOf(item))
144 | 	if isNil {
145 | 		return 0, fmt.Errorf("len of nil pointer")
146 | 	}
147 | 	switch v.Kind() {
148 | 	case reflect.Array, reflect.Chan, reflect.Map, reflect.Slice, reflect.String:
149 | 		return v.Len(), nil
150 | 	}
151 | 	return 0, fmt.Errorf("len of type %s", v.Type())
152 | }
153 | 
154 | // Function invocation
155 | 
156 | // call returns the result of evaluating the first argument as a function.
157 | // The function must return 1 result, or 2 results, the second of which is an error.
158 | func call(fn interface{}, args ...interface{}) (interface{}, error) {
159 | 	v := reflect.ValueOf(fn)
160 | 	typ := v.Type()
161 | 	if typ.Kind() != reflect.Func {
162 | 		return nil, fmt.Errorf("non-function of type %s", typ)
163 | 	}
164 | 	if !goodFunc(typ) {
165 | 		return nil, fmt.Errorf("function called with %d args; should be 1 or 2", typ.NumOut())
166 | 	}
167 | 	numIn := typ.NumIn()
168 | 	var dddType reflect.Type
169 | 	if typ.IsVariadic() {
170 | 		if len(args) < numIn-1 {
171 | 			return nil, fmt.Errorf("wrong number of args: got %d want at least %d", len(args), numIn-1)
172 | 		}
173 | 		dddType = typ.In(numIn - 1).Elem()
174 | 	} else {
175 | 		if len(args) != numIn {
176 | 			return nil, fmt.Errorf("wrong number of args: got %d want %d", len(args), numIn)
177 | 		}
178 | 	}
179 | 	argv := make([]reflect.Value, len(args))
180 | 	for i, arg := range args {
181 | 		value := reflect.ValueOf(arg)
182 | 		// Compute the expected type. Clumsy because of variadics.
183 | 		var argType reflect.Type
184 | 		if !typ.IsVariadic() || i < numIn-1 {
185 | 			argType = typ.In(i)
186 | 		} else {
187 | 			argType = dddType
188 | 		}
189 | 		if !value.IsValid() && canBeNil(argType) {
190 | 			value = reflect.Zero(argType)
191 | 		}
192 | 		if !value.Type().AssignableTo(argType) {
193 | 			return nil, fmt.Errorf("arg %d has type %s; should be %s", i, value.Type(), argType)
194 | 		}
195 | 		argv[i] = value
196 | 	}
197 | 	result := v.Call(argv)
198 | 	if len(result) == 2 {
199 | 		return result[0].Interface(), result[1].Interface().(error)
200 | 	}
201 | 	return result[0].Interface(), nil
202 | }
203 | 
204 | // Boolean logic.
205 | 
206 | func truth(a interface{}) bool {
207 | 	t, _ := isTrue(reflect.ValueOf(a))
208 | 	return t
209 | }
210 | 
211 | // and computes the Boolean AND of its arguments, returning
212 | // the first false argument it encounters, or the last argument.
213 | func and(arg0 interface{}, args ...interface{}) interface{} {
214 | 	if !truth(arg0) {
215 | 		return arg0
216 | 	}
217 | 	for i := range args {
218 | 		arg0 = args[i]
219 | 		if !truth(arg0) {
220 | 			break
221 | 		}
222 | 	}
223 | 	return arg0
224 | }
225 | 
226 | // or computes the Boolean OR of its arguments, returning
227 | // the first true argument it encounters, or the last argument.
228 | func or(arg0 interface{}, args ...interface{}) interface{} {
229 | 	if truth(arg0) {
230 | 		return arg0
231 | 	}
232 | 	for i := range args {
233 | 		arg0 = args[i]
234 | 		if truth(arg0) {
235 | 			break
236 | 		}
237 | 	}
238 | 	return arg0
239 | }
240 | 
241 | // not returns the Boolean negation of its argument.
242 | func not(arg interface{}) (truth bool) {
243 | 	truth, _ = isTrue(reflect.ValueOf(arg))
244 | 	return !truth
245 | }
246 | 


--------------------------------------------------------------------------------
/v0/inline.go:
--------------------------------------------------------------------------------
  1 | // Copyright 2011 The Go Authors. All rights reserved.
  2 | // Use of this source code is governed by a BSD-style
  3 | // license that can be found in the LICENSE file.
  4 | 
  5 | package template
  6 | 
  7 | import (
  8 | 	"fmt"
  9 | 
 10 | 	"github.com/gorilla/template/v0/parse"
 11 | )
 12 | 
 13 | // parentList returns the list of parent templates for a given template name.
 14 | // It returns an error if a template is not found or recursive dependency
 15 | // is detected.
 16 | func parentList(tree parse.Tree, name string) (deps []string, err error) {
 17 | 	for {
 18 | 		define := tree[name]
 19 | 		if define == nil {
 20 | 			return nil, fmt.Errorf("template: template not found: %q", name)
 21 | 		}
 22 | 		for _, v := range deps {
 23 | 			if v == name {
 24 | 				deps = append(deps, name)
 25 | 				return nil, fmt.Errorf("template: impossible recursion: %#v",
 26 | 					deps)
 27 | 			}
 28 | 		}
 29 | 		deps = append(deps, name)
 30 | 		name = define.Parent
 31 | 		if name == "" {
 32 | 			break
 33 | 		}
 34 | 	}
 35 | 	return
 36 | }
 37 | 
 38 | // compilationOrder returns the order in which templates must be compiled in a
 39 | // set. Parents are compiled only after all their dependents were compiled.
 40 | func compilationOrder(tree parse.Tree) ([]string, error) {
 41 | 	var deps [][]string
 42 | 	for name, _ := range tree {
 43 | 		p, err := parentList(tree, name)
 44 | 		if err != nil {
 45 | 			return nil, err
 46 | 		}
 47 | 		deps = append(deps, p)
 48 | 	}
 49 | 	order := make([]string, len(deps))
 50 | 	for len(deps) > 0 {
 51 | 		i := 0
 52 | 		for i < len(deps) {
 53 | 			if len(deps[i]) == 1 {
 54 | 				name := deps[i][0]
 55 | 				order[len(deps)-1] = name
 56 | 				deps = append(deps[:i], deps[i+1:]...)
 57 | 				for k, v := range deps {
 58 | 					var s []string
 59 | 					for _, v2 := range v {
 60 | 						if v2 != name {
 61 | 							s = append(s, v2)
 62 | 						}
 63 | 					}
 64 | 					deps[k] = s
 65 | 				}
 66 | 			} else {
 67 | 				i++
 68 | 			}
 69 | 		}
 70 | 	}
 71 | 	return order, nil
 72 | }
 73 | 
 74 | // inlineTree expands all {{define}} actions from a tree.
 75 | func inlineTree(tree parse.Tree) error {
 76 | 	order, err := compilationOrder(tree)
 77 | 	if err != nil {
 78 | 		return err
 79 | 	}
 80 | 	for _, name := range order {
 81 | 		if err := inlineDefine(tree, name); err != nil {
 82 | 			return err
 83 | 		}
 84 | 	}
 85 | 	return nil
 86 | }
 87 | 
 88 | // inlineDefine expands a simple or extended {{define}} action.
 89 | func inlineDefine(tree parse.Tree, name string) error {
 90 | 	define := tree[name]
 91 | 	parent := tree[define.Parent]
 92 | 	if define.Parent == "" {
 93 | 		// Expand {{slot}}, remove {{fill}}.
 94 | 		cleanupSlot(tree[name].List)
 95 | 		return nil
 96 | 	} else if parent == nil {
 97 | 		return fmt.Errorf("template: define extends undefined parent %q",
 98 | 			define.Parent)
 99 | 	}
100 | 	// Get all FillNode's from current define.
101 | 	fillers := map[string]*parse.FillNode{}
102 | 	unused := map[string]bool{}
103 | 	for _, n := range define.List.Nodes {
104 | 		if f, ok := n.(*parse.FillNode); ok {
105 | 			fillers[f.Name] = f
106 | 			unused[f.Name] = true
107 | 		}
108 | 	}
109 | 	// Update nodes and parent.
110 | 	// TODO: must review debugging system because updating like this will
111 | 	// report wrong positions and context.
112 | 	define.List = parent.List.CopyList()
113 | 	define.Parent = parent.Parent
114 | 	// Replace FillNode's and SlotNode's from parent.
115 | 	applyFillers(define.List, fillers, unused)
116 | 	// Add extra fillers.
117 | 	for k, v := range unused {
118 | 		if v {
119 | 			define.List.Nodes = append(define.List.Nodes, fillers[k].CopyFill())
120 | 		}
121 | 	}
122 | 	// Do it again until parent is empty.
123 | 	return inlineDefine(tree, name)
124 | }
125 | 
126 | // applyFillers replaces slot and fill nodes by their filler counterparts.
127 | func applyFillers(n parse.Node, fillers map[string]*parse.FillNode, unused map[string]bool) {
128 | 	switch n := n.(type) {
129 | 	case *parse.IfNode:
130 | 		applyFillers(n.List, fillers, unused)
131 | 		applyFillers(n.ElseList, fillers, unused)
132 | 	case *parse.ListNode:
133 | 		if n == nil {
134 | 			return
135 | 		}
136 | 		for k, v := range n.Nodes {
137 | 			switch v := v.(type) {
138 | 			case *parse.SlotNode:
139 | 				// Replace the slot by the list of nodes from the filler.
140 | 				if filler := fillers[v.Name]; filler != nil {
141 | 					n.Nodes[k] = filler.List.CopyList()
142 | 				}
143 | 			case *parse.FillNode:
144 | 				// Replace the fill by the new filler.
145 | 				if filler := fillers[v.Name]; filler != nil {
146 | 					n.Nodes[k] = filler.CopyFill()
147 | 					unused[v.Name] = false
148 | 				}
149 | 			default:
150 | 				applyFillers(v, fillers, unused)
151 | 			}
152 | 		}
153 | 	case *parse.RangeNode:
154 | 		applyFillers(n.List, fillers, unused)
155 | 		applyFillers(n.ElseList, fillers, unused)
156 | 	case *parse.WithNode:
157 | 		applyFillers(n.List, fillers, unused)
158 | 		applyFillers(n.ElseList, fillers, unused)
159 | 	}
160 | }
161 | 
162 | // cleanupSlot removes slot and fill nodes.
163 | //
164 | // May contain child actions:
165 | // SlotNode:  n.List
166 | // DefineNode: n.List
167 | // FillNode:   n.List
168 | // IfNode:     n.List, n.ElseList
169 | // ListNode:   n.Nodes
170 | // RangeNode:  n.List, n.ElseList
171 | // WithNode:   n.List, n.ElseList
172 | func cleanupSlot(n parse.Node) {
173 | 	switch n := n.(type) {
174 | 	case *parse.IfNode:
175 | 		cleanupSlot(n.List)
176 | 		cleanupSlot(n.ElseList)
177 | 	case *parse.ListNode:
178 | 		if n == nil {
179 | 			return
180 | 		}
181 | 		k := 0
182 | 		for k < len(n.Nodes) {
183 | 			v := n.Nodes[k]
184 | 			switch v := v.(type) {
185 | 			case *parse.SlotNode:
186 | 				// Replace the slot by its list of nodes.
187 | 				n.Nodes[k] = v.List
188 | 				continue
189 | 			case *parse.FillNode:
190 | 				// Remove the filler.
191 | 				n.Nodes = append(n.Nodes[:k], n.Nodes[k+1:]...)
