...

Source file src/html/template/css.go

     1	// Copyright 2011 The Go Authors. All rights reserved.
     2	// Use of this source code is governed by a BSD-style
     3	// license that can be found in the LICENSE file.
     4	
     5	package template
     6	
     7	import (
     8		"bytes"
     9		"fmt"
    10		"strings"
    11		"unicode"
    12		"unicode/utf8"
    13	)
    14	
    15	// endsWithCSSKeyword reports whether b ends with an ident that
    16	// case-insensitively matches the lower-case kw.
    17	func endsWithCSSKeyword(b []byte, kw string) bool {
    18		i := len(b) - len(kw)
    19		if i < 0 {
    20			// Too short.
    21			return false
    22		}
    23		if i != 0 {
    24			r, _ := utf8.DecodeLastRune(b[:i])
    25			if isCSSNmchar(r) {
    26				// Too long.
    27				return false
    28			}
    29		}
    30		// Many CSS keywords, such as "!important" can have characters encoded,
    31		// but the URI production does not allow that according to
    32		// https://www.w3.org/TR/css3-syntax/#TOK-URI
    33		// This does not attempt to recognize encoded keywords. For example,
    34		// given "\75\72\6c" and "url" this return false.
    35		return string(bytes.ToLower(b[i:])) == kw
    36	}
    37	
    38	// isCSSNmchar reports whether rune is allowed anywhere in a CSS identifier.
    39	func isCSSNmchar(r rune) bool {
    40		// Based on the CSS3 nmchar production but ignores multi-rune escape
    41		// sequences.
    42		// https://www.w3.org/TR/css3-syntax/#SUBTOK-nmchar
    43		return 'a' <= r && r <= 'z' ||
    44			'A' <= r && r <= 'Z' ||
    45			'0' <= r && r <= '9' ||
    46			r == '-' ||
    47			r == '_' ||
    48			// Non-ASCII cases below.
    49			0x80 <= r && r <= 0xd7ff ||
    50			0xe000 <= r && r <= 0xfffd ||
    51			0x10000 <= r && r <= 0x10ffff
    52	}
    53	
    54	// decodeCSS decodes CSS3 escapes given a sequence of stringchars.
    55	// If there is no change, it returns the input, otherwise it returns a slice
    56	// backed by a new array.
    57	// https://www.w3.org/TR/css3-syntax/#SUBTOK-stringchar defines stringchar.
    58	func decodeCSS(s []byte) []byte {
    59		i := bytes.IndexByte(s, '\\')
    60		if i == -1 {
    61			return s
    62		}
    63		// The UTF-8 sequence for a codepoint is never longer than 1 + the
    64		// number hex digits need to represent that codepoint, so len(s) is an
    65		// upper bound on the output length.
    66		b := make([]byte, 0, len(s))
    67		for len(s) != 0 {
    68			i := bytes.IndexByte(s, '\\')
    69			if i == -1 {
    70				i = len(s)
    71			}
    72			b, s = append(b, s[:i]...), s[i:]
    73			if len(s) < 2 {
    74				break
    75			}
    76			// https://www.w3.org/TR/css3-syntax/#SUBTOK-escape
    77			// escape ::= unicode | '\' [#x20-#x7E#x80-#xD7FF#xE000-#xFFFD#x10000-#x10FFFF]
    78			if isHex(s[1]) {
    79				// https://www.w3.org/TR/css3-syntax/#SUBTOK-unicode
    80				//   unicode ::= '\' [0-9a-fA-F]{1,6} wc?
    81				j := 2
    82				for j < len(s) && j < 7 && isHex(s[j]) {
    83					j++
    84				}
    85				r := hexDecode(s[1:j])
    86				if r > unicode.MaxRune {
    87					r, j = r/16, j-1
    88				}
    89				n := utf8.EncodeRune(b[len(b):cap(b)], r)
    90				// The optional space at the end allows a hex
    91				// sequence to be followed by a literal hex.
    92				// string(decodeCSS([]byte(`\A B`))) == "\nB"
    93				b, s = b[:len(b)+n], skipCSSSpace(s[j:])
    94			} else {
    95				// `\\` decodes to `\` and `\"` to `"`.
    96				_, n := utf8.DecodeRune(s[1:])
    97				b, s = append(b, s[1:1+n]...), s[1+n:]
    98			}
    99		}
   100		return b
   101	}
   102	
   103	// isHex reports whether the given character is a hex digit.
   104	func isHex(c byte) bool {
   105		return '0' <= c && c <= '9' || 'a' <= c && c <= 'f' || 'A' <= c && c <= 'F'
   106	}
   107	
   108	// hexDecode decodes a short hex digit sequence: "10" -> 16.
   109	func hexDecode(s []byte) rune {
   110		n := '\x00'
   111		for _, c := range s {
   112			n <<= 4
   113			switch {
   114			case '0' <= c && c <= '9':
   115				n |= rune(c - '0')
   116			case 'a' <= c && c <= 'f':
   117				n |= rune(c-'a') + 10
   118			case 'A' <= c && c <= 'F':
   119				n |= rune(c-'A') + 10
   120			default:
   121				panic(fmt.Sprintf("Bad hex digit in %q", s))
   122			}
   123		}
   124		return n
   125	}
   126	
   127	// skipCSSSpace returns a suffix of c, skipping over a single space.
   128	func skipCSSSpace(c []byte) []byte {
   129		if len(c) == 0 {
