OpenCores
URL https://opencores.org/ocsvn/openrisc/openrisc/trunk

Subversion Repositories openrisc

[/] [openrisc/] [trunk/] [gnu-dev/] [or1k-gcc/] [libgo/] [go/] [html/] [template/] [content.go] - Rev 761

Go to most recent revision | Compare with Previous | Blame | View Log

// Copyright 2011 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

package template

import (
        "fmt"
        "reflect"
)

// Strings of content from a trusted source.
type (
        // CSS encapsulates known safe content that matches any of:
        //   1. The CSS3 stylesheet production, such as `p { color: purple }`.
        //   2. The CSS3 rule production, such as `a[href=~"https:"].foo#bar`.
        //   3. CSS3 declaration productions, such as `color: red; margin: 2px`.
        //   4. The CSS3 value production, such as `rgba(0, 0, 255, 127)`.
        // See http://www.w3.org/TR/css3-syntax/#style
        CSS string

        // HTML encapsulates a known safe HTML document fragment.
        // It should not be used for HTML from a third-party, or HTML with
        // unclosed tags or comments. The outputs of a sound HTML sanitizer
        // and a template escaped by this package are fine for use with HTML.
        HTML string

        // HTMLAttr encapsulates an HTML attribute from a trusted source,
        // for example: ` dir="ltr"`.
        HTMLAttr string

        // JS encapsulates a known safe EcmaScript5 Expression, or example,
        // `(x + y * z())`. 
        // Template authors are responsible for ensuring that typed expressions
        // do not break the intended precedence and that there is no
        // statement/expression ambiguity as when passing an expression like
        // "{ foo: bar() }\n['foo']()", which is both a valid Expression and a
        // valid Program with a very different meaning.
        JS string

        // JSStr encapsulates a sequence of characters meant to be embedded
        // between quotes in a JavaScript expression.
        // The string must match a series of StringCharacters:
        //   StringCharacter :: SourceCharacter but not `\` or LineTerminator
        //                    | EscapeSequence
        // Note that LineContinuations are not allowed.
        // JSStr("foo\\nbar") is fine, but JSStr("foo\\\nbar") is not.
        JSStr string

        // URL encapsulates a known safe URL as defined in RFC 3896.
        // A URL like `javascript:checkThatFormNotEditedBeforeLeavingPage()`
        // from a trusted source should go in the page, but by default dynamic
        // `javascript:` URLs are filtered out since they are a frequently
        // exploited injection vector.
        URL string
)

type contentType uint8

const (
        contentTypePlain contentType = iota
        contentTypeCSS
        contentTypeHTML
        contentTypeHTMLAttr
        contentTypeJS
        contentTypeJSStr
        contentTypeURL
        // contentTypeUnsafe is used in attr.go for values that affect how
        // embedded content and network messages are formed, vetted,
        // or interpreted; or which credentials network messages carry.
        contentTypeUnsafe
)

// indirect returns the value, after dereferencing as many times
// as necessary to reach the base type (or nil).
func indirect(a interface{}) interface{} {
        if t := reflect.TypeOf(a); t.Kind() != reflect.Ptr {
                // Avoid creating a reflect.Value if it's not a pointer.
                return a
        }
        v := reflect.ValueOf(a)
        for v.Kind() == reflect.Ptr && !v.IsNil() {
                v = v.Elem()
        }
        return v.Interface()
}

// stringify converts its arguments to a string and the type of the content.
// All pointers are dereferenced, as in the text/template package.
func stringify(args ...interface{}) (string, contentType) {
        if len(args) == 1 {
                switch s := indirect(args[0]).(type) {
                case string:
                        return s, contentTypePlain
                case CSS:
                        return string(s), contentTypeCSS
                case HTML:
                        return string(s), contentTypeHTML
                case HTMLAttr:
                        return string(s), contentTypeHTMLAttr
                case JS:
                        return string(s), contentTypeJS
                case JSStr:
                        return string(s), contentTypeJSStr
                case URL:
                        return string(s), contentTypeURL
                }
        }
        for i, arg := range args {
                args[i] = indirect(arg)
        }
        return fmt.Sprint(args...), contentTypePlain
}

Go to most recent revision | Compare with Previous | Blame | View Log

powered by: WebSVN 2.1.0

© copyright 1999-2024 OpenCores.org, equivalent to Oliscience, all rights reserved. OpenCores®, registered trademark.