github/golang.net
2
0
Fork 0
mirror of https://github.com/golang/net.git synced 2026-03-31 10:27:08 +09:00
Code Issues Packages Projects Releases Wiki Activity
2,324 Commits 21 Branches 52 Tags
master
Commit Graph

22 Commits

Author SHA1 Message Date
Roland Shoemaker
59706cdaa8 html: impose open element stack size limit 
The HTML specification contains a number of algorithms which are
quadratic in complexity by design. Instead of adding complicated
workarounds to prevent these cases from becoming extremely expensive in
pathological cases, we impose a limit of 512 to the size of the stack of
open elements. It is extremely unlikely that non-adversarial HTML
documents will ever hit this limit (but if we see cases of this, we may
want to make the limit configurable via a ParseOption).

Thanks to Guido Vranken and Jakub Ciolek for both independently
reporting this issue.

Fixes CVE-2025-47911
Fixes golang/go#75682

Change-Id: I890517b189af4ffbf427d25d3fde7ad7ec3509ad
Reviewed-on: https://go-review.googlesource.com/c/net/+/709876
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
 2025-10-07 11:18:01 -07:00
Roland Shoemaker
6ec8895aa5 html: align in row insertion mode with spec 
Update inRowIM to match the HTML specification. This fixes an issue
where a specific HTML document could cause the parser to enter an
infinite loop when trying to parse a </tbody> and implied </tr> next to
each other.

Fixes CVE-2025-58190
Fixes golang/go#70179

Change-Id: Idcb133c87c7d475cc8c7eb1f1550ea21d8bdddea
Reviewed-on: https://go-review.googlesource.com/c/net/+/709875
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
 2025-10-07 11:17:53 -07:00
Pukki
312450e473 html: ensure <search> tag closes <p> and update tests 
This change ensures that the <search> tag correctly closes an open <p> tag when encountered during parsing.

Changes:
- Added <search> to the list of elements that should close an open <p> tag in parse.go.
- Updated the second list in parse.go to ensure consistency.
- Updated html/atom/gen.go, table.go, and table_test.go accordingly.
- Modified parse_test.go to use strings.Builder instead of bytes.Buffer.
- Updated test error messages to follow Go’s conventions.
- Fixed an accidental colon in the comment in parse.go.

Change-Id: I5835da69f6bb0e14c483e55b7ae82915ae958dc1
Reviewed-on: https://go-review.googlesource.com/c/net/+/655457
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Ian Lance Taylor <iant@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Ian Lance Taylor <iant@google.com>
 2025-03-12 15:46:46 -07:00
yincong
b935f7b5d7 html: avoid endless loop on error token 
Fixes #70179

Change-Id: I2a0a1fc2e96f7d8eefd0abdf7ef8ba243a6e8645
GitHub-Last-Rev: a601ecd849
GitHub-Pull-Request: golang/net#226
Reviewed-on: https://go-review.googlesource.com/c/net/+/624895
Reviewed-by: Ian Lance Taylor <iant@google.com>
Auto-Submit: Ian Lance Taylor <iant@google.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
 2024-12-18 08:05:47 -08:00
Damien Neil
c1f5833288 all: replace deprecated io/ioutil calls 
The io/ioutil package's features were moved to
the io and os packages in Go 1.16.

x/net depends on Go 1.18. Drop ioutil calls,
so gopls doesn't warn about them.

Change-Id: Ibdb576d94f250808ae285aa142e2fd41e7e9afc9
Reviewed-on: https://go-review.googlesource.com/c/net/+/586244
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Ian Lance Taylor <iant@google.com>
 2024-05-21 19:59:00 +00:00
Nigel Tao
37e1c6afe0 html: ignore templates nested within foreign content 
Fixes #46288
Fixes CVE-2021-33194

Change-Id: I2fe39702de8e9aab29965c1526e377a6f9cdf056
Reviewed-on: https://go-review.googlesource.com/c/net/+/311090
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
Trust: Roland Shoemaker <roland@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
 2021-05-20 17:08:46 +00:00
Kunpei Sakai
28c70e62bb html: port html5lib tests from html5lib/html5lib-tests 
To reproduce this, execute following steps in order:

