...

Source file src/html/template/content_test.go

Documentation: html/template

     1  // Copyright 2011 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  package template
     6  
     7  import (
     8  	"bytes"
     9  	"fmt"
    10  	"strings"
    11  	"testing"
    12  )
    13  
    14  func TestTypedContent(t *testing.T) {
    15  	data := []any{
    16  		`<b> "foo%" O'Reilly &bar;`,
    17  		CSS(`a[href =~ "//example.com"]#foo`),
    18  		HTML(`Hello, <b>World</b> &amp;tc!`),
    19  		HTMLAttr(` dir="ltr"`),
    20  		JS(`c && alert("Hello, World!");`),
    21  		JSStr(`Hello, World & O'Reilly\u0021`),
    22  		URL(`greeting=H%69,&addressee=(World)`),
    23  		Srcset(`greeting=H%69,&addressee=(World) 2x, https://golang.org/favicon.ico 500.5w`),
    24  		URL(`,foo/,`),
    25  	}
    26  
    27  	// For each content sensitive escaper, see how it does on
    28  	// each of the typed strings above.
    29  	tests := []struct {
    30  		// A template containing a single {{.}}.
    31  		input string
    32  		want  []string
    33  	}{
    34  		{
    35  			`<style>{{.}} { color: blue }</style>`,
    36  			[]string{
    37  				`ZgotmplZ`,
    38  				// Allowed but not escaped.
    39  				`a[href =~ "//example.com"]#foo`,
    40  				`ZgotmplZ`,
    41  				`ZgotmplZ`,
    42  				`ZgotmplZ`,
    43  				`ZgotmplZ`,
    44  				`ZgotmplZ`,
    45  				`ZgotmplZ`,
    46  				`ZgotmplZ`,
    47  			},
    48  		},
    49  		{
    50  			`<div style="{{.}}">`,
    51  			[]string{
    52  				`ZgotmplZ`,
    53  				// Allowed and HTML escaped.
    54  				`a[href =~ &#34;//example.com&#34;]#foo`,
    55  				`ZgotmplZ`,
    56  				`ZgotmplZ`,
    57  				`ZgotmplZ`,
    58  				`ZgotmplZ`,
    59  				`ZgotmplZ`,
    60  				`ZgotmplZ`,
    61  				`ZgotmplZ`,
    62  			},
    63  		},
    64  		{
    65  			`{{.}}`,
    66  			[]string{
    67  				`&lt;b&gt; &#34;foo%&#34; O&#39;Reilly &amp;bar;`,
    68  				`a[href =~ &#34;//example.com&#34;]#foo`,
    69  				// Not escaped.
    70  				`Hello, <b>World</b> &amp;tc!`,
    71  				` dir=&#34;ltr&#34;`,
    72  				`c &amp;&amp; alert(&#34;Hello, World!&#34;);`,
    73  				`Hello, World &amp; O&#39;Reilly\u0021`,
    74  				`greeting=H%69,&amp;addressee=(World)`,
    75  				`greeting=H%69,&amp;addressee=(World) 2x, https://golang.org/favicon.ico 500.5w`,
    76  				`,foo/,`,
    77  			},
    78  		},
    79  		{
    80  			`<a{{.}}>`,
    81  			[]string{
    82  				`ZgotmplZ`,
    83  				`ZgotmplZ`,
    84  				`ZgotmplZ`,
    85  				// Allowed and HTML escaped.
    86  				` dir="ltr"`,
    87  				`ZgotmplZ`,
    88  				`ZgotmplZ`,
    89  				`ZgotmplZ`,
    90  				`ZgotmplZ`,
    91  				`ZgotmplZ`,
    92  			},
    93  		},
    94  		{
    95  			`<a title={{.}}>`,
    96  			[]string{
    97  				`&lt;b&gt;&#32;&#34;foo%&#34;&#32;O&#39;Reilly&#32;&amp;bar;`,
    98  				`a[href&#32;&#61;~&#32;&#34;//example.com&#34;]#foo`,
    99  				// Tags stripped, spaces escaped, entity not re-escaped.