192 | 				continue
193 | 			default:
194 | 				cleanupSlot(v)
195 | 			}
196 | 			k++
197 | 		}
198 | 	case *parse.RangeNode:
199 | 		cleanupSlot(n.List)
200 | 		cleanupSlot(n.ElseList)
201 | 	case *parse.WithNode:
202 | 		cleanupSlot(n.List)
203 | 		cleanupSlot(n.ElseList)
204 | 	}
205 | }
206 | 


--------------------------------------------------------------------------------
/v0/multi_test.go:
--------------------------------------------------------------------------------
  1 | // Copyright 2011 The Go Authors. All rights reserved.
  2 | // Use of this source code is governed by a BSD-style
  3 | // license that can be found in the LICENSE file.
  4 | 
  5 | package template
  6 | 
  7 | // Tests for mulitple-template parsing and execution.
  8 | 
  9 | import (
 10 | 	"bytes"
 11 | 	"fmt"
 12 | 	"strings"
 13 | 	"testing"
 14 | 
 15 | 	"github.com/gorilla/template/v0/parse"
 16 | )
 17 | 
 18 | const (
 19 | 	noError  = true
 20 | 	hasError = false
 21 | )
 22 | 
 23 | type multiParseTest struct {
 24 | 	name    string
 25 | 	input   string
 26 | 	ok      bool
 27 | 	names   []string
 28 | 	results []string
 29 | }
 30 | 
 31 | var multiParseTests = []multiParseTest{
 32 | 	{"empty", "", noError,
 33 | 		nil,
 34 | 		nil},
 35 | 	{"one", `{{define "foo"}} FOO {{end}}`, noError,
 36 | 		[]string{"foo"},
 37 | 		[]string{`{{define "foo"}} FOO {{end}}`}},
 38 | 	{"two", `{{define "foo"}} FOO {{end}}{{define "bar"}} BAR {{end}}`, noError,
 39 | 		[]string{"foo", "bar"},
 40 | 		[]string{`{{define "foo"}} FOO {{end}}`, `{{define "bar"}} BAR {{end}}`}},
 41 | 	// errors
 42 | 	{"missing end", `{{define "foo"}} FOO `, hasError,
 43 | 		nil,
 44 | 		nil},
 45 | 	{"malformed name", `{{define "foo}} FOO `, hasError,
 46 | 		nil,
 47 | 		nil},
 48 | }
 49 | 
 50 | func TestMultiParse(t *testing.T) {
 51 | 	for _, test := range multiParseTests {
 52 | 		template, err := new(Set).Parse(test.input)
 53 | 		switch {
 54 | 		case err == nil && !test.ok:
 55 | 			t.Errorf("%q: expected error; got none", test.name)
 56 | 			continue
 57 | 		case err != nil && test.ok:
 58 | 			t.Errorf("%q: unexpected error: %v", test.name, err)
 59 | 			continue
 60 | 		case err != nil && !test.ok:
 61 | 			// expected error, got one
 62 | 			if *debug {
 63 | 				fmt.Printf("%s: %s\n\t%s\n", test.name, test.input, err)
 64 | 			}
 65 | 			continue
 66 | 		}
 67 | 		if template == nil {
 68 | 			continue
 69 | 		}
 70 | 		if len(template.tree) != len(test.names) {
 71 | 			t.Errorf("%s: wrong number of templates; wanted %d got %d", test.name, len(test.names), len(template.tree))
 72 | 			continue
 73 | 		}
 74 | 		for i, name := range test.names {
 75 | 			tmpl, ok := template.tree[name]
 76 | 			if !ok {
 77 | 				t.Errorf("%s: can't find template %q", test.name, name)
 78 | 				continue
 79 | 			}
 80 | 			result := tmpl.String()
 81 | 			if result != test.results[i] {
 82 | 				t.Errorf("%s=(%q): got\n\t%v\nexpected\n\t%v", test.name, test.input, result, test.results[i])
 83 | 			}
 84 | 		}
 85 | 	}
 86 | }
 87 | 
 88 | var multiExecTests = []execTest{
 89 | 	{"empty", "", "", nil, true},
 90 | 	{"text", "some text", "some text", nil, true},
 91 | 	{"invoke x", `{{template "x" .SI}}`, "TEXT", tVal, true},
 92 | 	{"invoke x no args", `{{template "x"}}`, "TEXT", tVal, true},
 93 | 	{"invoke dot int", `{{template "dot" .I}}`, "17", tVal, true},
 94 | 	{"invoke dot []int", `{{template "dot" .SI}}`, "[3 4 5]", tVal, true},
 95 | 	{"invoke dotV", `{{template "dotV" .U}}`, "v", tVal, true},
 96 | 	{"invoke nested int", `{{template "nested" .I}}`, "17", tVal, true},
 97 | 	{"variable declared by template", `{{template "nested" $x:=.SI}},{{index $x 1}}`, "[3 4 5],4", tVal, true},
 98 | 
 99 | 	// User-defined function: test argument evaluator.
100 | 	{"testFunc literal", `{{oneArg "joe"}}`, "oneArg=joe", tVal, true},
101 | 	{"testFunc .", `{{oneArg .}}`, "oneArg=joe", "joe", true},
102 | }
103 | 
104 | // These strings are also in testdata/*.
105 | const multiText1 = `
106 | 	{{define "x"}}TEXT{{end}}
107 | 	{{define "dotV"}}{{.V}}{{end}}
108 | `
109 | 
110 | const multiText2 = `
111 | 	{{define "dot"}}{{.}}{{end}}
112 | 	{{define "nested"}}{{template "dot" .}}{{end}}
113 | `
114 | 
115 | func TestMultiExecute(t *testing.T) {
116 | 	// Declare a couple of templates first.
117 | 	set, err := new(Set).Parse(multiText1)
118 | 	if err != nil {
119 | 		t.Fatalf("parse error for 1: %s", err)
120 | 	}
121 | 	_, err = set.Parse(multiText2)
122 | 	if err != nil {
123 | 		t.Fatalf("parse error for 2: %s", err)
124 | 	}
125 | 	testExecute(multiExecTests, set, t)
126 | }
127 | 
128 | func TestParseFiles(t *testing.T) {
129 | 	_, err := new(Set).ParseFiles("DOES NOT EXIST")
130 | 	if err == nil {
131 | 		t.Error("expected error for non-existent file; got none")
132 | 	}
133 | 	template := new(Set)
134 | 	_, err = template.ParseFiles("testdata/file1.tmpl", "testdata/file2.tmpl")
135 | 	if err != nil {
136 | 		t.Fatalf("error parsing files: %v", err)
137 | 	}
138 | 	testExecute(multiExecTests, template, t)
139 | }
140 | 
141 | func TestParseGlob(t *testing.T) {
142 | 	_, err := new(Set).ParseGlob("DOES NOT EXIST")
143 | 	if err == nil {
144 | 		t.Error("expected error for non-existent file; got none")
145 | 	}
146 | 	_, err = new(Set).ParseGlob("[x")
147 | 	if err == nil {
148 | 		t.Error("expected error for bad pattern; got none")
149 | 	}
150 | 	template := new(Set)
151 | 	_, err = template.ParseGlob("testdata/file*.tmpl")
152 | 	if err != nil {
153 | 		t.Fatalf("error parsing files: %v", err)
154 | 	}
155 | 	testExecute(multiExecTests, template, t)
156 | }
157 | 
158 | // In these tests, actual content (not just template definitions) comes from the parsed files.
159 | 
160 | var templateFileExecTests = []execTest{
161 | 	{"test", `{{define "test"}}{{template "template1"}}{{template "template2"}}{{end}}`, "\ntemplate1\ny\n\ntemplate2\nx\n", 0, true},
162 | }
163 | 
164 | func TestParseFilesWithData(t *testing.T) {
165 | 	template, err := new(Set).ParseFiles("testdata/tmpl1.tmpl", "testdata/tmpl2.tmpl")
166 | 	if err != nil {
167 | 		t.Fatalf("error parsing files: %v", err)
168 | 	}
169 | 	testExecute(templateFileExecTests, template, t)
170 | }
171 | 
172 | func TestParseGlobWithData(t *testing.T) {
173 | 	template, err := new(Set).ParseGlob("testdata/tmpl*.tmpl")
174 | 	if err != nil {
175 | 		t.Fatalf("error parsing files: %v", err)
176 | 	}
177 | 	testExecute(templateFileExecTests, template, t)
178 | }
179 | 
180 | const (
181 | 	cloneText1 = `{{define "a"}}{{template "b"}}{{template "c"}}{{end}}`
182 | 	cloneText2 = `{{define "b"}}b{{end}}`
183 | 	cloneText3 = `{{define "c"}}root{{end}}`
184 | 	cloneText4 = `{{define "c"}}clone{{end}}`
185 | )
186 | 
187 | func TestClone(t *testing.T) {
188 | 	// Create some templates and clone the root.
189 | 	root, err := new(Set).Parse(cloneText1)
190 | 	if err != nil {
191 | 		t.Fatal(err)
192 | 	}
193 | 	_, err = root.Parse(cloneText2)
194 | 	if err != nil {
195 | 		t.Fatal(err)
196 | 	}
197 | 	clone := Must(root.Clone())
198 | 	// Add variants to both.
199 | 	_, err = root.Parse(cloneText3)
200 | 	if err != nil {
201 | 		t.Fatal(err)
202 | 	}
203 | 	_, err = clone.Parse(cloneText4)
204 | 	if err != nil {
205 | 		t.Fatal(err)
206 | 	}
207 | 	// Execute root.
208 | 	var b bytes.Buffer
209 | 	err = root.Execute(&b, "a", 0)
210 | 	if err != nil {
211 | 		t.Fatal(err)
212 | 	}
213 | 	if b.String() != "broot" {
214 | 		t.Errorf("expected %q got %q", "broot", b.String())
215 | 	}
216 | 	// Execute copy.
217 | 	b.Reset()
218 | 	err = clone.Execute(&b, "a", 0)
219 | 	if err != nil {
220 | 		t.Fatal(err)
221 | 	}
222 | 	if b.String() != "bclone" {
223 | 		t.Errorf("expected %q got %q", "bclone", b.String())
224 | 	}
225 | }
226 | 
227 | func TestAddParseTree(t *testing.T) {
228 | 	// Create some templates.
229 | 	root, err := new(Set).Parse(cloneText1)
230 | 	if err != nil {
231 | 		t.Fatal(err)
232 | 	}
233 | 	_, err = root.Parse(cloneText2)
234 | 	if err != nil {
235 | 		t.Fatal(err)
236 | 	}
237 | 	// Add a new parse tree.
238 | 	tree, err := parse.Parse("cloneText3", cloneText3, "", "", nil, builtins)
239 | 	if err != nil {
240 | 		t.Fatal(err)
241 | 	}
242 | 	err = root.tree.Add(tree["c"])
243 | 	if err != nil {
244 | 		t.Fatal(err)
245 | 	}
246 | 	// Execute.
247 | 	var b bytes.Buffer
248 | 	err = root.Execute(&b, "a", 0)
249 | 	if err != nil {
250 | 		t.Fatal(err)
251 | 	}
252 | 	if b.String() != "broot" {
253 | 		t.Errorf("expected %q got %q", "broot", b.String())
254 | 	}
255 | }
256 | 
257 | func TestRedefinition(t *testing.T) {
258 | 	var tmpl *Set
259 | 	var err error
260 | 	if tmpl, err = new(Set).Parse(`{{define "test"}}foo{{end}}`); err != nil {
261 | 		t.Fatalf("parse 1: %v", err)
262 | 	}
263 | 	if _, err = tmpl.Parse(`{{define "test"}}bar{{end}}`); err == nil {
264 | 		t.Fatal("expected error")
265 | 	}
266 | 	if !strings.Contains(err.Error(), "duplicated template name") {
267 | 		t.Fatalf("expected redefinition error; got %v", err)
268 | 	}
269 | 	if _, err = tmpl.Parse(`{{define "test"}}bar{{end}}`); err == nil {
270 | 		t.Fatal("expected error")
271 | 	}
272 | 	if !strings.Contains(err.Error(), "duplicated template name") {
273 | 		t.Fatalf("expected redefinition error; got %v", err)
274 | 	}
275 | }
276 | 


--------------------------------------------------------------------------------
/v0/parse/lex.go:
--------------------------------------------------------------------------------
  1 | // Copyright 2011 The Go Authors. All rights reserved.
