src/pkg/html/template/escape.go - The Go Programming Language

Golang

Source file src/pkg/html/template/escape.go

     1	// Copyright 2011 The Go Authors. All rights reserved.
     2	// Use of this source code is governed by a BSD-style
     3	// license that can be found in the LICENSE file.
     4	
     5	package template
     6	
     7	import (
     8		"bytes"
     9		"fmt"
    10		"html"
    11		"io"
    12		"text/template"
    13		"text/template/parse"
    14	)
    15	
    16	// escapeTemplates rewrites the named templates, which must be
    17	// associated with t, to guarantee that the output of any of the named
    18	// templates is properly escaped.  Names should include the names of
    19	// all templates that might be Executed but need not include helper
    20	// templates.  If no error is returned, then the named templates have
    21	// been modified.  Otherwise the named templates have been rendered
    22	// unusable.
    23	func escapeTemplates(tmpl *Template, names ...string) error {
    24		e := newEscaper(tmpl)
    25		for _, name := range names {
    26			c, _ := e.escapeTree(context{}, name, 0)
    27			var err error
    28			if c.err != nil {
    29				err, c.err.Name = c.err, name
    30			} else if c.state != stateText {
    31				err = &Error{ErrEndContext, name, 0, fmt.Sprintf("ends in a non-text context: %v", c)}
    32			}
    33			if err != nil {
    34				// Prevent execution of unsafe templates.
    35				for _, name := range names {
    36					if t := tmpl.set[name]; t != nil {
    37						t.text.Tree = nil
    38					}
    39				}
    40				return err
    41			}
    42			tmpl.escaped = true
    43		}
    44		e.commit()
    45		return nil
    46	}
    47	
    48	// funcMap maps command names to functions that render their inputs safe.
    49	var funcMap = template.FuncMap{
    50		"html_template_attrescaper":     attrEscaper,
    51		"html_template_commentescaper":  commentEscaper,
    52		"html_template_cssescaper":      cssEscaper,
    53		"html_template_cssvaluefilter":  cssValueFilter,
    54		"html_template_htmlnamefilter":  htmlNameFilter,
    55		"html_template_htmlescaper":     htmlEscaper,
    56		"html_template_jsregexpescaper": jsRegexpEscaper,
    57		"html_template_jsstrescaper":    jsStrEscaper,
    58		"html_template_jsvalescaper":    jsValEscaper,
    59		"html_template_nospaceescaper":  htmlNospaceEscaper,
    60		"html_template_rcdataescaper":   rcdataEscaper,
    61		"html_template_urlescaper":      urlEscaper,
    62		"html_template_urlfilter":       urlFilter,
    63		"html_template_urlnormalizer":   urlNormalizer,
    64	}
    65	
    66	// equivEscapers matches contextual escapers to equivalent template builtins.
    67	var equivEscapers = map[string]string{
    68		"html_template_attrescaper":    "html",
    69		"html_template_htmlescaper":    "html",
    70		"html_template_nospaceescaper": "html",
    71		"html_template_rcdataescaper":  "html",
    72		"html_template_urlescaper":     "urlquery",
    73		"html_template_urlnormalizer":  "urlquery",
    74	}
    75	
    76	// escaper collects type inferences about templates and changes needed to make
    77	// templates injection safe.
    78	type escaper struct {
    79		tmpl *Template
    80		// output[templateName] is the output context for a templateName that
    81		// has been mangled to include its input context.
    82		output map[string]context
    83		// derived[c.mangle(name)] maps to a template derived from the template
    84		// named name templateName for the start context c.
    85		derived map[string]*template.Template
    86		// called[templateName] is a set of called mangled template names.
    87		called map[string]bool
    88		// xxxNodeEdits are the accumulated edits to apply during commit.
    89		// Such edits are not applied immediately in case a template set
    90		// executes a given template in different escaping contexts.
