html/template: only track brace depth when we are in a JS tmpl lit

The change that keeps on giving. Only track brace depth in tJS if we are
already inside of a template literal. If we start tracking depth outside
of nested literals it can cause the parser to think we're still in a JS
context when we've actually closed the string interp.

I believe this _mostly_ captures the expected parsing, but since the
JS parser does not implement proper lexical goal symbols, it may not
be entirely accurate. At some point in the future we may be able to
significantly reduce the complexity of this implementation by
implementing a lexical parser that more closely follows the ECMAScript
specification, and structuring escaping rules based on which symbol an
action appears in. This would also allow us to catch errors, which
we currently cannot reasonable do (although perhaps this is beyond the
scope of what html/template _should_ be doing).

Updates #61619

Change-Id: I56e1dbc0d0705ef8fb7a5454ebe2421d4e162ef6
Reviewed-on: https://go-review.googlesource.com/c/go/+/532595
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>

diff --git a/src/html/template/escape_test.go b/src/html/template/escape_test.go
index 9e2f4fe9228ef52e66285c5a72df87b25efd42ff..91fbfb9a3cdb6ca3b69affbe19a0e790b40ad118 100644 (file)
--- a/src/html/template/escape_test.go
+++ b/src/html/template/escape_test.go
@@ -1163,26 +1163,6 @@ func TestErrors(t *testing.T) {
                        // html is allowed since it is the last command in the pipeline, but urlquery is not.
                        `predefined escaper "urlquery" disallowed in template`,
                },
-               // {
-               //      "<script>var tmpl = `asd {{.}}`;</script>",
-               //      `{{.}} appears in a JS template literal`,
-               // },
-               // {
-               //      "<script>var v = `${function(){return `{{.V}}+1`}()}`;</script>",
-               //      `{{.V}} appears in a JS template literal`,
-               // },
-               // {
-               //      "<script>var a = `asd ${function(){b = {1:2}; return`{{.}}`}}`</script>",
-               //      `{{.}} appears in a JS template literal`,
-               // },
-               // {
-               //      "<script>var tmpl = `${return `{{.}}`}`;</script>",
-               //      `{{.}} appears in a JS template literal`,
-               // },
-               // {
-               //      "<script>var tmpl = `${return {`{{.}}`}`;</script>",
-               //      `{{.}} appears in a JS template literal`,
-               // },
        }
        for _, test := range tests {
                buf := new(bytes.Buffer)
@@ -1800,6 +1780,30 @@ func TestEscapeText(t *testing.T) {
                        "<script>var foo = `x` + \"${",
                        context{state: stateJSDqStr, element: elementScript},
                },
+               {
+                       "<script>function f() { var a = `${}`; }",
+                       context{state: stateJS, element: elementScript},
+               },
+               {
+                       "<script>{`${}`}",
+                       context{state: stateJS, element: elementScript},
+               },
+               {
+                       "<script>`${ function f() { return `${1}` }() }`",
+                       context{state: stateJS, element: elementScript, jsCtx: jsCtxDivOp},
+               },
+               {
+                       "<script>function f() {`${ function f() { `${1}` } }`}",
+                       context{state: stateJS, element: elementScript, jsCtx: jsCtxDivOp},
+               },
+               {
+                       "<script>`${ { `` }`",
+                       context{state: stateJS, element: elementScript},
+               },
+               {
+                       "<script>`${ { }`",
+                       context{state: stateJSTmplLit, element: elementScript},
+               },
        }
 
        for _, test := range tests {

diff --git a/src/html/template/transition.go b/src/html/template/transition.go
index 4ea803e42800de3ff3c9246943324af220b862c1..4aa2920986a87bfea1bb7042ffbc44feb5f5006f 100644 (file)
--- a/src/html/template/transition.go
+++ b/src/html/template/transition.go
@@ -321,6 +321,11 @@ func tJS(c context, s []byte) (context, int) {
                        c.state, i = stateJSLineCmt, i+1
                }
        case '{':
+               // We only care about tracking brace depth if we are inside of a
+               // template literal.
+               if c.jsTmplExprDepth == 0 {
+                       return c, i + 1
+               }
                c.jsBraceDepth++
        case '}':
                if c.jsTmplExprDepth == 0 {
@@ -349,6 +354,7 @@ func tJS(c context, s []byte) (context, int) {
 }
 
 func tJSTmpl(c context, s []byte) (context, int) {
+       c.jsBraceDepth = 0
        var k int
        for {
                i := k + bytes.IndexAny(s[k:], "`\\$")
@@ -367,6 +373,7 @@ func tJSTmpl(c context, s []byte) (context, int) {
                case '$':
                        if len(s) >= i+2 && s[i+1] == '{' {
                                c.jsTmplExprDepth++
+                               c.jsBraceDepth = 0
                                c.state = stateJS
                                return c, i + 2
                        }