  2 | // Use of this source code is governed by a BSD-style
  3 | // license that can be found in the LICENSE file.
  4 | 
  5 | package parse
  6 | 
  7 | import (
  8 | 	"fmt"
  9 | 	"strings"
 10 | 	"unicode"
 11 | 	"unicode/utf8"
 12 | )
 13 | 
 14 | // item represents a token or text string returned from the scanner.
 15 | type item struct {
 16 | 	typ itemType // The type of this item.
 17 | 	pos Pos      // The starting position, in bytes, of this item in the input string.
 18 | 	val string   // The value of this item.
 19 | }
 20 | 
 21 | func (i item) String() string {
 22 | 	switch {
 23 | 	case i.typ == itemEOF:
 24 | 		return "EOF"
 25 | 	case i.typ == itemError:
 26 | 		return i.val
 27 | 	case i.typ > itemKeyword:
 28 | 		return fmt.Sprintf("<%s>", i.val)
 29 | 	case len(i.val) > 10:
 30 | 		return fmt.Sprintf("%.10q...", i.val)
 31 | 	}
 32 | 	return fmt.Sprintf("%q", i.val)
 33 | }
 34 | 
 35 | // itemType identifies the type of lex items.
 36 | type itemType int
 37 | 
 38 | const (
 39 | 	itemError        itemType = iota // error occurred; value is text of error
 40 | 	itemBool                         // boolean constant
 41 | 	itemChar                         // printable ASCII character; grab bag for comma etc.
 42 | 	itemCharConstant                 // character constant
 43 | 	itemComplex                      // complex constant (1+2i); imaginary is just a number
 44 | 	itemColonEquals                  // colon-equals (':=') introducing a declaration
 45 | 	itemEOF
 46 | 	itemField      // alphanumeric identifier starting with '.'
 47 | 	itemIdentifier // alphanumeric identifier not starting with '.'
 48 | 	itemLeftDelim  // left action delimiter
 49 | 	itemLeftParen  // '(' inside action
 50 | 	itemNumber     // simple number, including imaginary
 51 | 	itemPipe       // pipe symbol
 52 | 	itemRawString  // raw quoted string (includes quotes)
 53 | 	itemRightDelim // right action delimiter
 54 | 	itemRightParen // ')' inside action
 55 | 	itemSpace      // run of spaces separating arguments
 56 | 	itemString     // quoted string (includes quotes)
 57 | 	itemText       // plain text
 58 | 	itemVariable   // variable starting with '$', such as '$' or  '$1' or '$hello'
 59 | 	// Keywords appear after all the rest.
 60 | 	itemKeyword  // used only to delimit the keywords
 61 | 	itemDot      // the cursor, spelled '.'
 62 | 	itemDefine   // define keyword
 63 | 	itemElse     // else keyword
 64 | 	itemEnd      // end keyword
 65 | 	itemIf       // if keyword
 66 | 	itemNil      // the untyped nil constant, easiest to treat as a keyword
 67 | 	itemRange    // range keyword
 68 | 	itemTemplate // template keyword
 69 | 	itemWith     // with keyword
 70 | 	itemSlot     // slot keyword
 71 | 	itemFill     // fill keyword
 72 | )
 73 | 
 74 | var key = map[string]itemType{
 75 | 	".":        itemDot,
 76 | 	"define":   itemDefine,
 77 | 	"else":     itemElse,
 78 | 	"end":      itemEnd,
 79 | 	"if":       itemIf,
 80 | 	"range":    itemRange,
 81 | 	"nil":      itemNil,
 82 | 	"template": itemTemplate,
 83 | 	"with":     itemWith,
 84 | 	"slot":     itemSlot,
 85 | 	"fill":     itemFill,
 86 | }
 87 | 
 88 | const eof = -1
 89 | 
 90 | // stateFn represents the state of the scanner as a function that returns the next state.
 91 | type stateFn func(*lexer) stateFn
 92 | 
 93 | // lexer holds the state of the scanner.
 94 | type lexer struct {
 95 | 	name       string    // the name of the input; used only for error reports
 96 | 	input      string    // the string being scanned
 97 | 	leftDelim  string    // start of action
 98 | 	rightDelim string    // end of action
 99 | 	state      stateFn   // the next lexing function to enter
100 | 	pos        Pos       // current position in the input
101 | 	start      Pos       // start position of this item
102 | 	width      Pos       // width of last rune read from input
103 | 	lastPos    Pos       // position of most recent item returned by nextItem
104 | 	items      chan item // channel of scanned items
105 | 	parenDepth int       // nesting depth of ( ) exprs
106 | }
107 | 
108 | // next returns the next rune in the input.
109 | func (l *lexer) next() rune {
110 | 	if int(l.pos) >= len(l.input) {
111 | 		l.width = 0
112 | 		return eof
113 | 	}
114 | 	r, w := utf8.DecodeRuneInString(l.input[l.pos:])
115 | 	l.width = Pos(w)
116 | 	l.pos += l.width
117 | 	return r
118 | }
119 | 
120 | // peek returns but does not consume the next rune in the input.
121 | func (l *lexer) peek() rune {
122 | 	r := l.next()
123 | 	l.backup()
124 | 	return r
125 | }
126 | 
127 | // backup steps back one rune. Can only be called once per call of next.
128 | func (l *lexer) backup() {
129 | 	l.pos -= l.width
130 | }
131 | 
132 | // emit passes an item back to the client.
133 | func (l *lexer) emit(t itemType) {
134 | 	l.items <- item{t, l.start, l.input[l.start:l.pos]}
135 | 	l.start = l.pos
136 | }
137 | 
138 | // ignore skips over the pending input before this point.
139 | func (l *lexer) ignore() {
140 | 	l.start = l.pos
141 | }
142 | 
143 | // accept consumes the next rune if it's from the valid set.
144 | func (l *lexer) accept(valid string) bool {
145 | 	if strings.IndexRune(valid, l.next()) >= 0 {
146 | 		return true
147 | 	}
148 | 	l.backup()
149 | 	return false
150 | }
151 | 
152 | // acceptRun consumes a run of runes from the valid set.
153 | func (l *lexer) acceptRun(valid string) {
154 | 	for strings.IndexRune(valid, l.next()) >= 0 {
155 | 	}
156 | 	l.backup()
157 | }
158 | 
159 | // lineNumber reports which line we're on, based on the position of
160 | // the previous item returned by nextItem. Doing it this way
161 | // means we don't have to worry about peek double counting.
162 | func (l *lexer) lineNumber() int {
163 | 	return 1 + strings.Count(l.input[:l.lastPos], "\n")
164 | }
165 | 
166 | // errorf returns an error token and terminates the scan by passing
167 | // back a nil pointer that will be the next state, terminating l.nextItem.
168 | func (l *lexer) errorf(format string, args ...interface{}) stateFn {
169 | 	l.items <- item{itemError, l.start, fmt.Sprintf(format, args...)}
170 | 	return nil
171 | }
172 | 
173 | // nextItem returns the next item from the input.
174 | func (l *lexer) nextItem() item {
175 | 	item := <-l.items
176 | 	l.lastPos = item.pos
177 | 	return item
178 | }
179 | 
180 | // lex creates a new scanner for the input string.
181 | func lex(name, input, left, right string) *lexer {
182 | 	if left == "" {
183 | 		left = leftDelim
184 | 	}
185 | 	if right == "" {
186 | 		right = rightDelim
187 | 	}
188 | 	l := &lexer{
189 | 		name:       name,
190 | 		input:      input,
191 | 		leftDelim:  left,
192 | 		rightDelim: right,
193 | 		items:      make(chan item),
194 | 	}
195 | 	go l.run()
196 | 	return l
197 | }
198 | 
199 | // run runs the state machine for the lexer.
200 | func (l *lexer) run() {
201 | 	for l.state = lexText; l.state != nil; {
202 | 		l.state = l.state(l)
203 | 	}
204 | }
205 | 
206 | // state functions
207 | 
208 | const (
209 | 	leftDelim    = "{{"
210 | 	rightDelim   = "}}"
211 | 	leftComment  = "/*"
212 | 	rightComment = "*/"
213 | )
214 | 
215 | // lexText scans until an opening action delimiter, "{{".
216 | func lexText(l *lexer) stateFn {
217 | 	for {
218 | 		if strings.HasPrefix(l.input[l.pos:], l.leftDelim) {
219 | 			if l.pos > l.start {
220 | 				l.emit(itemText)
221 | 			}
222 | 			return lexLeftDelim
223 | 		}
224 | 		if l.next() == eof {
225 | 			break
226 | 		}
227 | 	}
228 | 	// Correctly reached EOF.
229 | 	if l.pos > l.start {
230 | 		l.emit(itemText)
231 | 	}
232 | 	l.emit(itemEOF)
233 | 	return nil
234 | }
235 | 
236 | // lexLeftDelim scans the left delimiter, which is known to be present.
237 | func lexLeftDelim(l *lexer) stateFn {
238 | 	l.pos += Pos(len(l.leftDelim))
239 | 	if strings.HasPrefix(l.input[l.pos:], leftComment) {
240 | 		return lexComment
241 | 	}
242 | 	l.emit(itemLeftDelim)
243 | 	l.parenDepth = 0
244 | 	return lexInsideAction
245 | }
246 | 
247 | // lexComment scans a comment. The left comment marker is known to be present.
248 | func lexComment(l *lexer) stateFn {
249 | 	l.pos += Pos(len(leftComment))
250 | 	i := strings.Index(l.input[l.pos:], rightComment+l.rightDelim)
251 | 	if i < 0 {
252 | 		return l.errorf("unclosed comment")
253 | 	}
254 | 	l.pos += Pos(i + len(rightComment) + len(l.rightDelim))
255 | 	l.ignore()
256 | 	return lexText
257 | }
258 | 
259 | // lexRightDelim scans the right delimiter, which is known to be present.
260 | func lexRightDelim(l *lexer) stateFn {
261 | 	l.pos += Pos(len(l.rightDelim))
262 | 	l.emit(itemRightDelim)
263 | 	return lexText
264 | }
265 | 
266 | // lexInsideAction scans the elements inside action delimiters.
267 | func lexInsideAction(l *lexer) stateFn {
268 | 	// Either number, quoted string, or identifier.
269 | 	// Spaces separate arguments; runs of spaces turn into itemSpace.
270 | 	// Pipe symbols separate and are emitted.
271 | 	if strings.HasPrefix(l.input[l.pos:], l.rightDelim) {
272 | 		if l.parenDepth == 0 {
273 | 			return lexRightDelim
274 | 		}
275 | 		return l.errorf("unclosed left paren")
276 | 	}
277 | 	switch r := l.next(); {
278 | 	case r == eof || isEndOfLine(r):
279 | 		return l.errorf("unclosed action")
280 | 	case isSpace(r):
281 | 		return lexSpace
282 | 	case r == ':':
283 | 		if l.next() != '=' {
284 | 			return l.errorf("expected :=")
285 | 		}
286 | 		l.emit(itemColonEquals)
287 | 	case r == '|':
288 | 		l.emit(itemPipe)
289 | 	case r == '"':
290 | 		return lexQuote
291 | 	case r == '`':
292 | 		return lexRawQuote
293 | 	case r == '$':
294 | 		return lexVariable
295 | 	case r == '\'':
296 | 		return lexChar
297 | 	case r == '.':
298 | 		// special look-ahead for ".field" so we don't break l.backup().
