URL https://opencores.org/ocsvn/openrisc/openrisc/trunk

Subversion Repositories openrisc

[/] [openrisc/] [trunk/] [gnu-dev/] [or1k-gcc/] [libgo/] [go/] [html/] [template/] [css.go] - Blame information for rev 747

Details | Compare with Previous | View Log


// Copyright 2011 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
 
package template
 
import (
        "bytes"
        "fmt"
        "unicode"
        "unicode/utf8"
)
 
// endsWithCSSKeyword returns whether b ends with an ident that
// case-insensitively matches the lower-case kw.
func endsWithCSSKeyword(b []byte, kw string) bool {
        i := len(b) - len(kw)
        if i < 0 {
                // Too short.
                return false
        }
        if i != 0 {
                r, _ := utf8.DecodeLastRune(b[:i])
                if isCSSNmchar(r) {
                        // Too long.
                        return false
                }
        }
        // Many CSS keywords, such as "!important" can have characters encoded,
        // but the URI production does not allow that according to
        // http://www.w3.org/TR/css3-syntax/#TOK-URI
        // This does not attempt to recognize encoded keywords. For example,
        // given "\75\72\6c" and "url" this return false.
        return string(bytes.ToLower(b[i:])) == kw
}
 
// isCSSNmchar returns whether rune is allowed anywhere in a CSS identifier.
func isCSSNmchar(r rune) bool {
        // Based on the CSS3 nmchar production but ignores multi-rune escape
        // sequences.
        // http://www.w3.org/TR/css3-syntax/#SUBTOK-nmchar
        return 'a' <= r && r <= 'z' ||
                'A' <= r && r <= 'Z' ||
                '0' <= r && r <= '9' ||
                r == '-' ||
                r == '_' ||
                // Non-ASCII cases below.
                0x80 <= r && r <= 0xd7ff ||
                0xe000 <= r && r <= 0xfffd ||
                0x10000 <= r && r <= 0x10ffff
}
 
// decodeCSS decodes CSS3 escapes given a sequence of stringchars.
// If there is no change, it returns the input, otherwise it returns a slice
// backed by a new array.
// http://www.w3.org/TR/css3-syntax/#SUBTOK-stringchar defines stringchar.
func decodeCSS(s []byte) []byte {
        i := bytes.IndexByte(s, '\\')
        if i == -1 {
                return s
        }
        // The UTF-8 sequence for a codepoint is never longer than 1 + the
        // number hex digits need to represent that codepoint, so len(s) is an
        // upper bound on the output length.
        b := make([]byte, 0, len(s))
        for len(s) != 0 {
                i := bytes.IndexByte(s, '\\')
                if i == -1 {
                        i = len(s)
                }
                b, s = append(b, s[:i]...), s[i:]
                if len(s) < 2 {
                        break
                }
                // http://www.w3.org/TR/css3-syntax/#SUBTOK-escape
                // escape ::= unicode | '\' [#x20-#x7E#x80-#xD7FF#xE000-#xFFFD#x10000-#x10FFFF]
                if isHex(s[1]) {
                        // http://www.w3.org/TR/css3-syntax/#SUBTOK-unicode
                        //   unicode ::= '\' [0-9a-fA-F]{1,6} wc?
                        j := 2
                        for j < len(s) && j < 7 && isHex(s[j]) {
                                j++
                        }
                        r := hexDecode(s[1:j])
                        if r > unicode.MaxRune {
                                r, j = r/16, j-1
                        }
                        n := utf8.EncodeRune(b[len(b):cap(b)], r)
                        // The optional space at the end allows a hex
                        // sequence to be followed by a literal hex.
                        // string(decodeCSS([]byte(`\A B`))) == "\nB"
                        b, s = b[:len(b)+n], skipCSSSpace(s[j:])
                } else {
                        // `\\` decodes to `\` and `\"` to `"`.
                        _, n := utf8.DecodeRune(s[1:])
                        b, s = append(b, s[1:1+n]...), s[1+n:]
                }
        }
        return b
}
 
