FAQ
I am trying to pass known-safe data (the string literal "/value") into a
Javascript string within a template. Even when I "no-escape" this string by
converting it to type template.JSString, however, it still becomes escaped.
In the example below, I expect the output to be:

{key: "/value",}

However, the actual output has a preceding backslash:

{key: "\/value",}

A program that demonstrates this issue is below. Any ideas on what I'm
doing wrongly here?

http://play.golang.org/p/CzimCt2sqF

Thanks!

James

--
You received this message because you are subscribed to the Google Groups "golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

Search Discussions

  • Rob Pike at Apr 29, 2013 at 11:16 pm
    Here is a simpler version of the program: http://play.golang.org/p/ofD78EX10D

    From reading the template implementation source, the only difference
    in encoding between a regular string and a JSStr is that the latter
    does nothing special with backslashes, a detail irrelevant to your
    code. I'm pretty sure JSStr is not what you want: it guarantees
    safety, it does not require it. I leave the resolution to JavaScript
    experts, a set that does not include me.

    -rob

    --
    You received this message because you are subscribed to the Google Groups "golang-nuts" group.
    To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscribe@googlegroups.com.
    For more options, visit https://groups.google.com/groups/opt_out.
  • Andy Balholm at Apr 29, 2013 at 11:38 pm
    Interestingly, it works if you leave off the
    quotes: http://play.golang.org/p/EmlRqP6Evl

    --
    You received this message because you are subscribed to the Google Groups "golang-nuts" group.
    To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscribe@googlegroups.com.
    For more options, visit https://groups.google.com/groups/opt_out.
  • Rob Pike at Apr 29, 2013 at 11:50 pm
    Oh yes, of course.

    -rob

    --
    You received this message because you are subscribed to the Google Groups "golang-nuts" group.
    To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscribe@googlegroups.com.
    For more options, visit https://groups.google.com/groups/opt_out.
  • James Pirruccello at Apr 30, 2013 at 1:21 am
    Passing the bare value without quotes solves my problem; thanks!

    I can see where some of this behavior is happening in the source: http://golang.org/src/pkg/html/template/js.go#L142
    and http://golang.org/src/pkg/html/template/js.go#L273

    In the end I think the template package is doing the right thing here, and
    I hadn't fully wrapped my head around the task it was undertaking.

    Thanks for digging through this.

    - James

    On Monday, April 29, 2013 7:50:23 PM UTC-4, Rob Pike wrote:

    Oh yes, of course.

    -rob
    --
    You received this message because you are subscribed to the Google Groups "golang-nuts" group.
    To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscribe@googlegroups.com.
    For more options, visit https://groups.google.com/groups/opt_out.
  • Minux at May 1, 2013 at 7:16 pm

    On Tue, Apr 30, 2013 at 7:01 AM, James Pirruccello wrote:

    I am trying to pass known-safe data (the string literal "/value") into a
    Javascript string within a template. Even when I "no-escape" this string by
    converting it to type template.JSString, however, it still becomes escaped.
    In the example below, I expect the output to be:

    {key: "/value",}

    However, the actual output has a preceding backslash:

    {key: "\/value",}

    A program that demonstrates this issue is below. Any ideas on what I'm
    doing wrongly here?

    http://play.golang.org/p/CzimCt2sqF
    Although i don't know why, this seems to be intentional.
    http://tip.golang.org/src/pkg/html/template/js.go#L307

    ps: according to ECMAScript standard, "\/" means the same as "/", so this
    template/html behavior is valid.

    --
    You received this message because you are subscribed to the Google Groups "golang-nuts" group.
    To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscribe@googlegroups.com.
    For more options, visit https://groups.google.com/groups/opt_out.
  • Nick Thompson at May 2, 2013 at 11:11 pm
    The "\/" quoting avoids at least one XSS. This line is valid ECMAScript:

    var s = "</script><script>alert('pwned!');</script>";

    But if you embed that statement in HTML you have a problem: HTML doesn't
    know about JS string syntax, and the </script> will be interpreted as HTML.
    "<\/script>" is equivalent from the JS perspective, but it dodges the HTML
    parser.

    Nick


    On Wed, May 1, 2013 at 12:16 PM, minux wrote:



    On Tue, Apr 30, 2013 at 7:01 AM, James Pirruccello <
    james.pirruccello@gmail.com> wrote:
    I am trying to pass known-safe data (the string literal "/value") into a
    Javascript string within a template. Even when I "no-escape" this string by
    converting it to type template.JSString, however, it still becomes escaped.
    In the example below, I expect the output to be:

    {key: "/value",}

    However, the actual output has a preceding backslash:

    {key: "\/value",}

    A program that demonstrates this issue is below. Any ideas on what I'm
    doing wrongly here?

    http://play.golang.org/p/CzimCt2sqF
    Although i don't know why, this seems to be intentional.
    http://tip.golang.org/src/pkg/html/template/js.go#L307

    ps: according to ECMAScript standard, "\/" means the same as "/", so this
    template/html behavior is valid.

    --
    You received this message because you are subscribed to the Google Groups
    "golang-nuts" group.
    To unsubscribe from this group and stop receiving emails from it, send an
    email to golang-nuts+unsubscribe@googlegroups.com.
    For more options, visit https://groups.google.com/groups/opt_out.

    --
    You received this message because you are subscribed to the Google Groups "golang-nuts" group.
    To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscribe@googlegroups.com.
    For more options, visit https://groups.google.com/groups/opt_out.
  • Minux at May 3, 2013 at 8:30 am

    On Fri, May 3, 2013 at 4:20 AM, Nick Thompson wrote:

    The "\/" quoting avoids at least one XSS. This line is valid ECMAScript:
    Great. Thank you for explanation!
    var s = "</script><script>alert('pwned!');</script>";

    But if you embed that statement in HTML you have a problem: HTML doesn't
    know about JS string syntax, and the </script> will be interpreted as HTML.
    "<\/script>" is equivalent from the JS perspective, but it dodges the HTML
    parser.
    On Wed, May 1, 2013 at 12:16 PM, minux wrote:



    On Tue, Apr 30, 2013 at 7:01 AM, James Pirruccello <
    james.pirruccello@gmail.com> wrote:
    I am trying to pass known-safe data (the string literal "/value") into a
    Javascript string within a template. Even when I "no-escape" this string by
    converting it to type template.JSString, however, it still becomes escaped.
    In the example below, I expect the output to be:

    {key: "/value",}

    However, the actual output has a preceding backslash:

    {key: "\/value",}

    A program that demonstrates this issue is below. Any ideas on what I'm
    doing wrongly here?

    http://play.golang.org/p/CzimCt2sqF
    Although i don't know why, this seems to be intentional.
    http://tip.golang.org/src/pkg/html/template/js.go#L307

    ps: according to ECMAScript standard, "\/" means the same as "/", so this
    template/html behavior is valid.

    --
    You received this message because you are subscribed to the Google Groups
    "golang-nuts" group.
    To unsubscribe from this group and stop receiving emails from it, send an
    email to golang-nuts+unsubscribe@googlegroups.com.
    For more options, visit https://groups.google.com/groups/opt_out.

    --
    You received this message because you are subscribed to the Google Groups "golang-nuts" group.
    To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscribe@googlegroups.com.
    For more options, visit https://groups.google.com/groups/opt_out.

Related Discussions

Discussion Navigation
viewthread | post
Discussion Overview
groupgolang-nuts @
categoriesgo
postedApr 29, '13 at 11:01p
activeMay 3, '13 at 8:30a
posts8
users5
websitegolang.org

People

Translate

site design / logo © 2022 Grokbase