    91		actionNodeEdits   map[*parse.ActionNode][]string
    92		templateNodeEdits map[*parse.TemplateNode]string
    93		textNodeEdits     map[*parse.TextNode][]byte
    94	}
    95	
    96	// newEscaper creates a blank escaper for the given set.
    97	func newEscaper(t *Template) *escaper {
    98		return &escaper{
    99			t,
   100			map[string]context{},
   101			map[string]*template.Template{},
   102			map[string]bool{},
   103			map[*parse.ActionNode][]string{},
   104			map[*parse.TemplateNode]string{},
   105			map[*parse.TextNode][]byte{},
   106		}
   107	}
   108	
   109	// filterFailsafe is an innocuous word that is emitted in place of unsafe values
   110	// by sanitizer functions. It is not a keyword in any programming language,
   111	// contains no special characters, is not empty, and when it appears in output
   112	// it is distinct enough that a developer can find the source of the problem
   113	// via a search engine.
   114	const filterFailsafe = "ZgotmplZ"
   115	
   116	// escape escapes a template node.
   117	func (e *escaper) escape(c context, n parse.Node) context {
   118		switch n := n.(type) {
   119		case *parse.ActionNode:
   120			return e.escapeAction(c, n)
   121		case *parse.IfNode:
   122			return e.escapeBranch(c, &n.BranchNode, "if")
   123		case *parse.ListNode:
   124			return e.escapeList(c, n)
   125		case *parse.RangeNode:
   126			return e.escapeBranch(c, &n.BranchNode, "range")
   127		case *parse.TemplateNode:
   128			return e.escapeTemplate(c, n)
   129		case *parse.TextNode:
   130			return e.escapeText(c, n)
   131		case *parse.WithNode:
   132			return e.escapeBranch(c, &n.BranchNode, "with")
   133		}
   134		panic("escaping " + n.String() + " is unimplemented")
   135	}
   136	
   137	// escapeAction escapes an action template node.
   138	func (e *escaper) escapeAction(c context, n *parse.ActionNode) context {
   139		if len(n.Pipe.Decl) != 0 {
   140			// A local variable assignment, not an interpolation.
   141			return c
   142		}
   143		c = nudge(c)
   144		s := make([]string, 0, 3)
   145		switch c.state {
   146		case stateError:
   147			return c
   148		case stateURL, stateCSSDqStr, stateCSSSqStr, stateCSSDqURL, stateCSSSqURL, stateCSSURL:
   149			switch c.urlPart {
   150			case urlPartNone:
   151				s = append(s, "html_template_urlfilter")
   152				fallthrough
   153			case urlPartPreQuery:
   154				switch c.state {
   155				case stateCSSDqStr, stateCSSSqStr:
   156					s = append(s, "html_template_cssescaper")
   157				default:
   158					s = append(s, "html_template_urlnormalizer")
   159				}
   160			case urlPartQueryOrFrag:
   161				s = append(s, "html_template_urlescaper")
   162			case urlPartUnknown:
   163				return context{
   164					state: stateError,
   165					err:   errorf(ErrAmbigContext, n.Line, "%s appears in an ambiguous URL context", n),
   166				}
   167			default:
   168				panic(c.urlPart.String())
   169			}
   170		case stateJS:
   171			s = append(s, "html_template_jsvalescaper")
   172			// A slash after a value starts a div operator.
   173			c.jsCtx = jsCtxDivOp
   174		case stateJSDqStr, stateJSSqStr:
   175			s = append(s, "html_template_jsstrescaper")
   176		case stateJSRegexp:
   177			s = append(s, "html_template_jsregexpescaper")
   178		case stateCSS:
   179			s = append(s, "html_template_cssvaluefilter")
   180		case stateText:
   181			s = append(s, "html_template_htmlescaper")
   182		case stateRCDATA:
   183			s = append(s, "html_template_rcdataescaper")
   184		case stateAttr:
   185			// Handled below in delim check.
