diff options
| author | Markus Wüstenberg | 2021-05-18 14:21:53 +0200 |
|---|---|---|
| committer | GitHub | 2021-05-18 14:21:53 +0200 |
| commit | 3e9e00ca0dc6b58e58694d84c97a1d2f2ab4002b (patch) | |
| tree | 38b6bfce3f282cd2c758687aaa88fdda88a9f661 | |
| parent | ac7471aac69fcb4e9cd460dae39b0183ec3d10df (diff) | |
| download | gomponents-3e9e00ca0dc6b58e58694d84c97a1d2f2ab4002b.tar.lz gomponents-3e9e00ca0dc6b58e58694d84c97a1d2f2ab4002b.tar.zst gomponents-3e9e00ca0dc6b58e58694d84c97a1d2f2ab4002b.zip | |
Escape Attr values (#77)
Because this can be a place of injection if untrusted data is passed, escape all attribute values. Fixes #74.
| -rw-r--r-- | gomponents.go | 2 | ||||
| -rw-r--r-- | gomponents_test.go | 14 |
2 files changed, 15 insertions, 1 deletions
diff --git a/gomponents.go b/gomponents.go index a8b0f95..9cf4297 100644 --- a/gomponents.go +++ b/gomponents.go @@ -160,7 +160,7 @@ func (a *attr) Render(w io.Writer) error { _, err := w.Write([]byte(" " + a.name)) return err } - _, err := w.Write([]byte(" " + a.name + `="` + *a.value + `"`)) + _, err := w.Write([]byte(" " + a.name + `="` + template.HTMLEscapeString(*a.value) + `"`)) return err } diff --git a/gomponents_test.go b/gomponents_test.go index c88a796..dffa64c 100644 --- a/gomponents_test.go +++ b/gomponents_test.go @@ -54,6 +54,11 @@ func TestAttr(t *testing.T) { t.FailNow() } }) + + t.Run("escapes attribute values", func(t *testing.T) { + a := g.Attr(`id`, `hat"><script`) + assert.Equal(t, ` id="hat"><script"`, a) + }) } func BenchmarkAttr(b *testing.B) { @@ -132,6 +137,15 @@ func TestEl(t *testing.T) { }) } +func BenchmarkEl(b *testing.B) { + b.Run("normal elements", func(b *testing.B) { + for i := 0; i < b.N; i++ { + e := g.El("div") + _ = e.Render(&strings.Builder{}) + } + }) +} + type erroringWriter struct{} func (w *erroringWriter) Write(p []byte) (n int, err error) { |