// isHex returns whether the given character is a hex digit.
func isHex(c byte) bool {
        return '0' <= c && c <= '9' || 'a' <= c && c <= 'f' || 'A' <= c && c <= 'F'
}
 
// hexDecode decodes a short hex digit sequence: "10" -> 16.
func hexDecode(s []byte) rune {
        n := '\x00'
        for _, c := range s {
                n <<= 4
                switch {
                case '0' <= c && c <= '9':
                        n |= rune(c - '0')
                case 'a' <= c && c <= 'f':
                        n |= rune(c-'a') + 10
                case 'A' <= c && c <= 'F':
                        n |= rune(c-'A') + 10
                default:
                        panic(fmt.Sprintf("Bad hex digit in %q", s))
                }
        }
        return n
}
 
// skipCSSSpace returns a suffix of c, skipping over a single space.
func skipCSSSpace(c []byte) []byte {
        if len(c) == 0 {
                return c
        }
        // wc ::= #x9 | #xA | #xC | #xD | #x20
        switch c[0] {
        case '\t', '\n', '\f', ' ':
                return c[1:]
        case '\r':
                // This differs from CSS3's wc production because it contains a
                // probable spec error whereby wc contains all the single byte
                // sequences in nl (newline) but not CRLF.
                if len(c) >= 2 && c[1] == '\n' {
                        return c[2:]
                }
                return c[1:]
        }
        return c
}
 
// isCSSSpace returns whether b is a CSS space char as defined in wc.
func isCSSSpace(b byte) bool {
        switch b {
        case '\t', '\n', '\f', '\r', ' ':
                return true
        }
        return false
}
 
// cssEscaper escapes HTML and CSS special characters using \+ escapes.
func cssEscaper(args ...interface{}) string {
        s, _ := stringify(args...)
        var b bytes.Buffer
        written := 0
        for i, r := range s {
                var repl string
                switch r {
                case 0:
                        repl = `\0`
                case '\t':
                        repl = `\9`
                case '\n':
                        repl = `\a`
                case '\f':
                        repl = `\c`
                case '\r':
                        repl = `\d`
                // Encode HTML specials as hex so the output can be embedded
                // in HTML attributes without further encoding.
                case '"':
                        repl = `\22`
                case '&':
                        repl = `\26`
                case '\'':
                        repl = `\27`
                case '(':
                        repl = `\28`
                case ')':
                        repl = `\29`
                case '+':
                        repl = `\2b`
                case '/':
                        repl = `\2f`
                case ':':
                        repl = `\3a`
                case ';':
                        repl = `\3b`
                case '<':
                        repl = `\3c`
                case '>':
                        repl = `\3e`
                case '\\':
                        repl = `\\`
                case '{':
                        repl = `\7b`
                case '}':
                        repl = `\7d`
                default:
                        continue
                }
                b.WriteString(s[written:i])
                b.WriteString(repl)
                written = i + utf8.RuneLen(r)
                if repl != `\\` && (written == len(s) || isHex(s[written]) || isCSSSpace(s[written])) {
                        b.WriteByte(' ')
                }
        }
        if written == 0 {
                return s
        }
        b.WriteString(s[written:])
        return b.String()
}
 
var expressionBytes = []byte("expression")
var mozBindingBytes = []byte("mozbinding")
 
// cssValueFilter allows innocuous CSS values in the output including CSS
// quantities (10px or 25%), ID or class literals (#foo, .bar), keyword values
// (inherit, blue), and colors (#888).
// It filters out unsafe values, such as those that affect token boundaries,
// and anything that might execute scripts.
func cssValueFilter(args ...interface{}) string {
        s, t := stringify(args...)
        if t == contentTypeCSS {
                return s
        }
        b, id := decodeCSS([]byte(s)), make([]byte, 0, 64)
 