   186		case stateAttrName, stateTag:
   187			c.state = stateAttrName
   188			s = append(s, "html_template_htmlnamefilter")
   189		default:
   190			if isComment(c.state) {
   191				s = append(s, "html_template_commentescaper")
   192			} else {
   193				panic("unexpected state " + c.state.String())
   194			}
   195		}
   196		switch c.delim {
   197		case delimNone:
   198			// No extra-escaping needed for raw text content.
   199		case delimSpaceOrTagEnd:
   200			s = append(s, "html_template_nospaceescaper")
   201		default:
   202			s = append(s, "html_template_attrescaper")
   203		}
   204		e.editActionNode(n, s)
   205		return c
   206	}
   207	
   208	// ensurePipelineContains ensures that the pipeline has commands with
   209	// the identifiers in s in order.
   210	// If the pipeline already has some of the sanitizers, do not interfere.
   211	// For example, if p is (.X | html) and s is ["escapeJSVal", "html"] then it
   212	// has one matching, "html", and one to insert, "escapeJSVal", to produce
   213	// (.X | escapeJSVal | html).
   214	func ensurePipelineContains(p *parse.PipeNode, s []string) {
   215		if len(s) == 0 {
   216			return
   217		}
   218		n := len(p.Cmds)
   219		// Find the identifiers at the end of the command chain.
   220		idents := p.Cmds
   221		for i := n - 1; i >= 0; i-- {
   222			if cmd := p.Cmds[i]; len(cmd.Args) != 0 {
   223				if id, ok := cmd.Args[0].(*parse.IdentifierNode); ok {
   224					if id.Ident == "noescape" {
   225						return
   226					}
   227					continue
   228				}
   229			}
   230			idents = p.Cmds[i+1:]
   231		}
   232		dups := 0
   233		for _, id := range idents {
   234			if escFnsEq(s[dups], (id.Args[0].(*parse.IdentifierNode)).Ident) {
   235				dups++
   236				if dups == len(s) {
   237					return
   238				}
   239			}
   240		}
   241		newCmds := make([]*parse.CommandNode, n-len(idents), n+len(s)-dups)
   242		copy(newCmds, p.Cmds)
   243		// Merge existing identifier commands with the sanitizers needed.
   244		for _, id := range idents {
   245			i := indexOfStr((id.Args[0].(*parse.IdentifierNode)).Ident, s, escFnsEq)
   246			if i != -1 {
   247				for _, name := range s[:i] {
   248					newCmds = appendCmd(newCmds, newIdentCmd(name))
   249				}
   250				s = s[i+1:]
   251			}
   252			newCmds = appendCmd(newCmds, id)
   253		}
   254		// Create any remaining sanitizers.
   255		for _, name := range s {
   256			newCmds = appendCmd(newCmds, newIdentCmd(name))
   257		}
   258		p.Cmds = newCmds
   259	}
   260	
   261	// redundantFuncs[a][b] implies that funcMap[b](funcMap[a](x)) == funcMap[a](x)
   262	// for all x.
   263	var redundantFuncs = map[string]map[string]bool{
   264		"html_template_commentescaper": {
   265			"html_template_attrescaper":    true,
   266			"html_template_nospaceescaper": true,
   267			"html_template_htmlescaper":    true,
   268		},
   269		"html_template_cssescaper": {
   270			"html_template_attrescaper": true,
   271		},
   272		"html_template_jsregexpescaper": {
   273			"html_template_attrescaper": true,
   274		},
   275		"html_template_jsstrescaper": {
   276			"html_template_attrescaper": true,
   277		},
   278		"html_template_urlescaper": {
   279			"html_template_urlnormalizer": true,
   280		},
   281	}
   282	
   283	// appendCmd appends the given command to the end of the command pipeline
   284	// unless it is redundant with the last command.
   285	func appendCmd(cmds []*parse.CommandNode, cmd *parse.CommandNode) []*parse.CommandNode {
   286		if n := len(cmds); n != 0 {
   287			last, ok := cmds[n-1].Args[0].(*parse.IdentifierNode)
   288			next, _ := cmd.Args[0].(*parse.IdentifierNode)
   289			if ok && redundantFuncs[last.Ident][next.Ident] {
   290				return cmds
   291			}
   292		}
   293		return append(cmds, cmd)
   294	}
   295	
   296	// indexOfStr is the first i such that eq(s, strs[i]) or -1 if s was not found.
