exp/template/html: don't normalize '<' in doctypes.

The normalization that prevents element name and comment injection in <{{.}} by converting it to <{{.}} breaks <!DOCTYPE html> Instead of splitting states to have a start of document state and a text state, I whitelist <!DOCTYPE. R=nigeltao CC=golang-dev https://golang.org/cl/5131051
2024-09-29 22:37:06 +00:00 · 2011-09-28 13:32:56 -07:00 · 2011-09-28 13:32:56 -07:00 · 582bb30466
commit 582bb30466
parent 9aae6482f4
2 changed files with 13 additions and 1 deletions
--- a/src/pkg/exp/template/html/escape.go
+++ b/src/pkg/exp/template/html/escape.go
@ -549,6 +549,8 @@ var delimEnds = [...]string{
 	delimSpaceOrTagEnd: " \t\n\f\r>",
 }

+var doctypeBytes = []byte("<!DOCTYPE")
+
 // escapeText escapes a text template node.
 func (e *escaper) escapeText(c context, n *parse.TextNode) context {
 	s, written, i, b := n.Text, 0, 0, new(bytes.Buffer)
@ -566,7 +568,7 @@ func (e *escaper) escapeText(c context, n *parse.TextNode) context {
 				}
 			}
 			for j := i; j < end; j++ {
-				if s[j] == '<' {
+				if s[j] == '<' && !bytes.HasPrefix(s[j:], doctypeBytes) {
 					b.Write(s[written:j])
 					b.WriteString("&lt;")
 					written = j + 1
--- a/src/pkg/exp/template/html/escape_test.go
+++ b/src/pkg/exp/template/html/escape_test.go
@ -420,6 +420,16 @@ func TestEscape(t *testing.T) {
 			"a<<!-- --><!-- -->b",
 			"a&lt;b",
 		},
+		{
+			"HTML doctype not normalized",
+			"<!DOCTYPE html>Hello, World!",
+			"<!DOCTYPE html>Hello, World!",
+		},
+		{
+			"No doctype injection",
+			`<!{{"DOCTYPE"}}`,
+			"&lt;!DOCTYPE",
+		},
 		{
 			"Split HTML comment",
 			"<b>Hello, <!-- name of {{if .T}}city -->{{.C}}{{else}}world -->{{.W}}{{end}}</b>",