299 | 		if l.pos < Pos(len(l.input)) {
300 | 			r := l.input[l.pos]
301 | 			if r < '0' || '9' < r {
302 | 				return lexField
303 | 			}
304 | 		}
305 | 		fallthrough // '.' can start a number.
306 | 	case r == '+' || r == '-' || ('0' <= r && r <= '9'):
307 | 		l.backup()
308 | 		return lexNumber
309 | 	case isAlphaNumeric(r):
310 | 		l.backup()
311 | 		return lexIdentifier
312 | 	case r == '(':
313 | 		l.emit(itemLeftParen)
314 | 		l.parenDepth++
315 | 		return lexInsideAction
316 | 	case r == ')':
317 | 		l.emit(itemRightParen)
318 | 		l.parenDepth--
319 | 		if l.parenDepth < 0 {
320 | 			return l.errorf("unexpected right paren %#U", r)
321 | 		}
322 | 		return lexInsideAction
323 | 	case r <= unicode.MaxASCII && unicode.IsPrint(r):
324 | 		l.emit(itemChar)
325 | 		return lexInsideAction
326 | 	default:
327 | 		return l.errorf("unrecognized character in action: %#U", r)
328 | 	}
329 | 	return lexInsideAction
330 | }
331 | 
332 | // lexSpace scans a run of space characters.
333 | // One space has already been seen.
334 | func lexSpace(l *lexer) stateFn {
335 | 	for isSpace(l.peek()) {
336 | 		l.next()
337 | 	}
338 | 	l.emit(itemSpace)
339 | 	return lexInsideAction
340 | }
341 | 
342 | // lexIdentifier scans an alphanumeric.
343 | func lexIdentifier(l *lexer) stateFn {
344 | Loop:
345 | 	for {
346 | 		switch r := l.next(); {
347 | 		case isAlphaNumeric(r):
348 | 			// absorb.
349 | 		default:
350 | 			l.backup()
351 | 			word := l.input[l.start:l.pos]
352 | 			if !l.atTerminator() {
353 | 				return l.errorf("bad character %#U", r)
354 | 			}
355 | 			switch {
356 | 			case key[word] > itemKeyword:
357 | 				l.emit(key[word])
358 | 			case word[0] == '.':
359 | 				l.emit(itemField)
360 | 			case word == "true", word == "false":
361 | 				l.emit(itemBool)
362 | 			default:
363 | 				l.emit(itemIdentifier)
364 | 			}
365 | 			break Loop
366 | 		}
367 | 	}
368 | 	return lexInsideAction
369 | }
370 | 
371 | // lexField scans a field: .Alphanumeric.
372 | // The . has been scanned.
373 | func lexField(l *lexer) stateFn {
374 | 	return lexFieldOrVariable(l, itemField)
375 | }
376 | 
377 | // lexVariable scans a Variable: $Alphanumeric.
378 | // The $ has been scanned.
379 | func lexVariable(l *lexer) stateFn {
380 | 	if l.atTerminator() { // Nothing interesting follows -> "$".
381 | 		l.emit(itemVariable)
382 | 		return lexInsideAction
383 | 	}
384 | 	return lexFieldOrVariable(l, itemVariable)
385 | }
386 | 
387 | // lexVariable scans a field or variable: [.$]Alphanumeric.
388 | // The . or $ has been scanned.
389 | func lexFieldOrVariable(l *lexer, typ itemType) stateFn {
390 | 	if l.atTerminator() { // Nothing interesting follows -> "." or "$".
391 | 		if typ == itemVariable {
392 | 			l.emit(itemVariable)
393 | 		} else {
394 | 			l.emit(itemDot)
395 | 		}
396 | 		return lexInsideAction
397 | 	}
398 | 	var r rune
399 | 	for {
400 | 		r = l.next()
401 | 		if !isAlphaNumeric(r) {
402 | 			l.backup()
403 | 			break
404 | 		}
405 | 	}
406 | 	if !l.atTerminator() {
407 | 		return l.errorf("bad character %#U", r)
408 | 	}
409 | 	l.emit(typ)
410 | 	return lexInsideAction
411 | }
412 | 
413 | // atTerminator reports whether the input is at valid termination character to
414 | // appear after an identifier. Breaks .X.Y into two pieces. Also catches cases
415 | // like "$x+2" not being acceptable without a space, in case we decide one
416 | // day to implement arithmetic.
417 | func (l *lexer) atTerminator() bool {
418 | 	r := l.peek()
419 | 	if isSpace(r) || isEndOfLine(r) {
420 | 		return true
421 | 	}
422 | 	switch r {
423 | 	case eof, '.', ',', '|', ':', ')', '(':
424 | 		return true
425 | 	}
426 | 	// Does r start the delimiter? This can be ambiguous (with delim=="//", $x/2 will
427 | 	// succeed but should fail) but only in extremely rare cases caused by willfully
428 | 	// bad choice of delimiter.
429 | 	if rd, _ := utf8.DecodeRuneInString(l.rightDelim); rd == r {
430 | 		return true
431 | 	}
432 | 	return false
433 | }
434 | 
435 | // lexChar scans a character constant. The initial quote is already
436 | // scanned. Syntax checking is done by the parser.
437 | func lexChar(l *lexer) stateFn {
438 | Loop:
439 | 	for {
440 | 		switch l.next() {
441 | 		case '\\':
442 | 			if r := l.next(); r != eof && r != '\n' {
443 | 				break
444 | 			}
445 | 			fallthrough
446 | 		case eof, '\n':
447 | 			return l.errorf("unterminated character constant")
448 | 		case '\'':
449 | 			break Loop
450 | 		}
451 | 	}
452 | 	l.emit(itemCharConstant)
453 | 	return lexInsideAction
454 | }
455 | 
456 | // lexNumber scans a number: decimal, octal, hex, float, or imaginary. This
457 | // isn't a perfect number scanner - for instance it accepts "." and "0x0.2"
458 | // and "089" - but when it's wrong the input is invalid and the parser (via
459 | // strconv) will notice.
460 | func lexNumber(l *lexer) stateFn {
461 | 	if !l.scanNumber() {
462 | 		return l.errorf("bad number syntax: %q", l.input[l.start:l.pos])
463 | 	}
464 | 	if sign := l.peek(); sign == '+' || sign == '-' {
465 | 		// Complex: 1+2i. No spaces, must end in 'i'.
466 | 		if !l.scanNumber() || l.input[l.pos-1] != 'i' {
467 | 			return l.errorf("bad number syntax: %q", l.input[l.start:l.pos])
468 | 		}
469 | 		l.emit(itemComplex)
470 | 	} else {
471 | 		l.emit(itemNumber)
472 | 	}
473 | 	return lexInsideAction
474 | }
475 | 
476 | func (l *lexer) scanNumber() bool {
477 | 	// Optional leading sign.
478 | 	l.accept("+-")
479 | 	// Is it hex?
480 | 	digits := "0123456789"
481 | 	if l.accept("0") && l.accept("xX") {
482 | 		digits = "0123456789abcdefABCDEF"
483 | 	}
484 | 	l.acceptRun(digits)
485 | 	if l.accept(".") {
486 | 		l.acceptRun(digits)
487 | 	}
488 | 	if l.accept("eE") {
489 | 		l.accept("+-")
490 | 		l.acceptRun("0123456789")
491 | 	}
492 | 	// Is it imaginary?
493 | 	l.accept("i")
494 | 	// Next thing mustn't be alphanumeric.
495 | 	if isAlphaNumeric(l.peek()) {
496 | 		l.next()
497 | 		return false
498 | 	}
499 | 	return true
500 | }
501 | 
502 | // lexQuote scans a quoted string.
503 | func lexQuote(l *lexer) stateFn {
504 | Loop:
505 | 	for {
506 | 		switch l.next() {
507 | 		case '\\':
508 | 			if r := l.next(); r != eof && r != '\n' {
509 | 				break
510 | 			}
511 | 			fallthrough
512 | 		case eof, '\n':
513 | 			return l.errorf("unterminated quoted string")
514 | 		case '"':
515 | 			break Loop
516 | 		}
517 | 	}
518 | 	l.emit(itemString)
519 | 	return lexInsideAction
520 | }
521 | 
522 | // lexRawQuote scans a raw quoted string.
523 | func lexRawQuote(l *lexer) stateFn {
524 | Loop:
525 | 	for {
526 | 		switch l.next() {
527 | 		case eof, '\n':
528 | 			return l.errorf("unterminated raw quoted string")
529 | 		case '`':
530 | 			break Loop
531 | 		}
532 | 	}
533 | 	l.emit(itemRawString)
534 | 	return lexInsideAction
535 | }
536 | 
537 | // isSpace reports whether r is a space character.
538 | func isSpace(r rune) bool {
539 | 	return r == ' ' || r == '\t'
540 | }
541 | 
542 | // isEndOfLine reports whether r is an end-of-line character.
543 | func isEndOfLine(r rune) bool {
544 | 	return r == '\r' || r == '\n'
545 | }
546 | 
547 | // isAlphaNumeric reports whether r is an alphabetic, digit, or underscore.
548 | func isAlphaNumeric(r rune) bool {
549 | 	return r == '_' || unicode.IsLetter(r) || unicode.IsDigit(r)
550 | }
551 | 


--------------------------------------------------------------------------------
/v0/parse/lex_test.go:
--------------------------------------------------------------------------------
  1 | // Copyright 2011 The Go Authors. All rights reserved.
  2 | // Use of this source code is governed by a BSD-style
  3 | // license that can be found in the LICENSE file.
  4 | 
  5 | package parse
  6 | 
  7 | import (
  8 | 	"fmt"
  9 | 	"testing"
 10 | )
 11 | 
 12 | // Make the types prettyprint.
