Open willfaught opened 1 year ago
cc @golang/security
This is related to #6701 and #12149. The type expression is meaningful within a <script> tag, to say what kind of script it is. The error message is confusing, but I'm not sure there is anything to fix here other than perhaps generating a better error message.
CC @robpike
@ianlancetaylor I don't understand how this is related to weird semicolons in markup input or invalid quotations in markup output. What is the correct error message in this case?
While type="" (or unset type) might equal type="text/javascript", javascript isn't the only allowed type of content in <script> tags. ("Any other value" in the MDN link you provided.) Different content types require different types of escaping, and with a dynamic value for type=, it becomes impossible for html/template to know which sort of escaping (if any) should be applied to the following content.
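An added illustration of the point made above (example code written for this page, not code from the Go project or from anyone in this thread): the same {{.Body}} is JS-escaped under a static text/javascript type, HTML-escaped under a static non-JS type, and rejected outright when {{if}} makes the type conditional, because the two branches leave html/template in different contexts. The template strings and data are constructed for this example.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
)

// render parses src with html/template and executes it against data.
// Contextual escaping happens on the first Execute, so that is where the
// "branches end in different contexts" error surfaces, not at Parse.
func render(src string, data any) (string, error) {
	t, err := template.New("page").Parse(src)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// Constructed templates: one script body under a static JS type, under a
// static non-JS ("data block") type, and under a type chosen by {{if}}.
const (
	jsScript    = `<script type="text/javascript">{{.Body}}</script>`
	plainScript = `<script type="text/plain">{{.Body}}</script>`
	condScript  = `<script {{if .Plain}}type="text/plain"{{end}}>{{.Body}}</script>`
)

// page is the constructed data passed to the templates.
type page struct {
	Plain bool
	Body  string
}

func main() {
	data := page{Plain: true, Body: "a < b"}
	for _, src := range []string{jsScript, plainScript, condScript} {
		out, err := render(src, data)
		if err != nil {
			fmt.Println("error:", err) // the conditional type is refused here
			continue
		}
		fmt.Println(out)
	}
}
```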
> Different content types require different types of escaping,

When type=module, there's no inner text, so it's not an issue in that case, but I can see how encoding is an issue for language MIME types.

> it becomes impossible for html/template to know which sort of escaping (if any) should be applied to the following content

Then shouldn't constructing a dynamic type attribute value with the printf function be disallowed as well? That is currently allowed, at least in Hugo in combination with Hugo's safeHTMLAttr function.
> I don't understand how this is related to weird semicolons in markup input or invalid quotations in markup output. What is the correct error message in this case?

I don't know for sure, but perhaps a better error message would be something like "attempt to change script type in conditional context". I don't see how html/template can be expected to correctly handle such a case.

> Then shouldn't constructing a dynamic type attribute value with the printf function be disallowed as well? That is currently allowed, at least in Hugo in combination with Hugo's safeHTMLAttr function.

Perhaps I'm missing something, but that seems like an issue with Hugo, not html/template as such.
> I don't see how html/template can be expected to correctly handle such a case.

Just spitballing: Would it be possible to evaluate the tag first, then the inner text once the escaping is known? Then type wouldn't have to be special-cased.

Regardless, the behavior is surprising, and it should be explained in the package doc, along with any other special cases, in my opinion.

> that seems like an issue with Hugo, not html/template as such.

Hugo uses html/template under the hood. I assume safeHTMLAttr is a normal custom function that html/template allows, but perhaps that's wrong. @jmooring or @bep might know more.
Change https://go.dev/cl/496145 mentions this issue: html/template: example for disallowed script type change
What did you do?
Template:
What did you expect to see?
What did you see instead?
If you remove the condition around the type attribute, or rename type to something else, then there's no error.
Remarks
The <script> type attribute value should be able to be dynamic to substitute in the various valid values for type:
Note that the original template was:
See here for the original context.
This is a valid construct for every other HTML attribute I've ever tried it on.
This issue was already reported in https://github.com/golang/go/issues/57136; however, it's clear that the maintainer who closed the issue didn't understand it, as the author explained after it was closed. There was no reply.
What version of Go are you using (go version)?
Does this issue reproduce with the latest release?
Yes
What operating system and processor architecture are you using (go env)?