   100  				`Hello,&#32;World&#32;&amp;tc!`,
   101  				`&#32;dir&#61;&#34;ltr&#34;`,
   102  				`c&#32;&amp;&amp;&#32;alert(&#34;Hello,&#32;World!&#34;);`,
   103  				`Hello,&#32;World&#32;&amp;&#32;O&#39;Reilly\u0021`,
   104  				`greeting&#61;H%69,&amp;addressee&#61;(World)`,
   105  				`greeting&#61;H%69,&amp;addressee&#61;(World)&#32;2x,&#32;https://golang.org/favicon.ico&#32;500.5w`,
   106  				`,foo/,`,
   107  			},
   108  		},
   109  		{
   110  			`<a title='{{.}}'>`,
   111  			[]string{
   112  				`&lt;b&gt; &#34;foo%&#34; O&#39;Reilly &amp;bar;`,
   113  				`a[href =~ &#34;//example.com&#34;]#foo`,
   114  				// Tags stripped, entity not re-escaped.
   115  				`Hello, World &amp;tc!`,
   116  				` dir=&#34;ltr&#34;`,
   117  				`c &amp;&amp; alert(&#34;Hello, World!&#34;);`,
   118  				`Hello, World &amp; O&#39;Reilly\u0021`,
   119  				`greeting=H%69,&amp;addressee=(World)`,
   120  				`greeting=H%69,&amp;addressee=(World) 2x, https://golang.org/favicon.ico 500.5w`,
   121  				`,foo/,`,
   122  			},
   123  		},
   124  		{
   125  			`<textarea>{{.}}</textarea>`,
   126  			[]string{
   127  				`&lt;b&gt; &#34;foo%&#34; O&#39;Reilly &amp;bar;`,
   128  				`a[href =~ &#34;//example.com&#34;]#foo`,
   129  				// Angle brackets escaped to prevent injection of close tags, entity not re-escaped.
   130  				`Hello, &lt;b&gt;World&lt;/b&gt; &amp;tc!`,
   131  				` dir=&#34;ltr&#34;`,
   132  				`c &amp;&amp; alert(&#34;Hello, World!&#34;);`,
   133  				`Hello, World &amp; O&#39;Reilly\u0021`,
   134  				`greeting=H%69,&amp;addressee=(World)`,
   135  				`greeting=H%69,&amp;addressee=(World) 2x, https://golang.org/favicon.ico 500.5w`,
   136  				`,foo/,`,
   137  			},
   138  		},
   139  		{
   140  			`<script>alert({{.}})</script>`,
   141  			[]string{
   142  				`"\u003cb\u003e \"foo%\" O'Reilly \u0026bar;"`,
   143  				`"a[href =~ \"//example.com\"]#foo"`,
   144  				`"Hello, \u003cb\u003eWorld\u003c/b\u003e \u0026amp;tc!"`,
   145  				`" dir=\"ltr\""`,
   146  				// Not escaped.
   147  				`c && alert("Hello, World!");`,
   148  				// Escape sequence not over-escaped.
   149  				`"Hello, World & O'Reilly\u0021"`,
   150  				`"greeting=H%69,\u0026addressee=(World)"`,
   151  				`"greeting=H%69,\u0026addressee=(World) 2x, https://golang.org/favicon.ico 500.5w"`,
   152  				`",foo/,"`,
   153  			},
   154  		},
   155  		{
   156  			`<button onclick="alert({{.}})">`,
   157  			[]string{
   158  				`&#34;\u003cb\u003e \&#34;foo%\&#34; O&#39;Reilly \u0026bar;&#34;`,
   159  				`&#34;a[href =~ \&#34;//example.com\&#34;]#foo&#34;`,
   160  				`&#34;Hello, \u003cb\u003eWorld\u003c/b\u003e \u0026amp;tc!&#34;`,
   161  				`&#34; dir=\&#34;ltr\&#34;&#34;`,
   162  				// Not JS escaped but HTML escaped.