 13 | var itemName = map[itemType]string{
 14 | 	itemError:        "error",
 15 | 	itemBool:         "bool",
 16 | 	itemChar:         "char",
 17 | 	itemCharConstant: "charconst",
 18 | 	itemComplex:      "complex",
 19 | 	itemColonEquals:  ":=",
 20 | 	itemEOF:          "EOF",
 21 | 	itemField:        "field",
 22 | 	itemIdentifier:   "identifier",
 23 | 	itemLeftDelim:    "left delim",
 24 | 	itemLeftParen:    "(",
 25 | 	itemNumber:       "number",
 26 | 	itemPipe:         "pipe",
 27 | 	itemRawString:    "raw string",
 28 | 	itemRightDelim:   "right delim",
 29 | 	itemRightParen:   ")",
 30 | 	itemSpace:        "space",
 31 | 	itemString:       "string",
 32 | 	itemVariable:     "variable",
 33 | 
 34 | 	// keywords
 35 | 	itemDot:      ".",
 36 | 	itemDefine:   "define",
 37 | 	itemElse:     "else",
 38 | 	itemIf:       "if",
 39 | 	itemEnd:      "end",
 40 | 	itemNil:      "nil",
 41 | 	itemRange:    "range",
 42 | 	itemTemplate: "template",
 43 | 	itemWith:     "with",
 44 | }
 45 | 
 46 | func (i itemType) String() string {
 47 | 	s := itemName[i]
 48 | 	if s == "" {
 49 | 		return fmt.Sprintf("item%d", int(i))
 50 | 	}
 51 | 	return s
 52 | }
 53 | 
 54 | type lexTest struct {
 55 | 	name  string
 56 | 	input string
 57 | 	items []item
 58 | }
 59 | 
 60 | var (
 61 | 	tEOF      = item{itemEOF, 0, ""}
 62 | 	tFor      = item{itemIdentifier, 0, "for"}
 63 | 	tLeft     = item{itemLeftDelim, 0, "{{"}
 64 | 	tLpar     = item{itemLeftParen, 0, "("}
 65 | 	tPipe     = item{itemPipe, 0, "|"}
 66 | 	tQuote    = item{itemString, 0, `"abc \n\t\" "`}
 67 | 	tRange    = item{itemRange, 0, "range"}
 68 | 	tRight    = item{itemRightDelim, 0, "}}"}
 69 | 	tRpar     = item{itemRightParen, 0, ")"}
 70 | 	tSpace    = item{itemSpace, 0, " "}
 71 | 	raw       = "`" + `abc\n\t\" ` + "`"
 72 | 	tRawQuote = item{itemRawString, 0, raw}
 73 | )
 74 | 
 75 | var lexTests = []lexTest{
 76 | 	{"empty", "", []item{tEOF}},
 77 | 	{"spaces", " \t\n", []item{{itemText, 0, " \t\n"}, tEOF}},
 78 | 	{"text", `now is the time`, []item{{itemText, 0, "now is the time"}, tEOF}},
 79 | 	{"text with comment", "hello-{{/* this is a comment */}}-world", []item{
 80 | 		{itemText, 0, "hello-"},
 81 | 		{itemText, 0, "-world"},
 82 | 		tEOF,
 83 | 	}},
 84 | 	{"punctuation", "{{,@% }}", []item{
 85 | 		tLeft,
 86 | 		{itemChar, 0, ","},
 87 | 		{itemChar, 0, "@"},
 88 | 		{itemChar, 0, "%"},
 89 | 		tSpace,
 90 | 		tRight,
 91 | 		tEOF,
 92 | 	}},
 93 | 	{"parens", "{{((3))}}", []item{
 94 | 		tLeft,
 95 | 		tLpar,
 96 | 		tLpar,
 97 | 		{itemNumber, 0, "3"},
 98 | 		tRpar,
 99 | 		tRpar,
100 | 		tRight,
101 | 		tEOF,
102 | 	}},
103 | 	{"empty action", `{{}}`, []item{tLeft, tRight, tEOF}},
104 | 	{"for", `{{for}}`, []item{tLeft, tFor, tRight, tEOF}},
105 | 	{"quote", `{{"abc \n\t\" "}}`, []item{tLeft, tQuote, tRight, tEOF}},
106 | 	{"raw quote", "{{" + raw + "}}", []item{tLeft, tRawQuote, tRight, tEOF}},
107 | 	{"numbers", "{{1 02 0x14 -7.2i 1e3 +1.2e-4 4.2i 1+2i}}", []item{
108 | 		tLeft,
109 | 		{itemNumber, 0, "1"},
110 | 		tSpace,
111 | 		{itemNumber, 0, "02"},
112 | 		tSpace,
113 | 		{itemNumber, 0, "0x14"},
114 | 		tSpace,
115 | 		{itemNumber, 0, "-7.2i"},
116 | 		tSpace,
117 | 		{itemNumber, 0, "1e3"},
118 | 		tSpace,
119 | 		{itemNumber, 0, "+1.2e-4"},
120 | 		tSpace,
121 | 		{itemNumber, 0, "4.2i"},
122 | 		tSpace,
123 | 		{itemComplex, 0, "1+2i"},
124 | 		tRight,
125 | 		tEOF,
126 | 	}},
127 | 	{"characters", `{{'a' '\n' '\'' '\\' '\u00FF' '\xFF' '本'}}`, []item{
128 | 		tLeft,
129 | 		{itemCharConstant, 0, `'a'`},
130 | 		tSpace,
131 | 		{itemCharConstant, 0, `'\n'`},
132 | 		tSpace,
133 | 		{itemCharConstant, 0, `'\''`},
134 | 		tSpace,
135 | 		{itemCharConstant, 0, `'\\'`},
136 | 		tSpace,
137 | 		{itemCharConstant, 0, `'\u00FF'`},
138 | 		tSpace,
139 | 		{itemCharConstant, 0, `'\xFF'`},
140 | 		tSpace,
141 | 		{itemCharConstant, 0, `'本'`},
142 | 		tRight,
143 | 		tEOF,
144 | 	}},
145 | 	{"bools", "{{true false}}", []item{
146 | 		tLeft,
147 | 		{itemBool, 0, "true"},
148 | 		tSpace,
149 | 		{itemBool, 0, "false"},
150 | 		tRight,
151 | 		tEOF,
152 | 	}},
153 | 	{"dot", "{{.}}", []item{
154 | 		tLeft,
155 | 		{itemDot, 0, "."},
156 | 		tRight,
157 | 		tEOF,
158 | 	}},
159 | 	{"nil", "{{nil}}", []item{
160 | 		tLeft,
161 | 		{itemNil, 0, "nil"},
162 | 		tRight,
163 | 		tEOF,
164 | 	}},
165 | 	{"dots", "{{.x . .2 .x.y.z}}", []item{
166 | 		tLeft,
167 | 		{itemField, 0, ".x"},
168 | 		tSpace,
169 | 		{itemDot, 0, "."},
170 | 		tSpace,
171 | 		{itemNumber, 0, ".2"},
172 | 		tSpace,
173 | 		{itemField, 0, ".x"},
174 | 		{itemField, 0, ".y"},
175 | 		{itemField, 0, ".z"},
176 | 		tRight,
177 | 		tEOF,
178 | 	}},
179 | 	{"keywords", "{{range if else end with}}", []item{
180 | 		tLeft,
181 | 		{itemRange, 0, "range"},
182 | 		tSpace,
183 | 		{itemIf, 0, "if"},
184 | 		tSpace,
185 | 		{itemElse, 0, "else"},
186 | 		tSpace,
187 | 		{itemEnd, 0, "end"},
188 | 		tSpace,
189 | 		{itemWith, 0, "with"},
190 | 		tRight,
191 | 		tEOF,
192 | 	}},
193 | 	{"variables", "{{$c := printf $ $hello $23 $ $var.Field .Method}}", []item{
194 | 		tLeft,
195 | 		{itemVariable, 0, "$c"},
196 | 		tSpace,
197 | 		{itemColonEquals, 0, ":="},
198 | 		tSpace,
199 | 		{itemIdentifier, 0, "printf"},
200 | 		tSpace,
201 | 		{itemVariable, 0, "$"},
202 | 		tSpace,
203 | 		{itemVariable, 0, "$hello"},
204 | 		tSpace,
205 | 		{itemVariable, 0, "$23"},
206 | 		tSpace,
207 | 		{itemVariable, 0, "$"},
208 | 		tSpace,
209 | 		{itemVariable, 0, "$var"},
210 | 		{itemField, 0, ".Field"},
211 | 		tSpace,
212 | 		{itemField, 0, ".Method"},
213 | 		tRight,
214 | 		tEOF,
215 | 	}},
216 | 	{"variable invocation", "{{$x 23}}", []item{
217 | 		tLeft,
218 | 		{itemVariable, 0, "$x"},
219 | 		tSpace,
220 | 		{itemNumber, 0, "23"},
221 | 		tRight,
222 | 		tEOF,
223 | 	}},
224 | 	{"pipeline", `intro {{echo hi 1.2 |noargs|args 1 "hi"}} outro`, []item{
225 | 		{itemText, 0, "intro "},
226 | 		tLeft,
227 | 		{itemIdentifier, 0, "echo"},
228 | 		tSpace,
229 | 		{itemIdentifier, 0, "hi"},
230 | 		tSpace,
231 | 		{itemNumber, 0, "1.2"},
232 | 		tSpace,
233 | 		tPipe,
234 | 		{itemIdentifier, 0, "noargs"},
235 | 		tPipe,
236 | 		{itemIdentifier, 0, "args"},
237 | 		tSpace,
238 | 		{itemNumber, 0, "1"},
239 | 		tSpace,
240 | 		{itemString, 0, `"hi"`},
241 | 		tRight,
242 | 		{itemText, 0, " outro"},
243 | 		tEOF,
244 | 	}},
245 | 	{"declaration", "{{$v := 3}}", []item{
246 | 		tLeft,
247 | 		{itemVariable, 0, "$v"},
248 | 		tSpace,
249 | 		{itemColonEquals, 0, ":="},
250 | 		tSpace,
251 | 		{itemNumber, 0, "3"},
252 | 		tRight,
253 | 		tEOF,
254 | 	}},
255 | 	{"2 declarations", "{{$v , $w := 3}}", []item{
256 | 		tLeft,
257 | 		{itemVariable, 0, "$v"},
258 | 		tSpace,
259 | 		{itemChar, 0, ","},
260 | 		tSpace,
261 | 		{itemVariable, 0, "$w"},
262 | 		tSpace,
263 | 		{itemColonEquals, 0, ":="},
264 | 		tSpace,
265 | 		{itemNumber, 0, "3"},
266 | 		tRight,
267 | 		tEOF,
268 | 	}},
269 | 	{"field of parenthesized expression", "{{(.X).Y}}", []item{
270 | 		tLeft,
271 | 		tLpar,
272 | 		{itemField, 0, ".X"},
273 | 		tRpar,
274 | 		{itemField, 0, ".Y"},
275 | 		tRight,
276 | 		tEOF,
277 | 	}},
278 | 	// errors
279 | 	{"badchar", "#{{\x01}}", []item{
280 | 		{itemText, 0, "#"},
281 | 		tLeft,
282 | 		{itemError, 0, "unrecognized character in action: U+0001"},
283 | 	}},
284 | 	{"unclosed action", "{{\n}}", []item{
285 | 		tLeft,
286 | 		{itemError, 0, "unclosed action"},
287 | 	}},
288 | 	{"EOF in action", "{{range", []item{
289 | 		tLeft,
290 | 		tRange,
291 | 		{itemError, 0, "unclosed action"},
292 | 	}},
293 | 	{"unclosed quote", "{{\"\n\"}}", []item{
294 | 		tLeft,
295 | 		{itemError, 0, "unterminated quoted string"},
296 | 	}},
297 | 	{"unclosed raw quote", "{{`xx\n`}}", []item{
298 | 		tLeft,
299 | 		{itemError, 0, "unterminated raw quoted string"},
300 | 	}},
301 | 	{"unclosed char constant", "{{'\n}}", []item{
302 | 		tLeft,
303 | 		{itemError, 0, "unterminated character constant"},
304 | 	}},
305 | 	{"bad number", "{{3k}}", []item{
306 | 		tLeft,
307 | 		{itemError, 0, `bad number syntax: "3k"`},
308 | 	}},
309 | 	{"unclosed paren", "{{(3}}", []item{
310 | 		tLeft,
311 | 		tLpar,
312 | 		{itemNumber, 0, "3"},
313 | 		{itemError, 0, `unclosed left paren`},
314 | 	}},
315 | 	{"extra right paren", "{{3)}}", []item{
316 | 		tLeft,
317 | 		{itemNumber, 0, "3"},
318 | 		tRpar,
319 | 		{itemError, 0, `unexpected right paren U+0029 ')'`},
320 | 	}},
321 | 
322 | 	// Fixed bugs
323 | 	// Many elements in an action blew the lookahead until
324 | 	// we made lexInsideAction not loop.
325 | 	{"long pipeline deadlock", "{{|||||}}", []item{
326 | 		tLeft,
327 | 		tPipe,
328 | 		tPipe,
329 | 		tPipe,
330 | 		tPipe,
331 | 		tPipe,
332 | 		tRight,
333 | 		tEOF,
334 | 	}},
335 | 	{"text with bad comment", "hello-{{/*/}}-world", []item{
336 | 		{itemText, 0, "hello-"},
337 | 		{itemError, 0, `unclosed comment`},
338 | 	}},
339 | }
340 | 
341 | // collect gathers the emitted items into a slice.