   297	func indexOfStr(s string, strs []string, eq func(a, b string) bool) int {
   298		for i, t := range strs {
   299			if eq(s, t) {
   300				return i
   301			}
   302		}
   303		return -1
   304	}
   305	
   306	// escFnsEq returns whether the two escaping functions are equivalent.
   307	func escFnsEq(a, b string) bool {
   308		if e := equivEscapers[a]; e != "" {
   309			a = e
   310		}
   311		if e := equivEscapers[b]; e != "" {
   312			b = e
   313		}
   314		return a == b
   315	}
   316	
   317	// newIdentCmd produces a command containing a single identifier node.
   318	func newIdentCmd(identifier string) *parse.CommandNode {
   319		return &parse.CommandNode{
   320			NodeType: parse.NodeCommand,
   321			Args:     []parse.Node{parse.NewIdentifier(identifier)},
   322		}
   323	}
   324	
   325	// nudge returns the context that would result from following empty string
   326	// transitions from the input context.
   327	// For example, parsing:
   328	//     `<a href=`
   329	// will end in context{stateBeforeValue, attrURL}, but parsing one extra rune:
   330	//     `<a href=x`
   331	// will end in context{stateURL, delimSpaceOrTagEnd, ...}.
   332	// There are two transitions that happen when the 'x' is seen:
   333	// (1) Transition from a before-value state to a start-of-value state without
   334	//     consuming any character.
   335	// (2) Consume 'x' and transition past the first value character.
   336	// In this case, nudging produces the context after (1) happens.
   337	func nudge(c context) context {
   338		switch c.state {
   339		case stateTag:
   340			// In `<foo {{.}}`, the action should emit an attribute.
   341			c.state = stateAttrName
   342		case stateBeforeValue:
   343			// In `<foo bar={{.}}`, the action is an undelimited value.
   344			c.state, c.delim, c.attr = attrStartStates[c.attr], delimSpaceOrTagEnd, attrNone
   345		case stateAfterName:
   346			// In `<foo bar {{.}}`, the action is an attribute name.
   347			c.state, c.attr = stateAttrName, attrNone
   348		}
   349		return c
   350	}
   351	
   352	// join joins the two contexts of a branch template node. The result is an
   353	// error context if either of the input contexts are error contexts, or if the
   354	// the input contexts differ.
   355	func join(a, b context, line int, nodeName string) context {
   356		if a.state == stateError {
   357			return a
   358		}
   359		if b.state == stateError {
   360			return b
   361		}
   362		if a.eq(b) {
   363			return a
   364		}
   365	
   366		c := a
   367		c.urlPart = b.urlPart
   368		if c.eq(b) {
   369			// The contexts differ only by urlPart.
   370			c.urlPart = urlPartUnknown
   371			return c
   372		}
   373	
   374		c = a
   375		c.jsCtx = b.jsCtx
   376		if c.eq(b) {
   377			// The contexts differ only by jsCtx.
   378			c.jsCtx = jsCtxUnknown
   379			return c
   380		}
   381	
   382		// Allow a nudged context to join with an unnudged one.
   383		// This means that
   384		//   <p title={{if .C}}{{.}}{{end}}
   385		// ends in an unquoted value state even though the else branch
   386		// ends in stateBeforeValue.
   387		if c, d := nudge(a), nudge(b); !(c.eq(a) && d.eq(b)) {
   388			if e := join(c, d, line, nodeName); e.state != stateError {
   389				return e
   390			}
   391		}
   392	
   393		return context{
   394			state: stateError,
   395			err:   errorf(ErrBranchEnd, line, "{{%s}} branches end in different contexts: %v, %v", nodeName, a, b),
   396		}
   397	}
   398	
   399	// escapeBranch escapes a branch template node: "if", "range" and "with".