   163  				`c &amp;&amp; alert(&#34;Hello, World!&#34;);`,
   164  				// Escape sequence not over-escaped.
   165  				`&#34;Hello, World &amp; O&#39;Reilly\u0021&#34;`,
   166  				`&#34;greeting=H%69,\u0026addressee=(World)&#34;`,
   167  				`&#34;greeting=H%69,\u0026addressee=(World) 2x, https://golang.org/favicon.ico 500.5w&#34;`,
   168  				`&#34;,foo/,&#34;`,
   169  			},
   170  		},
   171  		{
   172  			`<script>alert("{{.}}")</script>`,
   173  			[]string{
   174  				`\u003cb\u003e \u0022foo%\u0022 O\u0027Reilly \u0026bar;`,
   175  				`a[href =~ \u0022\/\/example.com\u0022]#foo`,
   176  				`Hello, \u003cb\u003eWorld\u003c\/b\u003e \u0026amp;tc!`,
   177  				` dir=\u0022ltr\u0022`,
   178  				`c \u0026\u0026 alert(\u0022Hello, World!\u0022);`,
   179  				// Escape sequence not over-escaped.
   180  				`Hello, World \u0026 O\u0027Reilly\u0021`,
   181  				`greeting=H%69,\u0026addressee=(World)`,
   182  				`greeting=H%69,\u0026addressee=(World) 2x, https:\/\/golang.org\/favicon.ico 500.5w`,
   183  				`,foo\/,`,
   184  			},
   185  		},
   186  		{
   187  			`<script type="text/javascript">alert("{{.}}")</script>`,
   188  			[]string{
   189  				`\u003cb\u003e \u0022foo%\u0022 O\u0027Reilly \u0026bar;`,
   190  				`a[href =~ \u0022\/\/example.com\u0022]#foo`,
   191  				`Hello, \u003cb\u003eWorld\u003c\/b\u003e \u0026amp;tc!`,
   192  				` dir=\u0022ltr\u0022`,
   193  				`c \u0026\u0026 alert(\u0022Hello, World!\u0022);`,
   194  				// Escape sequence not over-escaped.
   195  				`Hello, World \u0026 O\u0027Reilly\u0021`,
   196  				`greeting=H%69,\u0026addressee=(World)`,
   197  				`greeting=H%69,\u0026addressee=(World) 2x, https:\/\/golang.org\/favicon.ico 500.5w`,
   198  				`,foo\/,`,
   199  			},
   200  		},
   201  		{
   202  			`<script type="text/javascript">alert({{.}})</script>`,
   203  			[]string{
   204  				`"\u003cb\u003e \"foo%\" O'Reilly \u0026bar;"`,
   205  				`"a[href =~ \"//example.com\"]#foo"`,
   206  				`"Hello, \u003cb\u003eWorld\u003c/b\u003e \u0026amp;tc!"`,
   207  				`" dir=\"ltr\""`,
   208  				// Not escaped.
   209  				`c && alert("Hello, World!");`,
   210  				// Escape sequence not over-escaped.
   211  				`"Hello, World & O'Reilly\u0021"`,
   212  				`"greeting=H%69,\u0026addressee=(World)"`,
   213  				`"greeting=H%69,\u0026addressee=(World) 2x, https://golang.org/favicon.ico 500.5w"`,
   214  				`",foo/,"`,
   215  			},
   216  		},
   217  		{
   218  			// Not treated as JS. The output is same as for <div>{{.}}</div>
   219  			`<script type="text/template">{{.}}</script>`,
   220  			[]string{
   221  				`&lt;b&gt; &#34;foo%&#34; O&#39;Reilly &amp;bar;`,
   222  				`a[href =~ &#34;//example.com&#34;]#foo`,
   223  				// Not escaped.
