add support for DangerousContents

stephenlacy · stephenlacy · commit d7339afcbe87 · 2021-03-28T22:50:47.000-07:00
diff --git a/daz.go b/daz.go
@@ -21,8 +21,20 @@ var selfClosingTags = map[string]int{
 // <a href="#"> => Attr{"href": "#"}
 type Attr map[string]string
 
+type HTML func() string
+
+// dangerous contents type
+type dangerousContents func() (string, bool)
+
+// UnsafeContent allows injection of JS or HTML from functions
+func UnsafeContent(str string) dangerousContents {
+	return func() (string, bool) {
+		return str, true
+	}
+}
+
 // H is the base HTML func
-func H(el string, attrs ...interface{}) func() string {
+func H(el string, attrs ...interface{}) HTML {
 	contents := []string{}
 	attributes := ""
 	for _, v := range attrs {
@@ -34,11 +46,16 @@ func H(el string, attrs ...interface{}) func() string {
 		case []string:
 			children := strings.Join(v, "")
 			contents = append(contents, escape(children))
-		case []func() string:
+		case []HTML:
 			children := subItems(v)
 			contents = append(contents, children)
-		case func() string:
+		case HTML:
 			contents = append(contents, v())
+		case dangerousContents:
+			t, _ := v()
+			contents = append(contents, t)
+		case func() string:
+			contents = append(contents, escape(v()))
 		default:
 			contents = append(contents, escape(fmt.Sprintf("%v", v)))
 		}
@@ -56,7 +73,7 @@ func escape(str string) string {
 	return html.EscapeString(str)
 }
 
-func subItems(attrs []func() string) string {
+func subItems(attrs []HTML) string {
 	res := []string{}
 	for _, v := range attrs {
 		res = append(res, v())
diff --git a/daz_test.go b/daz_test.go
@@ -11,6 +11,7 @@ var fixture4 = "<div class='bg-grey-50' data-id='div-1'>content</div>"
 var fixture5 = "<div>O&#39;Brian<input type='text' value='input value&#39;s' /></div>"
 var fixture6 = "<div><img src='https://example.com/image.png' /><br /></div>"
 var fixture7 = "<div>&lt;script&gt;alert(&#39;xss&#39;)&lt;/script&gt;</div>"
+var fixture8 = "<div><script>alert('xss')</script></div>"
 
 func TestBasicRender(t *testing.T) {
 	attrs := Attr{"class": "app view"}
@@ -33,11 +34,23 @@ func TestStringItems(t *testing.T) {
 	}
 }
 
-func TestItems(t *testing.T) {
+func TestItems1(t *testing.T) {
 	one := H("div", "one")
 	two := func() string { return "one" }
 	three := H("", "text")
-	items := []func() string{one, two, three}
+	items := []HTML{one, two, three}
+
+	root := H("div", items)
+	res := root()
+	if res != fixture3 {
+		t.Errorf("got: %v wanted: %v", res, fixture3)
+	}
+}
+func TestItems2(t *testing.T) {
+	one := H("div", "one")
+	two := func() string { return "one" }
+	three := H("", "text")
+	items := []HTML{one, two, three}
 
 	root := H("div", items)
 	res := root()
@@ -81,6 +94,15 @@ func TestXSS1(t *testing.T) {
 	}
 }
 
+func TestUnsafeContent(t *testing.T) {
+	injection := "<script>alert('xss')</script>"
+	root := H("div", UnsafeContent(injection))
+	res := root()
+	if res != fixture8 {
+		t.Errorf("got: %v wanted: %v", res, fixture8)
+	}
+}
+
 func BenchmarkBasicRender(b *testing.B) {
 	attrs := Attr{"class": "app view"}
 	nav := H("nav", "Welcome")