342 | func collect(t *lexTest, left, right string) (items []item) {
343 | 	l := lex(t.name, t.input, left, right)
344 | 	for {
345 | 		item := l.nextItem()
346 | 		items = append(items, item)
347 | 		if item.typ == itemEOF || item.typ == itemError {
348 | 			break
349 | 		}
350 | 	}
351 | 	return
352 | }
353 | 
354 | func equal(i1, i2 []item, checkPos bool) bool {
355 | 	if len(i1) != len(i2) {
356 | 		return false
357 | 	}
358 | 	for k := range i1 {
359 | 		if i1[k].typ != i2[k].typ {
360 | 			return false
361 | 		}
362 | 		if i1[k].val != i2[k].val {
363 | 			return false
364 | 		}
365 | 		if checkPos && i1[k].pos != i2[k].pos {
366 | 			return false
367 | 		}
368 | 	}
369 | 	return true
370 | }
371 | 
372 | func TestLex(t *testing.T) {
373 | 	for _, test := range lexTests {
374 | 		items := collect(&test, "", "")
375 | 		if !equal(items, test.items, false) {
376 | 			t.Errorf("%s: got\n\t%+v\nexpected\n\t%v", test.name, items, test.items)
377 | 		}
378 | 	}
379 | }
380 | 
381 | // Some easy cases from above, but with delimiters $$ and @@
382 | var lexDelimTests = []lexTest{
383 | 	{"punctuation", "$$,@%{{}}@@", []item{
384 | 		tLeftDelim,
385 | 		{itemChar, 0, ","},
386 | 		{itemChar, 0, "@"},
387 | 		{itemChar, 0, "%"},
388 | 		{itemChar, 0, "{"},
389 | 		{itemChar, 0, "{"},
390 | 		{itemChar, 0, "}"},
391 | 		{itemChar, 0, "}"},
392 | 		tRightDelim,
393 | 		tEOF,
394 | 	}},
395 | 	{"empty action", `$$@@`, []item{tLeftDelim, tRightDelim, tEOF}},
396 | 	{"for", `$$for@@`, []item{tLeftDelim, tFor, tRightDelim, tEOF}},
397 | 	{"quote", `$$"abc \n\t\" "@@`, []item{tLeftDelim, tQuote, tRightDelim, tEOF}},
398 | 	{"raw quote", "$$" + raw + "@@", []item{tLeftDelim, tRawQuote, tRightDelim, tEOF}},
399 | }
400 | 
401 | var (
402 | 	tLeftDelim  = item{itemLeftDelim, 0, "$$"}
403 | 	tRightDelim = item{itemRightDelim, 0, "@@"}
404 | )
405 | 
406 | func TestDelims(t *testing.T) {
407 | 	for _, test := range lexDelimTests {
408 | 		items := collect(&test, "$$", "@@")
409 | 		if !equal(items, test.items, false) {
410 | 			t.Errorf("%s: got\n\t%v\nexpected\n\t%v", test.name, items, test.items)
411 | 		}
412 | 	}
413 | }
414 | 
415 | var lexPosTests = []lexTest{
416 | 	{"empty", "", []item{tEOF}},
417 | 	{"punctuation", "{{,@%#}}", []item{
418 | 		{itemLeftDelim, 0, "{{"},
419 | 		{itemChar, 2, ","},
420 | 		{itemChar, 3, "@"},
421 | 		{itemChar, 4, "%"},
422 | 		{itemChar, 5, "#"},
423 | 		{itemRightDelim, 6, "}}"},
424 | 		{itemEOF, 8, ""},
425 | 	}},
426 | 	{"sample", "0123{{hello}}xyz", []item{
427 | 		{itemText, 0, "0123"},
428 | 		{itemLeftDelim, 4, "{{"},
429 | 		{itemIdentifier, 6, "hello"},
430 | 		{itemRightDelim, 11, "}}"},
431 | 		{itemText, 13, "xyz"},
432 | 		{itemEOF, 16, ""},
433 | 	}},
434 | }
435 | 
436 | // The other tests don't check position, to make the test cases easier to construct.
437 | // This one does.
438 | func TestPos(t *testing.T) {
439 | 	for _, test := range lexPosTests {
440 | 		items := collect(&test, "", "")
441 | 		if !equal(items, test.items, true) {
442 | 			t.Errorf("%s: got\n\t%v\nexpected\n\t%v", test.name, items, test.items)
443 | 			if len(items) == len(test.items) {
444 | 				// Detailed print; avoid item.String() to expose the position value.
445 | 				for i := range items {
446 | 					if !equal(items[i:i+1], test.items[i:i+1], true) {
447 | 						i1 := items[i]
448 | 						i2 := test.items[i]
449 | 						t.Errorf("\t#%d: got {%v %d %q} expected  {%v %d %q}", i, i1.typ, i1.pos, i1.val, i2.typ, i2.pos, i2.val)
450 | 					}
451 | 				}
452 | 			}
453 | 		}
454 | 	}
455 | }
456 | 


--------------------------------------------------------------------------------
/v0/parse/parse_test.go:
--------------------------------------------------------------------------------
  1 | // Copyright 2011 The Go Authors. All rights reserved.
  2 | // Use of this source code is governed by a BSD-style
  3 | // license that can be found in the LICENSE file.
  4 | 
  5 | package parse
  6 | 
  7 | import (
  8 | 	"flag"
  9 | 	"fmt"
 10 | 	"strings"
 11 | 	"testing"
 12 | )
 13 | 
 14 | var debug = flag.Bool("debug", false, "show the errors produced by the main tests")
 15 | 
 16 | type numberTest struct {
 17 | 	text      string
 18 | 	isInt     bool
 19 | 	isUint    bool
 20 | 	isFloat   bool
 21 | 	isComplex bool
 22 | 	int64
 23 | 	uint64
 24 | 	float64
 25 | 	complex128
 26 | }
 27 | 
 28 | var numberTests = []numberTest{
 29 | 	// basics
 30 | 	{"0", true, true, true, false, 0, 0, 0, 0},
 31 | 	{"-0", true, true, true, false, 0, 0, 0, 0}, // check that -0 is a uint.
 32 | 	{"73", true, true, true, false, 73, 73, 73, 0},
 33 | 	{"073", true, true, true, false, 073, 073, 073, 0},
 34 | 	{"0x73", true, true, true, false, 0x73, 0x73, 0x73, 0},
 35 | 	{"-73", true, false, true, false, -73, 0, -73, 0},
 36 | 	{"+73", true, false, true, false, 73, 0, 73, 0},
 37 | 	{"100", true, true, true, false, 100, 100, 100, 0},
 38 | 	{"1e9", true, true, true, false, 1e9, 1e9, 1e9, 0},
 39 | 	{"-1e9", true, false, true, false, -1e9, 0, -1e9, 0},
 40 | 	{"-1.2", false, false, true, false, 0, 0, -1.2, 0},
 41 | 	{"1e19", false, true, true, false, 0, 1e19, 1e19, 0},
 42 | 	{"-1e19", false, false, true, false, 0, 0, -1e19, 0},
 43 | 	{"4i", false, false, false, true, 0, 0, 0, 4i},
 44 | 	{"-1.2+4.2i", false, false, false, true, 0, 0, 0, -1.2 + 4.2i},
 45 | 	{"073i", false, false, false, true, 0, 0, 0, 73i}, // not octal!
 46 | 	// complex with 0 imaginary are float (and maybe integer)
 47 | 	{"0i", true, true, true, true, 0, 0, 0, 0},
 48 | 	{"-1.2+0i", false, false, true, true, 0, 0, -1.2, -1.2},
 49 | 	{"-12+0i", true, false, true, true, -12, 0, -12, -12},
 50 | 	{"13+0i", true, true, true, true, 13, 13, 13, 13},
 51 | 	// funny bases
 52 | 	{"0123", true, true, true, false, 0123, 0123, 0123, 0},
 53 | 	{"-0x0", true, true, true, false, 0, 0, 0, 0},
 54 | 	{"0xdeadbeef", true, true, true, false, 0xdeadbeef, 0xdeadbeef, 0xdeadbeef, 0},
 55 | 	// character constants
 56 | 	{`'a'`, true, true, true, false, 'a', 'a', 'a', 0},
 57 | 	{`'\n'`, true, true, true, false, '\n', '\n', '\n', 0},
 58 | 	{`'\\'`, true, true, true, false, '\\', '\\', '\\', 0},
 59 | 	{`'\''`, true, true, true, false, '\'', '\'', '\'', 0},
 60 | 	{`'\xFF'`, true, true, true, false, 0xFF, 0xFF, 0xFF, 0},
 61 | 	{`'パ'`, true, true, true, false, 0x30d1, 0x30d1, 0x30d1, 0},
 62 | 	{`'\u30d1'`, true, true, true, false, 0x30d1, 0x30d1, 0x30d1, 0},
 63 | 	{`'\U000030d1'`, true, true, true, false, 0x30d1, 0x30d1, 0x30d1, 0},
 64 | 	// some broken syntax
 65 | 	{text: "+-2"},
 66 | 	{text: "0x123."},
 67 | 	{text: "1e."},
 68 | 	{text: "0xi."},
 69 | 	{text: "1+2."},
 70 | 	{text: "'x"},
 71 | 	{text: "'xx'"},
 72 | }
 73 | 
 74 | func TestNumberParse(t *testing.T) {
 75 | 	for _, test := range numberTests {
 76 | 		// If fmt.Sscan thinks it's complex, it's complex.  We can't trust the output
 77 | 		// because imaginary comes out as a number.
 78 | 		var c complex128
 79 | 		typ := itemNumber
 80 | 		if test.text[0] == '\'' {
 81 | 			typ = itemCharConstant
 82 | 		} else {
 83 | 			_, err := fmt.Sscan(test.text, &c)
 84 | 			if err == nil {
 85 | 				typ = itemComplex
 86 | 			}
 87 | 		}
 88 | 		n, err := newNumber(0, test.text, typ)
 89 | 		ok := test.isInt || test.isUint || test.isFloat || test.isComplex
 90 | 		if ok && err != nil {
 91 | 			t.Errorf("unexpected error for %q: %s", test.text, err)
 92 | 			continue
 93 | 		}
 94 | 		if !ok && err == nil {
 95 | 			t.Errorf("expected error for %q", test.text)
 96 | 			continue
 97 | 		}
 98 | 		if !ok {
 99 | 			if *debug {
100 | 				fmt.Printf("%s\n\t%s\n", test.text, err)
101 | 			}
102 | 			continue
103 | 		}
104 | 		if n.IsComplex != test.isComplex {
105 | 			t.Errorf("complex incorrect for %q; should be %t", test.text, test.isComplex)
106 | 		}
107 | 		if test.isInt {
108 | 			if !n.IsInt {
109 | 				t.Errorf("expected integer for %q", test.text)
110 | 			}
111 | 			if n.Int64 != test.int64 {
112 | 				t.Errorf("int64 for %q should be %d Is %d", test.text, test.int64, n.Int64)
113 | 			}
114 | 		} else if n.IsInt {
115 | 			t.Errorf("did not expect integer for %q", test.text)
116 | 		}
117 | 		if test.isUint {
118 | 			if !n.IsUint {
119 | 				t.Errorf("expected unsigned integer for %q", test.text)
120 | 			}
121 | 			if n.Uint64 != test.uint64 {
122 | 				t.Errorf("uint64 for %q should be %d Is %d", test.text, test.uint64, n.Uint64)
123 | 			}
124 | 		} else if n.IsUint {
125 | 			t.Errorf("did not expect unsigned integer for %q", test.text)
126 | 		}
127 | 		if test.isFloat {
128 | 			if !n.IsFloat {
129 | 				t.Errorf("expected float for %q", test.text)
130 | 			}
131 | 			if n.Float64 != test.float64 {
132 | 				t.Errorf("float64 for %q should be %g Is %g", test.text, test.float64, n.Float64)
133 | 			}
134 | 		} else if n.IsFloat {
135 | 			t.Errorf("did not expect float for %q", test.text)
136 | 		}
137 | 		if test.isComplex {
138 | 			if !n.IsComplex {
139 | 				t.Errorf("expected complex for %q", test.text)
140 | 			}
141 | 			if n.Complex128 != test.complex128 {
142 | 				t.Errorf("complex128 for %q should be %g Is %g", test.text, test.complex128, n.Complex128)
143 | 			}
144 | 		} else if n.IsComplex {
145 | 			t.Errorf("did not expect complex for %q", test.text)
146 | 		}
147 | 	}
148 | }
149 | 
150 | type parseTest struct {
151 | 	name   string
152 | 	input  string
153 | 	ok     bool
154 | 	result string // what the user would see in an error message.