        // CSS3 error handling is specified as honoring string boundaries per
        // http://www.w3.org/TR/css3-syntax/#error-handling :
        //     Malformed declarations. User agents must handle unexpected
        //     tokens encountered while parsing a declaration by reading until
        //     the end of the declaration, while observing the rules for
        //     matching pairs of (), [], {}, "", and '', and correctly handling
        //     escapes. For example, a malformed declaration may be missing a
        //     property, colon (:) or value.
        // So we need to make sure that values do not have mismatched bracket
        // or quote characters to prevent the browser from restarting parsing
        // inside a string that might embed JavaScript source.
        for i, c := range b {
                switch c {
                case 0, '"', '\'', '(', ')', '/', ';', '@', '[', '\\', ']', '`', '{', '}':
                        return filterFailsafe
                case '-':
                        // Disallow .
                        // -- should not appear in valid identifiers.
                        if i != 0 && b[i-1] == '-' {
                                return filterFailsafe
                        }
                default:
                        if c < 0x80 && isCSSNmchar(rune(c)) {
                                id = append(id, c)
                        }
                }
        }
        id = bytes.ToLower(id)
        if bytes.Index(id, expressionBytes) != -1 || bytes.Index(id, mozBindingBytes) != -1 {
                return filterFailsafe
        }
        return string(b)
}

Browse

Tools

Subversion Repositories openrisc

[/] [openrisc/] [trunk/] [gnu-dev/] [or1k-gcc/] [libgo/] [go/] [html/] [template/] [css.go] - Blame information for rev 747