1. git clone git@github.com:html5lib/html5lib-tests.git && git checkout 6ddcf58bea5a01e616911050c173622f84297211
2. cp -Rv html5lib-tests/tree-construction/ testdata/webkit

Change-Id: Id32798b1ff881afad82d87c2fef0841e5223c7e6
Reviewed-on: https://go-review.googlesource.com/c/net/+/263397
Trust: Kunpei Sakai <namusyaka@gmail.com>
Trust: Nigel Tao <nigeltao@golang.org>
Run-TryBot: Kunpei Sakai <namusyaka@gmail.com>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Nigel Tao <nigeltao@golang.org>
 2020-10-29 22:17:08 +00:00
Kunpei Sakai
8adf50f3fe html: avoid using raw text mode if there are raw tags to be ignored in select IM 
This follows up on https://golang.org/cl/264977

Change-Id: I5d0e2f39173a8bbd07ca53de4df2a7e8772d4197
Reviewed-on: https://go-review.googlesource.com/c/net/+/265960
Trust: Kunpei Sakai <namusyaka@gmail.com>
Trust: Nigel Tao <nigeltao@golang.org>
Run-TryBot: Kunpei Sakai <namusyaka@gmail.com>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Nigel Tao <nigeltao@golang.org>
 2020-10-29 05:33:32 +00:00
Kunpei Sakai
e0495509cf html: skip tests for behavior outside the parsing algorithm 
This also updates webkit/tests18.dat to latest.

Change-Id: I4ed37e918a7db63afd8d515dd3a2494699cc5b74
Reviewed-on: https://go-review.googlesource.com/c/net/+/264977
Trust: Kunpei Sakai <namusyaka@gmail.com>
Trust: Nigel Tao <nigeltao@golang.org>
Run-TryBot: Kunpei Sakai <namusyaka@gmail.com>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Nigel Tao <nigeltao@golang.org>
 2020-10-29 03:25:33 +00:00
Kunpei Sakai
e7e4b65ae6 html: improve coding style 
Change-Id: I05c0ccbad41f5512f8096b0d15991d7d6b5d726e
Reviewed-on: https://go-review.googlesource.com/c/net/+/209398
Reviewed-by: Nigel Tao <nigeltao@golang.org>
 2019-12-07 00:06:13 +00:00
Kunpei Sakai
1ddd1de85c html: implement generic raw text element parsing algorithm 
See: https://html.spec.whatwg.org/multipage/parsing.html#parsing-elements-that-contain-only-text

This follows up on golang.org/cl/205617

Change-Id: Id99054bc25e9ea90bb3f03b15c14c13573520997
Reviewed-on: https://go-review.googlesource.com/c/net/+/210318
Run-TryBot: Kunpei Sakai <namusyaka@gmail.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Nigel Tao <nigeltao@golang.org>
 2019-12-06 10:30:17 +00:00
Kunpei Sakai
ffdde10578 html: implement adjusted current node and make parser support foreign fragment 
This follows up on golang.org/cl/205617

Change-Id: Id94a4fcef6a604936c404f75999ba37321b6c2c0
Reviewed-on: https://go-review.googlesource.com/c/net/+/206121
Run-TryBot: Kunpei Sakai <namusyaka@gmail.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Nigel Tao <nigeltao@golang.org>
 2019-11-25 08:49:36 +00:00
Kunpei Sakai
8f7fa2680c html: support #script-(on|off) directives for tests 
Those directives are now supported by html5lib-tests.
See: e52ff68cc7/tree-construction/README.md

Also, this fixes missing opts on parsing for identical check

Change-Id: I92f2398ebda0477fd7f6bb438c54f3948063c08d
Reviewed-on: https://go-review.googlesource.com/c/net/+/206118
Run-TryBot: Kunpei Sakai <namusyaka@gmail.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Nigel Tao <nigeltao@golang.org>
 2019-11-24 23:31:50 +00:00
Kunpei Sakai
9ce7a6920f html: implement ParseWithOptions and ParseFragmentWithOptions 
This commit newly introduces a type for configuring a parser
called ParseOption, and implements two functions depending on it.
Along with that, this introduces ParseOptionEnableScripting to
enable setting of the scripting flag.