   224  				`Hello, <b>World</b> &amp;tc!`,
   225  				` dir=&#34;ltr&#34;`,
   226  				`c &amp;&amp; alert(&#34;Hello, World!&#34;);`,
   227  				`Hello, World &amp; O&#39;Reilly\u0021`,
   228  				`greeting=H%69,&amp;addressee=(World)`,
   229  				`greeting=H%69,&amp;addressee=(World) 2x, https://golang.org/favicon.ico 500.5w`,
   230  				`,foo/,`,
   231  			},
   232  		},
   233  		{
   234  			`<button onclick='alert("{{.}}")'>`,
   235  			[]string{
   236  				`\u003cb\u003e \u0022foo%\u0022 O\u0027Reilly \u0026bar;`,
   237  				`a[href =~ \u0022\/\/example.com\u0022]#foo`,
   238  				`Hello, \u003cb\u003eWorld\u003c\/b\u003e \u0026amp;tc!`,
   239  				` dir=\u0022ltr\u0022`,
   240  				`c \u0026\u0026 alert(\u0022Hello, World!\u0022);`,
   241  				// Escape sequence not over-escaped.
   242  				`Hello, World \u0026 O\u0027Reilly\u0021`,
   243  				`greeting=H%69,\u0026addressee=(World)`,
   244  				`greeting=H%69,\u0026addressee=(World) 2x, https:\/\/golang.org\/favicon.ico 500.5w`,
   245  				`,foo\/,`,
   246  			},
   247  		},
   248  		{
   249  			`<a href="?q={{.}}">`,
   250  			[]string{
   251  				`%3cb%3e%20%22foo%25%22%20O%27Reilly%20%26bar%3b`,
   252  				`a%5bhref%20%3d~%20%22%2f%2fexample.com%22%5d%23foo`,
   253  				`Hello%2c%20%3cb%3eWorld%3c%2fb%3e%20%26amp%3btc%21`,
   254  				`%20dir%3d%22ltr%22`,
   255  				`c%20%26%26%20alert%28%22Hello%2c%20World%21%22%29%3b`,
   256  				`Hello%2c%20World%20%26%20O%27Reilly%5cu0021`,
   257  				// Quotes and parens are escaped but %69 is not over-escaped. HTML escaping is done.
   258  				`greeting=H%69,&amp;addressee=%28World%29`,
   259  				`greeting%3dH%2569%2c%26addressee%3d%28World%29%202x%2c%20https%3a%2f%2fgolang.org%2ffavicon.ico%20500.5w`,
   260  				`,foo/,`,
   261  			},
   262  		},
   263  		{
   264  			`<style>body { background: url('?img={{.}}') }</style>`,
   265  			[]string{
   266  				`%3cb%3e%20%22foo%25%22%20O%27Reilly%20%26bar%3b`,
   267  				`a%5bhref%20%3d~%20%22%2f%2fexample.com%22%5d%23foo`,
   268  				`Hello%2c%20%3cb%3eWorld%3c%2fb%3e%20%26amp%3btc%21`,
   269  				`%20dir%3d%22ltr%22`,
   270  				`c%20%26%26%20alert%28%22Hello%2c%20World%21%22%29%3b`,
   271  				`Hello%2c%20World%20%26%20O%27Reilly%5cu0021`,
   272  				// Quotes and parens are escaped but %69 is not over-escaped. HTML escaping is not done.
   273  				`greeting=H%69,&addressee=%28World%29`,
   274  				`greeting%3dH%2569%2c%26addressee%3d%28World%29%202x%2c%20https%3a%2f%2fgolang.org%2ffavicon.ico%20500.5w`,
   275  				`,foo/,`,
   276  			},
   277  		},
   278  		{
   279  			`<img srcset="{{.}}">`,
   280  			[]string{
   281  				`#ZgotmplZ`,
   282  				`#ZgotmplZ`,
   283  				// Commas are not escaped.
   284  				`Hello,#ZgotmplZ`,
   285  				// Leading spaces are not percent escapes.
