Escape Attr values (#77)
Because this can be an injection point if untrusted data is passed, escape all attribute values. Fixes #74.
parent
ac7471aac6
commit
3e9e00ca0d
@ -160,7 +160,7 @@ func (a *attr) Render(w io.Writer) error {
|
||||
_, err := w.Write([]byte(" " + a.name))
|
||||
return err
|
||||
}
|
||||
_, err := w.Write([]byte(" " + a.name + `="` + *a.value + `"`))
|
||||
_, err := w.Write([]byte(" " + a.name + `="` + template.HTMLEscapeString(*a.value) + `"`))
|
||||
return err
|
||||
}
|
||||
|
||||
|
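Review bot: The attribute name is still concatenated verbatim on the new line (`" " + a.name + ...`) and on the valueless branch above it (`" " + a.name`), so the commit only closes the value side; a name built from external input could still break out of the tag. HTMLEscapeString covers the characters that matter inside a double-quoted value (`"`, `'`, `<`, `>`, `&` and NUL), so the value side looks correct, but the name contract should be stated on the type, e.g. `// The attribute name is written verbatim and must come from trusted (typically constant) input; only the value is escaped.` A smaller style point: `io.WriteString(w, ...)` on both writes avoids the `[]byte` conversion of the concatenated string. Render's signature appears only in the hunk header; its body starts before the first context line shown.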
@ -54,6 +54,11 @@ func TestAttr(t *testing.T) {
|
||||
t.FailNow()
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("escapes attribute values", func(t *testing.T) {
|
||||
a := g.Attr(`id`, `hat"><script`)
|
||||
assert.Equal(t, ` id="hat"><script"`, a)
|
||||
})
|
||||
}
|
||||
|
||||
func BenchmarkAttr(b *testing.B) {
|
||||
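Review bot: The expected value on the new assertion, ` id="hat"><script"`, reads as the unescaped rendering, which is exactly what the escaping Render no longer produces; if the test source literally contains that text the case fails, and if the page merely decoded the entities (`&#34;`, `&gt;`, `&lt;`) for display, that should be confirmed against the file. A second case with `&` and `'` in the value would pin the full escape set, and a case with a hostile name would document that the name is intentionally not escaped. The TestAttr function begins before this hunk.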
@ -132,6 +137,15 @@ func TestEl(t *testing.T) {
|
||||
})
|
||||
}
|
||||
|
||||
func BenchmarkEl(b *testing.B) {
|
||||
b.Run("normal elements", func(b *testing.B) {
|
||||
for i := 0; i < b.N; i++ {
|
||||
e := g.El("div")
|
||||
_ = e.Render(&strings.Builder{})
|
||||
}
|
||||
})
|
||||
}
|
||||
|
||||
type erroringWriter struct{}
|
||||
|
||||
func (w *erroringWriter) Write(p []byte) (n int, err error) {
|
||||
|
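Review bot: BenchmarkEl discards Render's error (`_ = e.Render(&strings.Builder{})`), so a regression that makes Render fail would go unnoticed and the loop would time an error path; `if err := e.Render(&strings.Builder{}); err != nil { b.Fatal(err) }` keeps it honest at no measurable cost. Adding `b.ReportAllocs()` at the top of the sub-benchmark would surface the allocation count, which is the metric the string concatenation in Render most affects. erroringWriter.Write begins on the last line of the hunk and its body lies outside it.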