   400	func (e *escaper) escapeBranch(c context, n *parse.BranchNode, nodeName string) context {
   401		c0 := e.escapeList(c, n.List)
   402		if nodeName == "range" && c0.state != stateError {
   403			// The "true" branch of a "range" node can execute multiple times.
   404			// We check that executing n.List once results in the same context
   405			// as executing n.List twice.
   406			c1, _ := e.escapeListConditionally(c0, n.List, nil)
   407			c0 = join(c0, c1, n.Line, nodeName)
   408			if c0.state == stateError {
   409				// Make clear that this is a problem on loop re-entry
   410				// since developers tend to overlook that branch when
   411				// debugging templates.
   412				c0.err.Line = n.Line
   413				c0.err.Description = "on range loop re-entry: " + c0.err.Description
   414				return c0
   415			}
   416		}
   417		c1 := e.escapeList(c, n.ElseList)
   418		return join(c0, c1, n.Line, nodeName)
   419	}
   420	
   421	// escapeList escapes a list template node.
   422	func (e *escaper) escapeList(c context, n *parse.ListNode) context {
   423		if n == nil {
   424			return c
   425		}
   426		for _, m := range n.Nodes {
   427			c = e.escape(c, m)
   428		}
   429		return c
   430	}
   431	
   432	// escapeListConditionally escapes a list node but only preserves edits and
   433	// inferences in e if the inferences and output context satisfy filter.
   434	// It returns the best guess at an output context, and the result of the filter
   435	// which is the same as whether e was updated.
   436	func (e *escaper) escapeListConditionally(c context, n *parse.ListNode, filter func(*escaper, context) bool) (context, bool) {
   437		e1 := newEscaper(e.tmpl)
   438		// Make type inferences available to f.
   439		for k, v := range e.output {
   440			e1.output[k] = v
   441		}
   442		c = e1.escapeList(c, n)
   443		ok := filter != nil && filter(e1, c)
   444		if ok {
   445			// Copy inferences and edits from e1 back into e.
   446			for k, v := range e1.output {
   447				e.output[k] = v
   448			}
   449			for k, v := range e1.derived {
   450				e.derived[k] = v
   451			}
   452			for k, v := range e1.called {
   453				e.called[k] = v
   454			}
   455			for k, v := range e1.actionNodeEdits {
   456				e.editActionNode(k, v)
   457			}
   458			for k, v := range e1.templateNodeEdits {
   459				e.editTemplateNode(k, v)
   460			}
   461			for k, v := range e1.textNodeEdits {
   462				e.editTextNode(k, v)
   463			}
   464		}
   465		return c, ok
   466	}
   467	
   468	// escapeTemplate escapes a {{template}} call node.
   469	func (e *escaper) escapeTemplate(c context, n *parse.TemplateNode) context {
   470		c, name := e.escapeTree(c, n.Name, n.Line)
   471		if name != n.Name {
   472			e.editTemplateNode(n, name)
   473		}
   474		return c
   475	}
   476	
   477	// escapeTree escapes the named template starting in the given context as
   478	// necessary and returns its output context.
   479	func (e *escaper) escapeTree(c context, name string, line int) (context, string) {
   480		// Mangle the template name with the input context to produce a reliable
   481		// identifier.
   482		dname := c.mangle(name)
   483		e.called[dname] = true
   484		if out, ok := e.output[dname]; ok {
   485			// Already escaped.
   486			return out, dname
   487		}
   488		t := e.template(name)
   489		if t == nil {
   490			// Two cases: The template exists but is empty, or has never been mentioned at
   491			// all. Distinguish the cases in the error messages.
   492			if e.tmpl.set[name] != nil {
   493				return context{
   494					state: stateError,
   495					err:   errorf(ErrNoSuchTemplate, line, "%q is an incomplete or empty template", name),
   496				}, dname
   497			}
   498			return context{
   499				state: stateError,
   500				err:   errorf(ErrNoSuchTemplate, line, "no such template %q", name),
   501			}, dname
   502		}
   503		if dname != name {
   504			// Use any template derived during an earlier call to escapeTemplate
   505			// with different top level templates, or clone if necessary.