   286  				` dir=%22ltr%22`,
   287  				// Spaces after commas are not percent escaped.
   288  				`#ZgotmplZ, World!%22%29;`,
   289  				`Hello,#ZgotmplZ`,
   290  				`greeting=H%69%2c&amp;addressee=%28World%29`,
   291  				// Metadata is not escaped.
   292  				`greeting=H%69,&amp;addressee=(World) 2x, https://golang.org/favicon.ico 500.5w`,
   293  				`%2cfoo/%2c`,
   294  			},
   295  		},
   296  		{
   297  			`<img srcset={{.}}>`,
   298  			[]string{
   299  				`#ZgotmplZ`,
   300  				`#ZgotmplZ`,
   301  				`Hello,#ZgotmplZ`,
   302  				// Spaces are HTML escaped not %-escaped
   303  				`&#32;dir&#61;%22ltr%22`,
   304  				`#ZgotmplZ,&#32;World!%22%29;`,
   305  				`Hello,#ZgotmplZ`,
   306  				`greeting&#61;H%69%2c&amp;addressee&#61;%28World%29`,
   307  				`greeting&#61;H%69,&amp;addressee&#61;(World)&#32;2x,&#32;https://golang.org/favicon.ico&#32;500.5w`,
   308  				// Commas are escaped.
   309  				`%2cfoo/%2c`,
   310  			},
   311  		},
   312  		{
   313  			`<img srcset="{{.}} 2x, https://golang.org/ 500.5w">`,
   314  			[]string{
   315  				`#ZgotmplZ`,
   316  				`#ZgotmplZ`,
   317  				`Hello,#ZgotmplZ`,
   318  				` dir=%22ltr%22`,
   319  				`#ZgotmplZ, World!%22%29;`,
   320  				`Hello,#ZgotmplZ`,
   321  				`greeting=H%69%2c&amp;addressee=%28World%29`,
   322  				`greeting=H%69,&amp;addressee=(World) 2x, https://golang.org/favicon.ico 500.5w`,
   323  				`%2cfoo/%2c`,
   324  			},
   325  		},
   326  		{
   327  			`<img srcset="http://godoc.org/ {{.}}, https://golang.org/ 500.5w">`,
   328  			[]string{
   329  				`#ZgotmplZ`,
   330  				`#ZgotmplZ`,
   331  				`Hello,#ZgotmplZ`,
   332  				` dir=%22ltr%22`,
   333  				`#ZgotmplZ, World!%22%29;`,
   334  				`Hello,#ZgotmplZ`,
   335  				`greeting=H%69%2c&amp;addressee=%28World%29`,
   336  				`greeting=H%69,&amp;addressee=(World) 2x, https://golang.org/favicon.ico 500.5w`,
   337  				`%2cfoo/%2c`,
   338  			},
   339  		},
   340  		{
   341  			`<img srcset="http://godoc.org/?q={{.}} 2x, https://golang.org/ 500.5w">`,
   342  			[]string{
   343  				`#ZgotmplZ`,
   344  				`#ZgotmplZ`,
   345  				`Hello,#ZgotmplZ`,
   346  				` dir=%22ltr%22`,
   347  				`#ZgotmplZ, World!%22%29;`,
   348  				`Hello,#ZgotmplZ`,
   349  				`greeting=H%69%2c&amp;addressee=%28World%29`,
   350  				`greeting=H%69,&amp;addressee=(World) 2x, https://golang.org/favicon.ico 500.5w`,
   351  				`%2cfoo/%2c`,
   352  			},
   353  		},
   354  		{
   355  			`<img srcset="http://godoc.org/ 2x, {{.}} 500.5w">`,
   356  			[]string{
   357  				`#ZgotmplZ`,
   358  				`#ZgotmplZ`,
   359  				`Hello,#ZgotmplZ`,
   360  				` dir=%22ltr%22`,
   361  				`#ZgotmplZ, World!%22%29;`,
   362  				`Hello,#ZgotmplZ`,
   363  				`greeting=H%69%2c&amp;addressee=%28World%29`,
   364  				`greeting=H%69,&amp;addressee=(World) 2x, https://golang.org/favicon.ico 500.5w`,
   365  				`%2cfoo/%2c`,
   366  			},
   367  		},
   368  		{
