package safehtmlutil
import "github.com/google/safehtml/internal/safehtmlutil"
Package safehtmlutil contains functions shared by package safehtml and safehtml/template.
Index
- func Indirect(a interface{}) interface{}
- func IsSafeTrustedResourceURLPrefix(prefix string) bool
- func NormalizeURL(args ...interface{}) string
- func QueryEscapeURL(args ...interface{}) string
- func Stringify(args ...interface{}) string
- func URLContainsDoubleDotSegment(url string) bool
Functions
func Indirect
func Indirect(a interface{}) interface{}
Indirect returns the value, after dereferencing as many times as necessary to reach the base type (or nil).
func IsSafeTrustedResourceURLPrefix
IsSafeTrustedResourceURLPrefix returns whether the given prefix is safe to use as a TrustedResourceURL prefix.
TrustedResourceURL prefixes must start with one of the following:
- `https://<origin>/`
- `//<origin>/`
- `/<pathStart>`
- `about:blank#`
`<origin>` must contain only alphanumerics, '.', ':', '[', ']', or '-'. These restrictions do not enforce a well-formed domain name, so '.' and '1.2' are valid.
`<pathStart>` is any character except `/` and `\`. Based on https://url.spec.whatwg.org/commit-snapshots/56b74ce7cca8883eab62e9a12666e2fac665d03d/#url-parsing, an initial / which is not followed by another / or \ will end up in the "path state" and from there it can only go to the "fragment state" and "query state".
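The prefix rules above, written out as a stand-alone checker. This is an added example, not the package's own code (the package is internal and cannot be imported); `prefixAllowed` and `isOriginChar` are hypothetical names, and the checker assumes the scheme is matched literally and that `<origin>` is non-empty.

```go
package main

import (
	"fmt"
	"strings"
)

// isOriginChar: alphanumerics, '.', ':', '[', ']' or '-', as listed for <origin>.
func isOriginChar(c byte) bool {
	return c >= 'a' && c <= 'z' || c >= 'A' && c <= 'Z' || c >= '0' && c <= '9' ||
		strings.IndexByte(".:[]-", c) >= 0
}

// prefixAllowed (hypothetical name) applies the documented prefix rules.
// Assumptions: the scheme is matched literally and <origin> is non-empty.
func prefixAllowed(prefix string) bool {
	var rest string
	switch {
	case strings.HasPrefix(prefix, "about:blank#"):
		return true
	case strings.HasPrefix(prefix, "https://"):
		rest = strings.TrimPrefix(prefix, "https://")
	case strings.HasPrefix(prefix, "//"):
		rest = prefix[2:]
	case strings.HasPrefix(prefix, "/"):
		// "/<pathStart>": the next character must exist and not be '/' or '\'.
		return len(prefix) > 1 && prefix[1] != '/' && prefix[1] != '\\'
	default:
		return false
	}
	// "<origin>/": a run of origin characters that is closed by '/'.
	i := 0
	for i < len(rest) && isOriginChar(rest[i]) {
		i++
	}
	return i > 0 && i < len(rest) && rest[i] == '/'
}

func main() {
	// Constructed sample prefixes, not taken from the package's tests.
	samples := []string{
		"https://example.com/", "//cdn.example.com/js/", "/static/", "about:blank#",
		"https://example.com", "https://user@example.com/", "http://example.com/",
		"/\\example.com/", "//", "/",
	}
	for _, p := range samples {
		fmt.Printf("%-28q %v\n", p, prefixAllowed(p))
	}
}
```

The first four samples are accepted; the rest fail because the origin is not closed by `/`, contains a character outside the allowed set, uses a scheme other than `https`, or has a path start of `/` or `\`.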
func NormalizeURL
func NormalizeURL(args ...interface{}) string
NormalizeURL normalizes URL content so it can be embedded in a quote-delimited string or parenthesis delimited url(...). The normalizer does not encode all HTML specials. Specifically, it does not encode '&' so correct embedding in an HTML attribute requires escaping of '&' to '&amp;'.
func QueryEscapeURL
func QueryEscapeURL(args ...interface{}) string
QueryEscapeURL produces an output that can be embedded in a URL query. The output can be embedded in an HTML attribute without further escaping.
func Stringify
func Stringify(args ...interface{}) string
Stringify converts its arguments to a string. It is equivalent to fmt.Sprint(args...), except that it dereferences all pointers.
func URLContainsDoubleDotSegment
URLContainsDoubleDotSegment returns whether the given URL or URL substring contains the double dot-segment ".." (RFC3986 3.3) in its percent-encoded or unencoded form.
Source Files
- Version
- v0.1.0 (latest)
- Published
- Apr 30, 2022
- Platform
- linux/amd64
- Imports
- 4 packages