OpenCores
URL https://opencores.org/ocsvn/openrisc/openrisc/trunk

Subversion Repositories openrisc

[/] [openrisc/] [trunk/] [gnu-dev/] [or1k-gcc/] [libgo/] [go/] [html/] [template/] [content.go] - Blame information for rev 801

Go to most recent revision | Details | Compare with Previous | View Log

Line No. Rev Author Line
1 747 jeremybenn
// Copyright 2011 The Go Authors. All rights reserved.
2
// Use of this source code is governed by a BSD-style
3
// license that can be found in the LICENSE file.
4
 
5
package template
6
 
7
import (
8
        "fmt"
9
        "reflect"
10
)
11
 
12
// Strings of content from a trusted source.
13
type (
14
        // CSS encapsulates known safe content that matches any of:
15
        //   1. The CSS3 stylesheet production, such as `p { color: purple }`.
16
        //   2. The CSS3 rule production, such as `a[href=~"https:"].foo#bar`.
17
        //   3. CSS3 declaration productions, such as `color: red; margin: 2px`.
18
        //   4. The CSS3 value production, such as `rgba(0, 0, 255, 127)`.
19
        // See http://www.w3.org/TR/css3-syntax/#style
20
        CSS string
21
 
22
        // HTML encapsulates a known safe HTML document fragment.
23
        // It should not be used for HTML from a third-party, or HTML with
24
        // unclosed tags or comments. The outputs of a sound HTML sanitizer
25
        // and a template escaped by this package are fine for use with HTML.
26
        HTML string
27
 
28
        // HTMLAttr encapsulates an HTML attribute from a trusted source,
29
        // for example: ` dir="ltr"`.
30
        HTMLAttr string
31
 
32
        // JS encapsulates a known safe EcmaScript5 Expression, or example,
33
        // `(x + y * z())`.
34
        // Template authors are responsible for ensuring that typed expressions
35
        // do not break the intended precedence and that there is no
36
        // statement/expression ambiguity as when passing an expression like
37
        // "{ foo: bar() }\n['foo']()", which is both a valid Expression and a
38
        // valid Program with a very different meaning.
39
        JS string
40
 
41
        // JSStr encapsulates a sequence of characters meant to be embedded
42
        // between quotes in a JavaScript expression.
43
        // The string must match a series of StringCharacters:
44
        //   StringCharacter :: SourceCharacter but not `\` or LineTerminator
45
        //                    | EscapeSequence
46
        // Note that LineContinuations are not allowed.
47
        // JSStr("foo\\nbar") is fine, but JSStr("foo\\\nbar") is not.
48
        JSStr string
49
 
50
        // URL encapsulates a known safe URL as defined in RFC 3896.
51
        // A URL like `javascript:checkThatFormNotEditedBeforeLeavingPage()`
52
        // from a trusted source should go in the page, but by default dynamic
53
        // `javascript:` URLs are filtered out since they are a frequently
54
        // exploited injection vector.
55
        URL string
56
)
57
 
58
type contentType uint8
59
 
60
const (
61
        contentTypePlain contentType = iota
62
        contentTypeCSS
63
        contentTypeHTML
64
        contentTypeHTMLAttr
65
        contentTypeJS
66
        contentTypeJSStr
67
        contentTypeURL
68
        // contentTypeUnsafe is used in attr.go for values that affect how
69
        // embedded content and network messages are formed, vetted,
70
        // or interpreted; or which credentials network messages carry.
71
        contentTypeUnsafe
72
)
73
 
74
// indirect returns the value, after dereferencing as many times
75
// as necessary to reach the base type (or nil).
76
func indirect(a interface{}) interface{} {
77
        if t := reflect.TypeOf(a); t.Kind() != reflect.Ptr {
78
                // Avoid creating a reflect.Value if it's not a pointer.
79
                return a
80
        }
81
        v := reflect.ValueOf(a)
82
        for v.Kind() == reflect.Ptr && !v.IsNil() {
83
                v = v.Elem()
84
        }
85
        return v.Interface()
86
}
87
 
88
// stringify converts its arguments to a string and the type of the content.
89
// All pointers are dereferenced, as in the text/template package.
90
func stringify(args ...interface{}) (string, contentType) {
91
        if len(args) == 1 {
92
                switch s := indirect(args[0]).(type) {
93
                case string:
94
                        return s, contentTypePlain
95
                case CSS:
96
                        return string(s), contentTypeCSS
97
                case HTML:
98
                        return string(s), contentTypeHTML
99
                case HTMLAttr:
100
                        return string(s), contentTypeHTMLAttr
101
                case JS:
102
                        return string(s), contentTypeJS
103
                case JSStr:
104
                        return string(s), contentTypeJSStr
105
                case URL:
106
                        return string(s), contentTypeURL
107
                }
108
        }
109
        for i, arg := range args {
110
                args[i] = indirect(arg)
111
        }
112
        return fmt.Sprint(args...), contentTypePlain
113
}

powered by: WebSVN 2.1.0

© copyright 1999-2024 OpenCores.org, equivalent to Oliscience, all rights reserved. OpenCores®, registered trademark.