155 | }
156 | 
157 | const (
158 | 	noError  = true
159 | 	hasError = false
160 | )
161 | 
162 | var parseTests = []parseTest{
163 | 	{"empty", "", noError,
164 | 		``},
165 | 	{"comment", "{{/*\n\n\n*/}}", noError,
166 | 		``},
167 | 	{"spaces", " \t\n", noError,
168 | 		" \t\n"},
169 | 	{"text", "some text", noError,
170 | 		`some text`},
171 | 	{"emptyAction", "{{}}", hasError,
172 | 		`{{}}`},
173 | 	{"field", "{{.X}}", noError,
174 | 		`{{.X}}`},
175 | 	{"simple command", "{{printf}}", noError,
176 | 		`{{printf}}`},
177 | 	{"$ invocation", "{{$}}", noError,
178 | 		"{{$}}"},
179 | 	{"variable invocation", "{{with $x := 3}}{{$x 23}}{{end}}", noError,
180 | 		"{{with $x := 3}}{{$x 23}}{{end}}"},
181 | 	{"variable with fields", "{{$.I}}", noError,
182 | 		"{{$.I}}"},
183 | 	{"multi-word command", "{{printf `%d` 23}}", noError,
184 | 		"{{printf `%d` 23}}"},
185 | 	{"pipeline", "{{.X|.Y}}", noError,
186 | 		`{{.X | .Y}}`},
187 | 	{"pipeline with decl", "{{$x := .X|.Y}}", noError,
188 | 		`{{$x := .X | .Y}}`},
189 | 	{"nested pipeline", "{{.X (.Y .Z) (.A | .B .C) (.E)}}", noError,
190 | 		`{{.X (.Y .Z) (.A | .B .C) (.E)}}`},
191 | 	{"field applied to parentheses", "{{(.Y .Z).Field}}", noError,
192 | 		`{{(.Y .Z).Field}}`},
193 | 	{"simple if", "{{if .X}}hello{{end}}", noError,
194 | 		`{{if .X}}hello{{end}}`},
195 | 	{"if with else", "{{if .X}}true{{else}}false{{end}}", noError,
196 | 		`{{if .X}}true{{else}}false{{end}}`},
197 | 	{"simple range", "{{range .X}}hello{{end}}", noError,
198 | 		`{{range .X}}hello{{end}}`},
199 | 	{"chained field range", "{{range .X.Y.Z}}hello{{end}}", noError,
200 | 		`{{range .X.Y.Z}}hello{{end}}`},
201 | 	{"nested range", "{{range .X}}hello{{range .Y}}goodbye{{end}}{{end}}", noError,
202 | 		`{{range .X}}hello{{range .Y}}goodbye{{end}}{{end}}`},
203 | 	{"range with else", "{{range .X}}true{{else}}false{{end}}", noError,
204 | 		`{{range .X}}true{{else}}false{{end}}`},
205 | 	{"range over pipeline", "{{range .X|.M}}true{{else}}false{{end}}", noError,
206 | 		`{{range .X | .M}}true{{else}}false{{end}}`},
207 | 	{"range []int", "{{range .SI}}{{.}}{{end}}", noError,
208 | 		`{{range .SI}}{{.}}{{end}}`},
209 | 	{"range 1 var", "{{range $x := .SI}}{{.}}{{end}}", noError,
210 | 		`{{range $x := .SI}}{{.}}{{end}}`},
211 | 	{"range 2 vars", "{{range $x, $y := .SI}}{{.}}{{end}}", noError,
212 | 		`{{range $x, $y := .SI}}{{.}}{{end}}`},
213 | 	{"constants", "{{range .SI 1 -3.2i true false 'a' nil}}{{end}}", noError,
214 | 		`{{range .SI 1 -3.2i true false 'a' nil}}{{end}}`},
215 | 	{"template", "{{template `x`}}", noError,
216 | 		`{{template "x"}}`},
217 | 	{"template with arg", "{{template `x` .Y}}", noError,
218 | 		`{{template "x" .Y}}`},
219 | 	{"with", "{{with .X}}hello{{end}}", noError,
220 | 		`{{with .X}}hello{{end}}`},
221 | 	{"with with else", "{{with .X}}hello{{else}}goodbye{{end}}", noError,
222 | 		`{{with .X}}hello{{else}}goodbye{{end}}`},
223 | 	// Errors.
224 | 	{"unclosed action", "hello{{range", hasError, ""},
225 | 	{"unmatched end", "{{end}}", hasError, ""},
226 | 	{"missing end", "hello{{range .x}}", hasError, ""},
227 | 	{"missing end after else", "hello{{range .x}}{{else}}", hasError, ""},
228 | 	{"undefined function", "hello{{undefined}}", hasError, ""},
229 | 	{"undefined variable", "{{$x}}", hasError, ""},
230 | 	{"variable undefined after end", "{{with $x := 4}}{{end}}{{$x}}", hasError, ""},
231 | 	{"variable undefined in template", "{{template $v}}", hasError, ""},
232 | 	{"declare with field", "{{with $x.Y := 4}}{{end}}", hasError, ""},
233 | 	{"template with field ref", "{{template .X}}", hasError, ""},
234 | 	{"template with var", "{{template $v}}", hasError, ""},
235 | 	{"invalid punctuation", "{{printf 3, 4}}", hasError, ""},
236 | 	{"multidecl outside range", "{{with $v, $u := 3}}{{end}}", hasError, ""},
237 | 	{"too many decls in range", "{{range $u, $v, $w := 3}}{{end}}", hasError, ""},
238 | 	{"dot applied to parentheses", "{{printf (printf .).}}", hasError, ""},
239 | 	{"adjacent args", "{{printf 3`x`}}", hasError, ""},
240 | 	{"adjacent args with .", "{{printf `x`.}}", hasError, ""},
241 | 	// Equals (and other chars) do not assignments make (yet).
242 | 	{"bug0a", "{{$x := 0}}{{$x}}", noError, "{{$x := 0}}{{$x}}"},
243 | 	{"bug0b", "{{$x = 1}}{{$x}}", hasError, ""},
244 | 	{"bug0c", "{{$x ! 2}}{{$x}}", hasError, ""},
245 | 	{"bug0d", "{{$x % 3}}{{$x}}", hasError, ""},
246 | 	// Check the parse fails for := rather than comma.
247 | 	{"bug0e", "{{range $x := $y := 3}}{{end}}", hasError, ""},
248 | 	// Another bug: variable read must ignore following punctuation.
249 | 	{"bug1a", "{{$x:=.}}{{$x!2}}", hasError, ""},                     // ! is just illegal here.
250 | 	{"bug1b", "{{$x:=.}}{{$x+2}}", hasError, ""},                     // $x+2 should not parse as ($x) (+2).
251 | 	{"bug1c", "{{$x:=.}}{{$x +2}}", noError, "{{$x := .}}{{$x +2}}"}, // It's OK with a space.
252 | }
253 | 
254 | var builtins = map[string]interface{}{
255 | 	"printf": fmt.Sprintf,
256 | }
257 | 
258 | func testParse(doCopy bool, t *testing.T) {
259 | 	for _, test := range parseTests {
260 | 		tmpl, err := Parse(test.name, fmt.Sprintf(`{{define "%s"}}%s{{end}}`, test.name, test.input), "", "", builtins)
261 | 		switch {
262 | 		case err == nil && !test.ok:
263 | 			t.Errorf("%q: expected error; got none", test.name)
264 | 			continue
265 | 		case err != nil && test.ok:
266 | 			t.Errorf("%q: unexpected error: %v", test.name, err)
267 | 			continue
268 | 		case err != nil && !test.ok:
269 | 			// expected error, got one
270 | 			if *debug {
271 | 				fmt.Printf("%s: %s\n\t%s\n", test.name, test.input, err)
272 | 			}
273 | 			continue
274 | 		}
275 | 		var result string
276 | 		if doCopy {
277 | 			result = tmpl[test.name].Copy().String()
278 | 		} else {
279 | 			result = tmpl[test.name].String()
280 | 		}
281 | 		expected := fmt.Sprintf(`{{define "%s"}}%s{{end}}`, test.name, test.result)
282 | 		if result != expected {
283 | 			t.Errorf("%s=(%q): got\n\t%v\nexpected\n\t%v", test.name, test.input, result, expected)
284 | 		}
285 | 	}
286 | }
287 | 
288 | func TestParse(t *testing.T) {
289 | 	testParse(false, t)
290 | }
291 | 
292 | // Same as TestParse, but we copy the node first
293 | func TestParseCopy(t *testing.T) {
294 | 	testParse(true, t)
295 | }
296 | 
297 | type isEmptyTest struct {
298 | 	name  string
299 | 	input string
300 | 	empty bool
301 | }
302 | 
303 | // All failures, and the result is a string that must appear in the error message.
304 | //
305 | // TODO: adapt tests with {{define}}.
306 | var errorTests = []parseTest{
307 | 	// Check line numbers are accurate.
308 | 	//{"unclosed1",
309 | 	//	"line1\n{{",
310 | 	//	hasError, `unclosed1:2: unexpected unclosed action in command`},
311 | 	//{"unclosed2",
312 | 	//	"line1\n{{define `x`}}line2\n{{",
313 | 	//	hasError, `unclosed2:3: unexpected unclosed action in command`},
314 | 	// Specific errors.
315 | 	{"function",
316 | 		"{{foo}}",
317 | 		hasError, `function "foo" not defined`},
318 | 	{"comment",
319 | 		"{{/*}}",
320 | 		hasError, `unclosed comment`},
321 | 	{"lparen",
322 | 		"{{.X (1 2 3}}",
323 | 		hasError, `unclosed left paren`},
324 | 	{"rparen",
325 | 		"{{.X 1 2 3)}}",
326 | 		hasError, `unexpected ")"`},
327 | 	{"space",
328 | 		"{{`x`3}}",
329 | 		hasError, `missing space?`},
330 | 	{"idchar",
331 | 		"{{a#}}",
332 | 		hasError, `'#'`},
333 | 	{"charconst",
334 | 		"{{'a}}",
335 | 		hasError, `unterminated character constant`},
336 | 	{"stringconst",
337 | 		`{{"a}}`,
338 | 		hasError, `unterminated quoted string`},
339 | 	{"rawstringconst",
340 | 		"{{`a}}",
341 | 		hasError, `unterminated raw quoted string`},
342 | 	{"number",
343 | 		"{{0xi}}",
344 | 		hasError, `number syntax`},
345 | 	//{"multidefine",
346 | 	//	"{{define `a`}}a{{end}}{{define `a`}}b{{end}}",
347 | 	//	hasError, `multiple definition of template`},
348 | 	{"eof",
349 | 		"{{range .X}}",
350 | 		hasError, `unexpected EOF`},
351 | 	{"variable",
352 | 		// Declare $x so it's defined, to avoid that error, and then check we don't parse a declaration.