Fixes golang/go#16318

Change-Id: Ie7fd7d8ce286e22e7f57182fc2ce353bce578db6
Reviewed-on: https://go-review.googlesource.com/c/net/+/174157
Reviewed-by: Nigel Tao <nigeltao@golang.org>
 2019-05-01 00:44:15 +00:00
Kunpei Sakai
574d568418 html: add "in head noscript" im support 
In the spec 12.2.6.4.5, the "in head noscript" insertion mode is defined.
However, this package and its parser doesn't have the insertion mode,
because the scripting=false case is not considered currently.

This commit adds a test and a support for the "in head noscript"
insertion mode. This change has no effect on the actual behavior.

Updates golang/go#16318

Change-Id: I9314c3342bea27fa2acf2fa7d980a127ee0fbf91
Reviewed-on: https://go-review.googlesource.com/c/net/+/172557
Reviewed-by: Nigel Tao <nigeltao@golang.org>
 2019-04-24 02:42:50 +00:00
Kunpei Sakai
d26f9f9a57 html: update inSelectIM and inSelectInTableIM for the latest spec 
Fixes golang/go#27842

Change-Id: I06eb3c0c18be3566bd30a29fca5f3f7e6791d2cc
Reviewed-on: https://go-review.googlesource.com/c/137275
Run-TryBot: Kunpei Sakai <namusyaka@gmail.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Nigel Tao <nigeltao@golang.org>
 2019-01-25 09:10:13 +00:00
Kunpei Sakai
8a410e7b63 html: fix wrong comparison in foster parenting algorithm 
Fixes golang/go#23071

Change-Id: I383e13bfd87e32ffb775dff54c46b66b090e5017
Reviewed-on: https://go-review.googlesource.com/131475
Run-TryBot: Kunpei Sakai <namusyaka@gmail.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Nigel Tao <nigeltao@golang.org>
 2018-08-26 01:23:51 +00:00
Kunpei Sakai
32a936f463 html: don't ignore the token if the current node is form 
See: https://html.spec.whatwg.org/multipage/parsing.html#parsing-main-inbody

Fixes golang/go#25703
Updates golang/go#23071

Change-Id: I09db4c2d07a242cb45c3e37b499c609809dd0b83
Reviewed-on: https://go-review.googlesource.com/120658
Run-TryBot: Kunpei Sakai <namusyaka@gmail.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Nigel Tao <nigeltao@golang.org>
 2018-07-06 05:13:57 +00:00
Kunpei Sakai
8d16fa6dc9 html: avoid invalid nil pointer access 
Updates golang/go#23071

Change-Id: I73d7302c5bde4441aa824093fdcce52e8bb51e31
Reviewed-on: https://go-review.googlesource.com/107379
Run-TryBot: Kunpei Sakai <namusyaka@gmail.com>
Reviewed-by: Nigel Tao <nigeltao@golang.org>
 2018-04-17 00:37:50 +00:00
namusyaka
500e7a4f95 html: add "in template" insertion mode support 
See:
https://html.spec.whatwg.org/multipage/parsing.html#parsing-main-intemplate

Updates golang/go#23071

Change-Id: I36529b7cf5d2adf159ed5c471fba9f67890b7eb9
Reviewed-on: https://go-review.googlesource.com/94838
Run-TryBot: Kunpei Sakai <namusyaka@gmail.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Nigel Tao <nigeltao@golang.org>
 2018-04-15 21:43:07 +00:00
Andrew Gerrand
fbe893ddcd go.net: use golang.org/x/... import paths 
LGTM=rsc
R=rsc
CC=golang-codereviews
https://golang.org/cl/167030043
 2014-11-10 09:04:43 +11:00
Nigel Tao
ea127e889c go.net/html: move exp/html and exp/html/atom here to the go.net 
sub-repo.

It's a straight copy, except for these modifications:
* "exp/html" and "exp/html/atom" imports were renamed, and
* the "TODO... When this package moves out of exp" comment was
  deleted from atom/atom.go.

The matching change is at https://golang.org/cl/7317043

The rationale was discussed at
https://groups.google.com/d/topic/golang-nuts/Qq5hTQyPuLg/discussion

R=adg, remyoudompheng, dave
CC=golang-dev
https://golang.org/cl/7310063
 2013-02-11 11:55:20 +11:00