   130			return c
   131		}
   132		// wc ::= #x9 | #xA | #xC | #xD | #x20
   133		switch c[0] {
   134		case '\t', '\n', '\f', ' ':
   135			return c[1:]
   136		case '\r':
   137			// This differs from CSS3's wc production because it contains a
   138			// probable spec error whereby wc contains all the single byte
   139			// sequences in nl (newline) but not CRLF.
   140			if len(c) >= 2 && c[1] == '\n' {
   141				return c[2:]
   142			}
   143			return c[1:]
   144		}
   145		return c
   146	}
   147	
   148	// isCSSSpace reports whether b is a CSS space char as defined in wc.
   149	func isCSSSpace(b byte) bool {
   150		switch b {
   151		case '\t', '\n', '\f', '\r', ' ':
   152			return true
   153		}
   154		return false
   155	}
   156	
   157	// cssEscaper escapes HTML and CSS special characters using \<hex>+ escapes.
   158	func cssEscaper(args ...interface{}) string {
   159		s, _ := stringify(args...)
   160		var b strings.Builder
   161		r, w, written := rune(0), 0, 0
   162		for i := 0; i < len(s); i += w {
   163			// See comment in htmlEscaper.
   164			r, w = utf8.DecodeRuneInString(s[i:])
   165			var repl string
   166			switch {
   167			case int(r) < len(cssReplacementTable) && cssReplacementTable[r] != "":
   168				repl = cssReplacementTable[r]
   169			default:
   170				continue
   171			}
   172			if written == 0 {
   173				b.Grow(len(s))
   174			}
   175			b.WriteString(s[written:i])
   176			b.WriteString(repl)
   177			written = i + w
   178			if repl != `\\` && (written == len(s) || isHex(s[written]) || isCSSSpace(s[written])) {
   179				b.WriteByte(' ')
   180			}
   181		}
   182		if written == 0 {
   183			return s
   184		}
   185		b.WriteString(s[written:])
   186		return b.String()
   187	}
   188	
   189	var cssReplacementTable = []string{
   190		0:    `\0`,
   191		'\t': `\9`,
   192		'\n': `\a`,
   193		'\f': `\c`,
   194		'\r': `\d`,
   195		// Encode HTML specials as hex so the output can be embedded
   196		// in HTML attributes without further encoding.
   197		'"':  `\22`,
   198		'&':  `\26`,
   199		'\'': `\27`,
   200		'(':  `\28`,
   201		')':  `\29`,
   202		'+':  `\2b`,
   203		'/':  `\2f`,
   204		':':  `\3a`,
   205		';':  `\3b`,
   206		'<':  `\3c`,
   207		'>':  `\3e`,
   208		'\\': `\\`,
   209		'{':  `\7b`,
   210		'}':  `\7d`,
   211	}
   212	
   213	var expressionBytes = []byte("expression")
   214	var mozBindingBytes = []byte("mozbinding")
   215	
   216	// cssValueFilter allows innocuous CSS values in the output including CSS
   217	// quantities (10px or 25%), ID or class literals (#foo, .bar), keyword values
   218	// (inherit, blue), and colors (#888).
   219	// It filters out unsafe values, such as those that affect token boundaries,
   220	// and anything that might execute scripts.
   221	func cssValueFilter(args ...interface{}) string {
   222		s, t := stringify(args...)
   223		if t == contentTypeCSS {
   224			return s
   225		}
   226		b, id := decodeCSS([]byte(s)), make([]byte, 0, 64)
   227	
   228		// CSS3 error handling is specified as honoring string boundaries per
   229		// https://www.w3.org/TR/css3-syntax/#error-handling :
   230		//     Malformed declarations. User agents must handle unexpected
   231		//     tokens encountered while parsing a declaration by reading until
   232		//     the end of the declaration, while observing the rules for
   233		//     matching pairs of (), [], {}, "", and '', and correctly handling
   234		//     escapes. For example, a malformed declaration may be missing a
   235		//     property, colon (:) or value.
   236		// So we need to make sure that values do not have mismatched bracket
   237		// or quote characters to prevent the browser from restarting parsing
   238		// inside a string that might embed JavaScript source.
   239		for i, c := range b {
   240			switch c {
   241			case 0, '"', '\'', '(', ')', '/', ';', '@', '[', '\\', ']', '`', '{', '}':
   242				return filterFailsafe
   243			case '-':
   244				// Disallow <!-- or -->.
   245				// -- should not appear in valid identifiers.
   246				if i != 0 && b[i-1] == '-' {
   247					return filterFailsafe
   248				}
   249			default:
   250				if c < utf8.RuneSelf && isCSSNmchar(rune(c)) {
   251					id = append(id, c)
   252				}
   253			}
   254		}
   255		id = bytes.ToLower(id)
   256		if bytes.Contains(id, expressionBytes) || bytes.Contains(id, mozBindingBytes) {
   257			return filterFailsafe
   258		}
   259		return string(b)
   260	}
   261

View as plain text