353 | 		"{{$x := 23}}{{with $x.y := 3}}{{$x 23}}{{end}}",
354 | 		hasError, `unexpected ":="`},
355 | 	{"multidecl",
356 | 		"{{$a,$b,$c := 23}}",
357 | 		hasError, `too many declarations`},
358 | 	{"undefvar",
359 | 		"{{$a}}",
360 | 		hasError, `undefined variable`},
361 | }
362 | 
363 | func TestErrors(t *testing.T) {
364 | 	for _, test := range errorTests {
365 | 		_, err := Parse(test.name, fmt.Sprintf(`{{define "%s"}}%s{{end}}`, test.name, test.input), "", "")
366 | 		if err == nil {
367 | 			t.Errorf("%q: expected error", test.name)
368 | 			continue
369 | 		}
370 | 		if !strings.Contains(err.Error(), test.result) {
371 | 			t.Errorf("%q: error %q does not contain %q", test.name, err, test.result)
372 | 		}
373 | 	}
374 | }
375 | 


--------------------------------------------------------------------------------
/v0/template.go:
--------------------------------------------------------------------------------
  1 | // Copyright 2011 The Go Authors. All rights reserved.
  2 | // Use of this source code is governed by a BSD-style
  3 | // license that can be found in the LICENSE file.
  4 | 
  5 | package template
  6 | 
  7 | import (
  8 | 	"fmt"
  9 | 	"io/ioutil"
 10 | 	"path/filepath"
 11 | 	"reflect"
 12 | 	"sync"
 13 | 
 14 | 	"github.com/gorilla/template/v0/escape"
 15 | 	"github.com/gorilla/template/v0/parse"
 16 | )
 17 | 
 18 | // Set stores a collection of parsed templates.
 19 | //
 20 | // To add templates call Set.Parse (or other parse methods):
 21 | //
 22 | //     set, err := new(Set).Parse(`{{define "hello"}}Hello, World.{{end}}`)
 23 | //     if err != nil {
 24 | //         // do something with the parsing error...
 25 | //     }
 26 | //
 27 | // To execute a template call Set.Execute passing an io.Writer, the name of
 28 | // the template to execute and related data:
 29 | //
 30 | //     err = set.Execute(os.Stderr, "hello", nil)
 31 | //     if err != nil {
 32 | //         // do something with the execution error...
 33 | //     }
 34 | type Set struct {
 35 | 	mutex      sync.Mutex
 36 | 	tree       parse.Tree
 37 | 	leftDelim  string
 38 | 	rightDelim string
 39 | 	escape     bool // compilation flag to perform contextual escaping
 40 | 	compiled   bool // compilation flag to lock the set after first execution
 41 | 	// We use two maps, one for parsing and one for execution.
 42 | 	parseFuncs FuncMap
 43 | 	execFuncs  map[string]reflect.Value
 44 | }
 45 | 
 46 | // init initializes the set fields to default values.
 47 | func (s *Set) init() {
 48 | 	if s.tree == nil {
 49 | 		s.tree = make(parse.Tree)
 50 | 	}
 51 | 	if s.execFuncs == nil {
 52 | 		s.execFuncs = make(map[string]reflect.Value)
 53 | 	}
 54 | 	if s.parseFuncs == nil {
 55 | 		s.parseFuncs = make(FuncMap)
 56 | 	}
 57 | }
 58 | 
 59 | // Delims sets the action delimiters to the specified strings, to be used in
 60 | // subsequent calls to Parse. An empty delimiter stands for the corresponding
 61 | // default: "{{" or "}}".
 62 | // The return value is the set, so calls can be chained.
 63 | func (s *Set) Delims(left, right string) *Set {
 64 | 	s.leftDelim = left
 65 | 	s.rightDelim = right
 66 | 	return s
 67 | }
 68 | 
 69 | // Funcs adds the elements of the argument map to the template's function map.
 70 | // It panics if a value in the map is not a function with appropriate return
 71 | // type. However, it is legal to overwrite elements of the map. The return
 72 | // value is the set, so calls can be chained.
 73 | func (s *Set) Funcs(funcMap FuncMap) *Set {
 74 | 	s.init()
 75 | 	addValueFuncs(s.execFuncs, funcMap)
 76 | 	addFuncs(s.parseFuncs, funcMap)
 77 | 	return s
 78 | }
 79 | 
 80 | // Escape turns on contextual escaping in all templates in the set, rewriting
 81 | // them to guarantee that the output is safe. The return value is the set,
 82 | // so calls can be chained.
 83 | func (s *Set) Escape() *Set {
 84 | 	s.escape = true
 85 | 	return s
 86 | }
 87 | 
 88 | // Clone returns a duplicate of the template, including all associated
 89 | // templates. The actual representation is not copied, but the name space of
 90 | // associated templates is, so further calls to Parse in the copy will add
 91 | // templates to the copy but not to the original. Clone can be used to prepare
 92 | // common templates and use them with variant definitions for other templates
 93 | // by adding the variants after the clone is made.
 94 | func (s *Set) Clone() (*Set, error) {
 95 | 	s.mutex.Lock()
 96 | 	defer s.mutex.Unlock()
 97 | 	ns := new(Set).Delims(s.leftDelim, s.rightDelim)
 98 | 	ns.init()
 99 | 	for k, v := range s.parseFuncs {
100 | 		ns.parseFuncs[k] = v
101 | 	}
102 | 	for k, v := range s.execFuncs {
103 | 		ns.execFuncs[k] = v
104 | 	}
105 | 	err := ns.tree.AddTree(s.tree.Copy())
106 | 	if err != nil {
107 | 		return nil, err
108 | 	}
109 | 	ns.escape = s.escape
110 | 	ns.compiled = s.compiled
111 | 	return ns, nil
112 | }
113 | 
114 | // Compile performs inlining and contextual escaping in all templates in the
115 | // set. This doesn't need to be called manually because the set is compiled
116 | // automatically when executed, but it can be used to force compilation and
117 | // catch errors earlier.
118 | func (s *Set) Compile() (*Set, error) {
119 | 	s.mutex.Lock()
120 | 	defer s.mutex.Unlock()
121 | 	if !s.compiled {
122 | 		// Inlining.
123 | 		if err := inlineTree(s.tree); err != nil {
124 | 			return nil, err
125 | 		}
126 | 		// Contextual escaping.
127 | 		if s.escape {
128 | 			if err := escape.EscapeTree(s.tree); err != nil {
129 | 				return nil, err
130 | 			}
131 | 			s.Funcs(escape.FuncMap)
132 | 		}
133 | 		s.compiled = true
134 | 	}
135 | 	return s, nil
136 | }
137 | 
138 | // Parse ----------------------------------------------------------------------
139 | 
140 | // parse parses the given text and adds the resulting templates to the set.
141 | // The name is only used for debugging purposes: when parsing files or glob,
142 | // it can show which file caused an error.
143 | //
144 | // Parsing templates after the set executed results in an error.
145 | func (s *Set) parse(text, name string) (*Set, error) {
146 | 	s.mutex.Lock()
147 | 	defer s.mutex.Unlock()
148 | 	if s.compiled {
149 | 		return nil, fmt.Errorf(
150 | 			"template: new templates can't be added after execution")
151 | 	}
152 | 	s.init()
153 | 	if tree, err := parse.Parse(name, text, s.leftDelim, s.rightDelim,
154 | 		builtins, s.parseFuncs); err != nil {
155 | 		return nil, err
156 | 	} else if err = s.tree.AddTree(tree); err != nil {
157 | 		return nil, err
158 | 	}
159 | 	return s, nil
160 | }
161 | 
162 | // Parse parses the given text and adds the resulting templates to the set.
163 | // If an error occurs, parsing stops and the returned set is nil; otherwise
164 | // it is s.
165 | func (s *Set) Parse(text string) (*Set, error) {
166 | 	return s.parse(text, "template string")
167 | }
168 | 
169 | // ParseFiles parses the named files and adds the resulting templates to the
170 | // set. There must be at least one file. If an error occurs, parsing stops and
171 | // the returned set is nil; otherwise it is s.
172 | func (s *Set) ParseFiles(filenames ...string) (*Set, error) {
173 | 	if len(filenames) == 0 {
174 | 		// Not really a problem, but be consistent.
175 | 		return nil, fmt.Errorf(
176 | 			"template: ParseFiles must be called with at least one filename")
177 | 	}
178 | 	for _, filename := range filenames {
179 | 		if b, err := ioutil.ReadFile(filename); err != nil {
180 | 			return nil, err
181 | 		} else if _, err = s.parse(string(b), filename); err != nil {
182 | 			return nil, err
183 | 		}
184 | 	}
185 | 	return s, nil
186 | }
187 | 
188 | // ParseGlob parses the template definitions in the files identified by the
189 | // pattern and adds the resulting templates to the set. The pattern is
190 | // processed by filepath.Glob and must match at least one file. ParseGlob is
191 | // equivalent to calling s.ParseFiles with the list of files matched by the
192 | // pattern. If an error occurs, parsing stops and the returned set is nil;
193 | // otherwise it is s.
194 | func (s *Set) ParseGlob(pattern string) (*Set, error) {
195 | 	filenames, err := filepath.Glob(pattern)
196 | 	if err != nil {
197 | 		return nil, err
198 | 	}
199 | 	if len(filenames) == 0 {
200 | 		return nil, fmt.Errorf(
201 | 			"template: pattern doesn't match any files: %#q", pattern)
202 | 	}
203 | 	return s.ParseFiles(filenames...)
204 | }
205 | 
206 | // Convenience parsing wrappers -----------------------------------------------
207 | 
208 | // Must is a helper that wraps a call to a function that returns (*Set, error)
209 | // and panics if the error is non-nil. It is intended for use in variable
210 | // initializations such as:
211 | //
212 | //     var set = Must(new(Set).Parse(`{{define "hello"}}Hello, World.{{end}}`))
213 | func Must(s *Set, err error) *Set {
214 | 	if err != nil {
215 | 		panic(err)
216 | 	}
217 | 	return s
218 | }
219 | 
220 | // This redundant API is probably not needed...
221 | 
222 | // Parse creates a new Set with the template definitions from the given text.
223 | // If an error occurs, parsing stops and the returned set is nil.
224 | //func Parse(text string) (*Set, error) {
225 | //	return new(Set).Parse(text)
226 | //}
227 | 
228 | // ParseFiles creates a new Set with the template definitions from the named
229 | // files. There must be at least one file. If an error occurs, parsing stops
230 | // and the returned set is nil.
231 | //func ParseFiles(filenames ...string) (*Set, error) {
232 | //	return new(Set).ParseFiles(filenames...)
233 | //}
234 | 
235 | // ParseGlob creates a new Set with the template definitions from the
236 | // files identified by the pattern. The pattern is processed by filepath.Glob
237 | // and must match at least one file. ParseGlob is equivalent to calling
238 | // ParseFiles with the list of files matched by the pattern. If an error
239 | // occurs, parsing stops and the returned set is nil.
240 | //func ParseGlob(pattern string) (*Set, error) {
241 | //	return new(Set).ParseGlob(pattern)
242 | //}
243 | 


--------------------------------------------------------------------------------
/v0/testdata/file1.tmpl:
--------------------------------------------------------------------------------
1 | {{define "x"}}TEXT{{end}}
2 | {{define "dotV"}}{{.V}}{{end}}
3 | 


--------------------------------------------------------------------------------
/v0/testdata/file2.tmpl:
--------------------------------------------------------------------------------
1 | {{define "dot"}}{{.}}{{end}}
2 | {{define "nested"}}{{template "dot" .}}{{end}}
3 | 


--------------------------------------------------------------------------------
/v0/testdata/tmpl1.tmpl:
--------------------------------------------------------------------------------
1 | {{define "template1"}}
2 | template1
3 | {{template "y"}}
4 | {{end}}
5 | {{define "x"}}x{{end}}
6 | 


--------------------------------------------------------------------------------
/v0/testdata/tmpl2.tmpl:
--------------------------------------------------------------------------------
1 | {{define "template2"}}
2 | template2
3 | {{template "x"}}
4 | {{end}}
5 | {{define "y"}}y{{end}}
6 | 


--------------------------------------------------------------------------------