   506			dt := e.template(dname)
   507			if dt == nil {
   508				dt = template.New(dname)
   509				dt.Tree = &parse.Tree{Name: dname, Root: t.Root.CopyList()}
   510				e.derived[dname] = dt
   511			}
   512			t = dt
   513		}
   514		return e.computeOutCtx(c, t), dname
   515	}
   516	
   517	// computeOutCtx takes a template and its start context and computes the output
   518	// context while storing any inferences in e.
   519	func (e *escaper) computeOutCtx(c context, t *template.Template) context {
   520		// Propagate context over the body.
   521		c1, ok := e.escapeTemplateBody(c, t)
   522		if !ok {
   523			// Look for a fixed point by assuming c1 as the output context.
   524			if c2, ok2 := e.escapeTemplateBody(c1, t); ok2 {
   525				c1, ok = c2, true
   526			}
   527			// Use c1 as the error context if neither assumption worked.
   528		}
   529		if !ok && c1.state != stateError {
   530			return context{
   531				state: stateError,
   532				// TODO: Find the first node with a line in t.text.Tree.Root
   533				err: errorf(ErrOutputContext, 0, "cannot compute output context for template %s", t.Name()),
   534			}
   535		}
   536		return c1
   537	}
   538	
   539	// escapeTemplateBody escapes the given template assuming the given output
   540	// context, and returns the best guess at the output context and whether the
   541	// assumption was correct.
   542	func (e *escaper) escapeTemplateBody(c context, t *template.Template) (context, bool) {
   543		filter := func(e1 *escaper, c1 context) bool {
   544			if c1.state == stateError {
   545				// Do not update the input escaper, e.
   546				return false
   547			}
   548			if !e1.called[t.Name()] {
   549				// If t is not recursively called, then c1 is an
   550				// accurate output context.
   551				return true
   552			}
   553			// c1 is accurate if it matches our assumed output context.
   554			return c.eq(c1)
   555		}
   556		// We need to assume an output context so that recursive template calls
   557		// take the fast path out of escapeTree instead of infinitely recursing.
   558		// Naively assuming that the input context is the same as the output
   559		// works >90% of the time.
   560		e.output[t.Name()] = c
   561		return e.escapeListConditionally(c, t.Tree.Root, filter)
   562	}
   563	
   564	// delimEnds maps each delim to a string of characters that terminate it.
   565	var delimEnds = [...]string{
   566		delimDoubleQuote: `"`,
   567		delimSingleQuote: "'",
   568		// Determined empirically by running the below in various browsers.
   569		// var div = document.createElement("DIV");
   570		// for (var i = 0; i < 0x10000; ++i) {
   571		//   div.innerHTML = "<span title=x" + String.fromCharCode(i) + "-bar>";
   572		//   if (div.getElementsByTagName("SPAN")[0].title.indexOf("bar") < 0)
   573		//     document.write("<p>U+" + i.toString(16));
   574		// }
   575		delimSpaceOrTagEnd: " \t\n\f\r>",
   576	}
   577	
   578	var doctypeBytes = []byte("<!DOCTYPE")
   579	
   580	// escapeText escapes a text template node.
   581	func (e *escaper) escapeText(c context, n *parse.TextNode) context {
   582		s, written, i, b := n.Text, 0, 0, new(bytes.Buffer)
   583		for i != len(s) {
   584			c1, nread := contextAfterText(c, s[i:])
   585			i1 := i + nread
   586			if c.state == stateText || c.state == stateRCDATA {
   587				end := i1
   588				if c1.state != c.state {
   589					for j := end - 1; j >= i; j-- {
   590						if s[j] == '<' {
   591							end = j
   592							break
   593						}
   594					}
   595				}
   596				for j := i; j < end; j++ {
   597					if s[j] == '<' && !bytes.HasPrefix(bytes.ToUpper(s[j:]), doctypeBytes) {
   598						b.Write(s[written:j])
   599						b.WriteString("&lt;")
   600						written = j + 1
   601					}
   602				}
   603			} else if isComment(c.state) && c.delim == delimNone {
   604				switch c.state {
   605				case stateJSBlockCmt:
   606					// http://es5.github.com/#x7.4:
   607					// "Comments behave like white space and are
   608					// discarded except that, if a MultiLineComment
   609					// contains a line terminator character, then
   610					// the entire comment is considered to be a
   611					// LineTerminator for purposes of parsing by
   612					// the syntactic grammar."
