Commit 37dbc7b4 authored by Nodir Turakulov's avatar Nodir Turakulov Committed by Brad Fitzpatrick

html/template: escape JS in application/json script tag

Since ffd1c781 HTML templates check
MIME type in the "type" attribute of "script" tag to decide if contents
should be escaped as JavaScript. The whitelist of MIME types did not
include application/json. Include it in this CL.

Fixes #18159

Change-Id: I17a8a38f2b7789b4b7e941d14279de222eaf2b6a
Reviewed-on: https://go-review.googlesource.com/33899Reviewed-by: default avatarBrad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
parent d29f72f4
......@@ -368,9 +368,10 @@ func isJSIdentPart(r rune) bool {
// It is used to determine whether a script tag with a type attribute is a javascript container.
func isJSType(mimeType string) bool {
// per
// http://www.w3.org/TR/html5/scripting-1.html#attr-script-type
// https://www.w3.org/TR/html5/scripting-1.html#attr-script-type
// https://tools.ietf.org/html/rfc7231#section-3.1.1
// http://tools.ietf.org/html/rfc4329#section-3
// https://tools.ietf.org/html/rfc4329#section-3
// https://www.ietf.org/rfc/rfc4627.txt
// discard parameters
if i := strings.Index(mimeType, ";"); i >= 0 {
......@@ -381,6 +382,7 @@ func isJSType(mimeType string) bool {
case
"application/ecmascript",
"application/javascript",
"application/json",
"application/x-ecmascript",
"application/x-javascript",
"text/ecmascript",
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment