

refactor: demonstrate how URL schemes are restricted unless templ.SafeURL is used
a-h committed Oct 10, 2021
1 parent 3aef485 commit 1229489
Showing 3 changed files with 88 additions and 0 deletions.
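--- a/generator/test-attribute-escaping/render_test.go
+++ b/generator/test-attribute-escaping/render_test.go
@@ -0,0 +1,24 @@
+package testhtml
+
+import (
+"context"
+"strings"
+"testing"
+
+"github.com/google/go-cmp/cmp"
+)
+
+const expected = `<div>` +
+`<a href="about:invalid#TemplFailedSanitizationURL"` +
+`</div>`
+
+func TestHTML(t *testing.T) {
+w := new(strings.Builder)
+err := BasicTemplate(`javascript: alert("xss");`).Render(context.Background(), w)
+if err != nil {
+t.Errorf("failed to render: %v", err)
+}
+if diff := cmp.Diff(expected, w.String()); diff != "" {
+t.Error(diff)
+}
+}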
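Review bot: The `expected` constant does not match what template.templ renders: it closes the anchor with `"` and goes straight to `</div>`, omitting the `>` that ends the `<a>` start tag and the `text</a>` child the template emits, so either the generator is producing malformed HTML here or the expectation is wrong — confirm the intended output is `<div><a href="about:invalid#TemplFailedSanitizationURL">text</a></div>`. The test also exercises only the lowercase `javascript:` form; a table-driven test adding variants such as `JavaScript:`, a leading-whitespace `\tjavascript:`, a `data:` URL, and a safe `https://` URL expected to pass through unchanged would pin the sanitizer's actual boundary rather than one sample. Since a render error makes the subsequent diff meaningless, `t.Fatalf("failed to render: %v", err)` should replace `t.Errorf` so a failed render does not also report a confusing mismatch.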
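--- a/generator/test-attribute-escaping/template.templ
+++ b/generator/test-attribute-escaping/template.templ
@@ -0,0 +1,8 @@
+{% package testhtml %}
+
+{% templ BasicTemplate(url string) %}
+<div>
+<a href={%= templ.URL(url) %}>{%= "text" %}</a>
+</div>
+{% endtempl %}
+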
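Review bot: The template shows only the sanitized path (`templ.URL(url)` on the `<a href=...>` line) although the commit title frames the point as the contrast with `templ.SafeURL`; a second anchor rendering `templ.SafeURL(url)` alongside it would let the test pin both behaviours in one fixture and make the bypass visible to readers of this directory. At minimum, a template comment above the `<div>` stating that `templ.URL` rewrites disallowed schemes to `about:invalid` while `templ.SafeURL` skips that check and must only be given trusted values would document why the test expects `about:invalid`; I cannot tell from this diff which comment form the templ syntax supports at this version, so use whatever it provides.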
56 changes: 56 additions & 0 deletions generator/test-attribute-escaping/template_templ.go