   613					if bytes.IndexAny(s[written:i1], "\n\r\u2028\u2029") != -1 {
   614						b.WriteByte('\n')
   615					} else {
   616						b.WriteByte(' ')
   617					}
   618				case stateCSSBlockCmt:
   619					b.WriteByte(' ')
   620				}
   621				written = i1
   622			}
   623			if c.state != c1.state && isComment(c1.state) && c1.delim == delimNone {
   624				// Preserve the portion between written and the comment start.
   625				cs := i1 - 2
   626				if c1.state == stateHTMLCmt {
   627					// "<!--" instead of "/*" or "//"
   628					cs -= 2
   629				}
   630				b.Write(s[written:cs])
   631				written = i1
   632			}
   633			if i == i1 && c.state == c1.state {
   634				panic(fmt.Sprintf("infinite loop from %v to %v on %q..%q", c, c1, s[:i], s[i:]))
   635			}
   636			c, i = c1, i1
   637		}
   638	
   639		if written != 0 && c.state != stateError {
   640			if !isComment(c.state) || c.delim != delimNone {
   641				b.Write(n.Text[written:])
   642			}
   643			e.editTextNode(n, b.Bytes())
   644		}
   645		return c
   646	}
   647	
   648	// contextAfterText starts in context c, consumes some tokens from the front of
   649	// s, then returns the context after those tokens and the unprocessed suffix.
   650	func contextAfterText(c context, s []byte) (context, int) {
   651		if c.delim == delimNone {
   652			c1, i := tSpecialTagEnd(c, s)
   653			if i == 0 {
   654				// A special end tag (`</script>`) has been seen and
   655				// all content preceding it has been consumed.
   656				return c1, 0
   657			}
   658			// Consider all content up to any end tag.
   659			return transitionFunc[c.state](c, s[:i])
   660		}
   661	
   662		i := bytes.IndexAny(s, delimEnds[c.delim])
   663		if i == -1 {
   664			i = len(s)
   665		}
   666		if c.delim == delimSpaceOrTagEnd {
   667			// http://www.w3.org/TR/html5/tokenization.html#attribute-value-unquoted-state
   668			// lists the runes below as error characters.
   669			// Error out because HTML parsers may differ on whether
   670			// "<a id= onclick=f("     ends inside id's or onclick's value,
   671			// "<a class=`foo "        ends inside a value,
   672			// "<a style=font:'Arial'" needs open-quote fixup.
   673			// IE treats '`' as a quotation character.
   674			if j := bytes.IndexAny(s[:i], "\"'<=`"); j >= 0 {
   675				return context{
   676					state: stateError,
   677					err:   errorf(ErrBadHTML, 0, "%q in unquoted attr: %q", s[j:j+1], s[:i]),
   678				}, len(s)
   679			}
   680		}
   681		if i == len(s) {
   682			// Remain inside the attribute.
   683			// Decode the value so non-HTML rules can easily handle
   684			//     <button onclick="alert(&quot;Hi!&quot;)">
   685			// without having to entity decode token boundaries.
   686			for u := []byte(html.UnescapeString(string(s))); len(u) != 0; {
   687				c1, i1 := transitionFunc[c.state](c, u)
   688				c, u = c1, u[i1:]
   689			}
   690			return c, len(s)
   691		}
   692		if c.delim != delimSpaceOrTagEnd {
   693			// Consume any quote.