Line No.	Rev	Author	Line
1	747	jeremybenn	`// Copyright 2011 The Go Authors. All rights reserved.`
2			`// Use of this source code is governed by a BSD-style`
3			`// license that can be found in the LICENSE file.`
4
5			`package template`
6
7			`import (`
8			`"bytes"`
9			`"fmt"`
10			`"unicode"`
11			`"unicode/utf8"`
12			`)`
13
14			`// endsWithCSSKeyword returns whether b ends with an ident that`
15			`// case-insensitively matches the lower-case kw.`
16			`func endsWithCSSKeyword(b []byte, kw string) bool {`
17			`i := len(b) - len(kw)`
18			`if i < 0 {`
19			`// Too short.`
20			`return false`
21			`}`
22			`if i != 0 {`
23			`r, _ := utf8.DecodeLastRune(b[:i])`
24			`if isCSSNmchar(r) {`
25			`// Too long.`
26			`return false`
27			`}`
28			`}`
29			`// Many CSS keywords, such as "!important" can have characters encoded,`
30			`// but the URI production does not allow that according to`
31			`// http://www.w3.org/TR/css3-syntax/#TOK-URI`
32			`// This does not attempt to recognize encoded keywords. For example,`
33			`// given "\75\72\6c" and "url" this return false.`
34			`return string(bytes.ToLower(b[i:])) == kw`
35			`}`
36
37			`// isCSSNmchar returns whether rune is allowed anywhere in a CSS identifier.`
38			`func isCSSNmchar(r rune) bool {`
39			`// Based on the CSS3 nmchar production but ignores multi-rune escape`
40			`// sequences.`
41			`// http://www.w3.org/TR/css3-syntax/#SUBTOK-nmchar`
42			`return 'a' <= r && r <= 'z' \|\|`
43			`'A' <= r && r <= 'Z' \|\|`
44			`'0' <= r && r <= '9' \|\|`
45			`r == '-' \|\|`
46			`r == '_' \|\|`
47			`// Non-ASCII cases below.`
48			`0x80 <= r && r <= 0xd7ff \|\|`
49			`0xe000 <= r && r <= 0xfffd \|\|`
50			`0x10000 <= r && r <= 0x10ffff`
51			`}`
52
53			`// decodeCSS decodes CSS3 escapes given a sequence of stringchars.`
54			`// If there is no change, it returns the input, otherwise it returns a slice`
55			`// backed by a new array.`
56			`// http://www.w3.org/TR/css3-syntax/#SUBTOK-stringchar defines stringchar.`
57			`func decodeCSS(s []byte) []byte {`
58			`i := bytes.IndexByte(s, '\\')`
59			`if i == -1 {`
60			`return s`
61			`}`
62			`// The UTF-8 sequence for a codepoint is never longer than 1 + the`
63			`// number hex digits need to represent that codepoint, so len(s) is an`
64			`// upper bound on the output length.`
65			`b := make([]byte, 0, len(s))`
66			`for len(s) != 0 {`
67			`i := bytes.IndexByte(s, '\\')`
68			`if i == -1 {`
69			`i = len(s)`
70			`}`
71			`b, s = append(b, s[:i]...), s[i:]`
72			`if len(s) < 2 {`
73			`break`
74			`}`
75			`// http://www.w3.org/TR/css3-syntax/#SUBTOK-escape`
76			`// escape ::= unicode \| '\' [#x20-#x7E#x80-#xD7FF#xE000-#xFFFD#x10000-#x10FFFF]`
77			`if isHex(s[1]) {`
78			`// http://www.w3.org/TR/css3-syntax/#SUBTOK-unicode`
79			`// unicode ::= '\' [0-9a-fA-F]{1,6} wc?`
80			`j := 2`
81			`for j < len(s) && j < 7 && isHex(s[j]) {`
82			`j++`
83			`}`
84			`r := hexDecode(s[1:j])`
85			`if r > unicode.MaxRune {`
86			`r, j = r/16, j-1`
87			`}`
88			`n := utf8.EncodeRune(b[len(b):cap(b)], r)`
89			`// The optional space at the end allows a hex`
90			`// sequence to be followed by a literal hex.`
91			// string(decodeCSS([]byte(`\A B`))) == "\nB"
92			`b, s = b[:len(b)+n], skipCSSSpace(s[j:])`
93			`} else {`
94			// `\\` decodes to `\` and `\"` to `"`.
95			`_, n := utf8.DecodeRune(s[1:])`
96			`b, s = append(b, s[1:1+n]...), s[1+n:]`
97			`}`
98			`}`
99			`return b`
100			`}`
101
102			`// isHex returns whether the given character is a hex digit.`
103			`func isHex(c byte) bool {`
104			`return '0' <= c && c <= '9' \|\| 'a' <= c && c <= 'f' \|\| 'A' <= c && c <= 'F'`
105			`}`
106
107			`// hexDecode decodes a short hex digit sequence: "10" -> 16.`
108			`func hexDecode(s []byte) rune {`
109			`n := '\x00'`
110			`for _, c := range s {`
111			`n <<= 4`
112			`switch {`
113			`case '0' <= c && c <= '9':`
114			`n \|= rune(c - '0')`
115			`case 'a' <= c && c <= 'f':`
116			`n \|= rune(c-'a') + 10`
117			`case 'A' <= c && c <= 'F':`
118			`n \|= rune(c-'A') + 10`
119			`default:`
120			`panic(fmt.Sprintf("Bad hex digit in %q", s))`
121			`}`
122			`}`
123			`return n`
124			`}`
125
126			`// skipCSSSpace returns a suffix of c, skipping over a single space.`
127			`func skipCSSSpace(c []byte) []byte {`
128			`if len(c) == 0 {`
129			`return c`
130			`}`
