Diffstat (limited to 'src/pkg/exp/template/html/escape_test.go')
-rw-r--r-- | src/pkg/exp/template/html/escape_test.go | 19 |
1 files changed, 17 insertions, 2 deletions
diff --git a/src/pkg/exp/template/html/escape_test.go b/src/pkg/exp/template/html/escape_test.go
index b57a202f8f..b3bd94d66b 100644
--- a/src/pkg/exp/template/html/escape_test.go
+++ b/src/pkg/exp/template/html/escape_test.go
@@ -396,6 +396,21 @@ func TestEscape(t *testing.T) {
 "{{range .A}}{{. | noescape}}{{end}}",
 "<a><b>",
 },
+ {
+ "No tag injection",
+ `{{"10$"}}<{{"script src,evil.org/pwnd.js"}}...`,
+ `10$<script src,evil.org/pwnd.js...`,
+ },
+ {
+ "No comment injection",
+ `<{{"!--"}}`,
+ `<!--`,
+ },
+ {
+ "No RCDATA end tag injection",
+ `<textarea><{{"/textarea "}}...</textarea>`,
+ `<textarea></textarea ...</textarea>`,
+ },
 }
 
 for _, test := range tests {
@@ -1136,8 +1151,8 @@ func TestEscapeText(t *testing.T) {
 }
 
 for _, test := range tests {
- b, e := []byte(test.input), escaper{}
- c := e.escapeText(context{}, b)
+ b, e := []byte(test.input), newEscaper(nil)
+ c := e.escapeText(context{}, &parse.TextNode{parse.NodeText, b})
 if !test.output.eq(c) {
 t.Errorf("input %q: want context\n\t%v\ngot\n\t%v", test.input, test.output, c)
 continue
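Review bot: The expected strings of the three new cases, as rendered on this page, contain a bare `<` (`10$<script src,evil.org/pwnd.js...`, `<!--`, `<textarea></textarea ...</textarea>`), which is exactly the injection each case name says must not occur; a test expecting that output would only pass if the escaper were broken. This is most likely HTML-entity decoding by the page, and the file presumably expects `10$&lt;script src,evil.org/pwnd.js...`, `&lt;!--` and `<textarea>&lt;/textarea ...</textarea>` — worth confirming against the checked-in source. The cases would also be clearer with a one-line comment stating the property under test, e.g. `// A literal '<' immediately before an interpolation must be escaped: the substituted text could otherwise begin a tag, a comment, or an RCDATA end tag.` TestEscape starts and ends outside the hunk.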
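Review bot: `&parse.TextNode{parse.NodeText, b}` is an unkeyed composite literal of a struct declared in another package; `go vet`'s composites check flags this, and it breaks or silently mis-assigns fields if parse.TextNode ever gains or reorders a field. Prefer keyed fields, presumably `&parse.TextNode{NodeType: parse.NodeText, Text: b}` (confirm the field names against the parse package). `newEscaper(nil)` hands escapeText a nil template set, which is only safe if escapeText never dereferences the set for text nodes — the hunk cannot confirm that, so a short comment such as `// nil set: escapeText does not consult the template set for text nodes` would record the assumption. TestEscapeText begins before the hunk and its loop body continues after it.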