   694			i++
   695		}
   696		// On exiting an attribute, we discard all state information
   697		// except the state and element.
   698		return context{state: stateTag, element: c.element}, i
   699	}
   700	
   701	// editActionNode records a change to an action pipeline for later commit.
   702	func (e *escaper) editActionNode(n *parse.ActionNode, cmds []string) {
   703		if _, ok := e.actionNodeEdits[n]; ok {
   704			panic(fmt.Sprintf("node %s shared between templates", n))
   705		}
   706		e.actionNodeEdits[n] = cmds
   707	}
   708	
   709	// editTemplateNode records a change to a {{template}} callee for later commit.
   710	func (e *escaper) editTemplateNode(n *parse.TemplateNode, callee string) {
   711		if _, ok := e.templateNodeEdits[n]; ok {
   712			panic(fmt.Sprintf("node %s shared between templates", n))
   713		}
   714		e.templateNodeEdits[n] = callee
   715	}
   716	
   717	// editTextNode records a change to a text node for later commit.
   718	func (e *escaper) editTextNode(n *parse.TextNode, text []byte) {
   719		if _, ok := e.textNodeEdits[n]; ok {
   720			panic(fmt.Sprintf("node %s shared between templates", n))
   721		}
   722		e.textNodeEdits[n] = text
   723	}
   724	
   725	// commit applies changes to actions and template calls needed to contextually
   726	// autoescape content and adds any derived templates to the set.
   727	func (e *escaper) commit() {
   728		for name := range e.output {
   729			e.template(name).Funcs(funcMap)
   730		}
   731		for _, t := range e.derived {
   732			if _, err := e.tmpl.text.AddParseTree(t.Name(), t.Tree); err != nil {
   733				panic("error adding derived template")
   734			}
   735		}
   736		for n, s := range e.actionNodeEdits {
   737			ensurePipelineContains(n.Pipe, s)
   738		}
   739		for n, name := range e.templateNodeEdits {
   740			n.Name = name
   741		}
   742		for n, s := range e.textNodeEdits {
   743			n.Text = s
   744		}
   745	}
   746	
   747	// template returns the named template given a mangled template name.
   748	func (e *escaper) template(name string) *template.Template {
   749		t := e.tmpl.text.Lookup(name)
   750		if t == nil {
   751			t = e.derived[name]
   752		}
   753		return t
   754	}
   755	
   756	// Forwarding functions so that clients need only import this package
   757	// to reach the general escaping functions of text/template.
   758	
   759	// HTMLEscape writes to w the escaped HTML equivalent of the plain text data b.
   760	func HTMLEscape(w io.Writer, b []byte) {
   761		template.HTMLEscape(w, b)
   762	}
   763	
   764	// HTMLEscapeString returns the escaped HTML equivalent of the plain text data s.
   765	func HTMLEscapeString(s string) string {
   766		return template.HTMLEscapeString(s)
   767	}
   768	
   769	// HTMLEscaper returns the escaped HTML equivalent of the textual
   770	// representation of its arguments.
   771	func HTMLEscaper(args ...interface{}) string {
   772		return template.HTMLEscaper(args...)
   773	}
   774	
   775	// JSEscape writes to w the escaped JavaScript equivalent of the plain text data b.
   776	func JSEscape(w io.Writer, b []byte) {
   777		template.JSEscape(w, b)
   778	}
   779	
   780	// JSEscapeString returns the escaped JavaScript equivalent of the plain text data s.
   781	func JSEscapeString(s string) string {
   782		return template.JSEscapeString(s)
   783	}
   784	
   785	// JSEscaper returns the escaped JavaScript equivalent of the textual
   786	// representation of its arguments.
   787	func JSEscaper(args ...interface{}) string {
   788		return template.JSEscaper(args...)
   789	}
   790	
   791	// URLQueryEscaper returns the escaped value of the textual representation of
   792	// its arguments in a form suitable for embedding in a URL query.
   793	func URLQueryEscaper(args ...interface{}) string {
   794		return template.URLQueryEscaper(args...)
   795	}