   369  			`<img srcset="http://godoc.org/ 2x, https://golang.org/ {{.}}">`,
   370  			[]string{
   371  				`#ZgotmplZ`,
   372  				`#ZgotmplZ`,
   373  				`Hello,#ZgotmplZ`,
   374  				` dir=%22ltr%22`,
   375  				`#ZgotmplZ, World!%22%29;`,
   376  				`Hello,#ZgotmplZ`,
   377  				`greeting=H%69%2c&amp;addressee=%28World%29`,
   378  				`greeting=H%69,&amp;addressee=(World) 2x, https://golang.org/favicon.ico 500.5w`,
   379  				`%2cfoo/%2c`,
   380  			},
   381  		},
   382  	}
   383  
   384  	for _, test := range tests {
   385  		tmpl := Must(New("x").Parse(test.input))
   386  		pre := strings.Index(test.input, "{{.}}")
   387  		post := len(test.input) - (pre + 5)
   388  		var b strings.Builder
   389  		for i, x := range data {
   390  			b.Reset()
   391  			if err := tmpl.Execute(&b, x); err != nil {
   392  				t.Errorf("%q with %v: %s", test.input, x, err)
   393  				continue
   394  			}
   395  			if want, got := test.want[i], b.String()[pre:b.Len()-post]; want != got {
   396  				t.Errorf("%q with %v:\nwant\n\t%q,\ngot\n\t%q\n", test.input, x, want, got)
   397  				continue
   398  			}
   399  		}
   400  	}
   401  }
   402  
   403  // Test that we print using the String method. Was issue 3073.
   404  type myStringer struct {
   405  	v int
   406  }
   407  
   408  func (s *myStringer) String() string {
   409  	return fmt.Sprintf("string=%d", s.v)
   410  }
   411  
   412  type errorer struct {
   413  	v int
   414  }
   415  
   416  func (s *errorer) Error() string {
   417  	return fmt.Sprintf("error=%d", s.v)
   418  }
   419  
   420  func TestStringer(t *testing.T) {
   421  	s := &myStringer{3}
   422  	b := new(strings.Builder)
   423  	tmpl := Must(New("x").Parse("{{.}}"))
   424  	if err := tmpl.Execute(b, s); err != nil {
   425  		t.Fatal(err)
   426  	}
   427  	var expect = "string=3"
   428  	if b.String() != expect {
   429  		t.Errorf("expected %q got %q", expect, b.String())
   430  	}
   431  	e := &errorer{7}
   432  	b.Reset()
   433  	if err := tmpl.Execute(b, e); err != nil {
   434  		t.Fatal(err)
   435  	}
   436  	expect = "error=7"
   437  	if b.String() != expect {
   438  		t.Errorf("expected %q got %q", expect, b.String())
   439  	}
   440  }
   441  
   442  // https://golang.org/issue/5982
   443  func TestEscapingNilNonemptyInterfaces(t *testing.T) {
   444  	tmpl := Must(New("x").Parse("{{.E}}"))
   445  
   446  	got := new(bytes.Buffer)
   447  	testData := struct{ E error }{} // any non-empty interface here will do; error is just ready at hand
   448  	tmpl.Execute(got, testData)
   449  
   450  	// A non-empty interface should print like an empty interface.
   451  	want := new(bytes.Buffer)
   452  	data := struct{ E any }{}
   453  	tmpl.Execute(want, data)
   454  
   455  	if !bytes.Equal(want.Bytes(), got.Bytes()) {
   456  		t.Errorf("expected %q got %q", string(want.Bytes()), string(got.Bytes()))
   457  	}
   458  }
   459  

View as plain text