131			`// wc ::= #x9 \| #xA \| #xC \| #xD \| #x20`
132			`switch c[0] {`
133			`case '\t', '\n', '\f', ' ':`
134			`return c[1:]`
135			`case '\r':`
136			`// This differs from CSS3's wc production because it contains a`
137			`// probable spec error whereby wc contains all the single byte`
138			`// sequences in nl (newline) but not CRLF.`
139			`if len(c) >= 2 && c[1] == '\n' {`
140			`return c[2:]`
141			`}`
142			`return c[1:]`
143			`}`
144			`return c`
145			`}`
146
147			`// isCSSSpace returns whether b is a CSS space char as defined in wc.`
148			`func isCSSSpace(b byte) bool {`
149			`switch b {`
150			`case '\t', '\n', '\f', '\r', ' ':`
151			`return true`
152			`}`
153			`return false`
154			`}`
155
156			`// cssEscaper escapes HTML and CSS special characters using \+ escapes.`
157			`func cssEscaper(args ...interface{}) string {`
158			`s, _ := stringify(args...)`
159			`var b bytes.Buffer`
160			`written := 0`
161			`for i, r := range s {`
162			`var repl string`
163			`switch r {`
164			`case 0:`
165			repl = `\0`
166			`case '\t':`
167			repl = `\9`
168			`case '\n':`
169			repl = `\a`
170			`case '\f':`
171			repl = `\c`
172			`case '\r':`
173			repl = `\d`
174			`// Encode HTML specials as hex so the output can be embedded`
175			`// in HTML attributes without further encoding.`
176			`case '"':`
177			repl = `\22`
178			`case '&':`
179			repl = `\26`
180			`case '\'':`
181			repl = `\27`
182			`case '(':`
183			repl = `\28`
184			`case ')':`
185			repl = `\29`
186			`case '+':`
187			repl = `\2b`
188			`case '/':`
189			repl = `\2f`
190			`case ':':`
191			repl = `\3a`
192			`case ';':`
193			repl = `\3b`
194			`case '<':`
195			repl = `\3c`
196			`case '>':`
197			repl = `\3e`
198			`case '\\':`
199			repl = `\\`
200			`case '{':`
201			repl = `\7b`
202			`case '}':`
203			repl = `\7d`
204			`default:`
205			`continue`
206			`}`
207			`b.WriteString(s[written:i])`
208			`b.WriteString(repl)`
209			`written = i + utf8.RuneLen(r)`
210			if repl != `\\` && (written == len(s) \|\| isHex(s[written]) \|\| isCSSSpace(s[written])) {
211			`b.WriteByte(' ')`
212			`}`
213			`}`
214			`if written == 0 {`
215			`return s`
216			`}`
217			`b.WriteString(s[written:])`
218			`return b.String()`
219			`}`
220
221			`var expressionBytes = []byte("expression")`
222			`var mozBindingBytes = []byte("mozbinding")`
223
224			`// cssValueFilter allows innocuous CSS values in the output including CSS`
225			`// quantities (10px or 25%), ID or class literals (#foo, .bar), keyword values`
226			`// (inherit, blue), and colors (#888).`
227			`// It filters out unsafe values, such as those that affect token boundaries,`
228			`// and anything that might execute scripts.`
229			`func cssValueFilter(args ...interface{}) string {`
230			`s, t := stringify(args...)`
231			`if t == contentTypeCSS {`
232			`return s`
233			`}`
234			`b, id := decodeCSS([]byte(s)), make([]byte, 0, 64)`
235
236			`// CSS3 error handling is specified as honoring string boundaries per`
237			`// http://www.w3.org/TR/css3-syntax/#error-handling :`
238			`// Malformed declarations. User agents must handle unexpected`
239			`// tokens encountered while parsing a declaration by reading until`
240			`// the end of the declaration, while observing the rules for`
241			`// matching pairs of (), [], {}, "", and '', and correctly handling`
242			`// escapes. For example, a malformed declaration may be missing a`
243			`// property, colon (:) or value.`
244			`// So we need to make sure that values do not have mismatched bracket`
245			`// or quote characters to prevent the browser from restarting parsing`
246			`// inside a string that might embed JavaScript source.`
247			`for i, c := range b {`
248			`switch c {`
249			case 0, '"', '\'', '(', ')', '/', ';', '@', '[', '\\', ']', '`', '{', '}':
250			`return filterFailsafe`
251			`case '-':`
252			`// Disallow .`
253			`// -- should not appear in valid identifiers.`
254			`if i != 0 && b[i-1] == '-' {`
255			`return filterFailsafe`
256			`}`
257			`default:`
258			`if c < 0x80 && isCSSNmchar(rune(c)) {`
259			`id = append(id, c)`
260			`}`
261			`}`
262			`}`
263			`id = bytes.ToLower(id)`
264			`if bytes.Index(id, expressionBytes) != -1 \|\| bytes.Index(id, mozBindingBytes) != -1 {`
265			`return filterFailsafe`
266			`}`
267			`return string(b)`
268			`}`