slog: JSONHandler does not escape HTML

jba · jba · commit dfa7d7a641b0 · 2023-01-31T12:03:22.000Z
Don't escape HTML characters. Log output does not need to be safe for embedding in HTML. Change-Id: I545d701239b8fbf5273ce27090f754b8ecc9082a Reviewed-on: https://go-review.googlesource.com/c/exp/+/464215 Run-TryBot: Jonathan Amsterdam <jba@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Alan Donovan <adonovan@google.com>
diff --git a/slog/json_handler.go b/slog/json_handler.go
@@ -5,6 +5,7 @@
 package slog
 
 import (
+	"bytes"
 	"context"
 	"encoding/json"
 	"errors"
@@ -81,6 +82,7 @@ func (h *JSONHandler) WithGroup(name string) Handler {
 //   - Floating-point NaNs and infinities are formatted as one of the strings
 //     "NaN", "+Inf" or "-Inf".
 //   - Levels are formatted as with Level.String.
+//   - HTML characters are not escaped.
 //
 // Each call to Handle results in a single serialized call to io.Writer.Write.
 func (h *JSONHandler) Handle(r Record) error {
@@ -146,11 +148,15 @@ func appendJSONValue(s *handleState, v Value) error {
 }
 
 func appendJSONMarshal(buf *buffer.Buffer, v any) error {
-	b, err := json.Marshal(v)
-	if err != nil {
+	// Use a json.Encoder to avoid escaping HTML.
+	var bb bytes.Buffer
+	enc := json.NewEncoder(&bb)
+	enc.SetEscapeHTML(false)
+	if err := enc.Encode(v); err != nil {
 		return err
 	}
-	buf.Write(b)
+	bs := bb.Bytes()
+	buf.Write(bs[:len(bs)-1]) // remove final newline
 	return nil
 }
 
@@ -168,7 +174,7 @@ func appendEscapedJSONString(buf []byte, s string) []byte {
 	start := 0
 	for i := 0; i < len(s); {
 		if b := s[i]; b < utf8.RuneSelf {
-			if htmlSafeSet[b] {
+			if safeSet[b] {
 				i++
 				continue
 			}
@@ -187,10 +193,6 @@ func appendEscapedJSONString(buf []byte, s string) []byte {
 				char('t')
 			default:
 				// This encodes bytes < 0x20 except for \t, \n and \r.
-				// It also escapes <, >, and &
-				// because they can lead to security holes when
-				// user-controlled strings are rendered into JSON
-				// and served to some browsers.
 				str(`u00`)
 				char(hex[b>>4])
 				char(hex[b&0xF])
@@ -236,23 +238,22 @@ func appendEscapedJSONString(buf []byte, s string) []byte {
 
 var hex = "0123456789abcdef"
 
-// Copied from encoding/json/encode.go:encodeState.string.
+// Copied from encoding/json/tables.go.
 //
-// htmlSafeSet holds the value true if the ASCII character with the given
-// array position can be safely represented inside a JSON string, embedded
-// inside of HTML <script> tags, without any additional escaping.
+// safeSet holds the value true if the ASCII character with the given array
+// position can be represented inside a JSON string without any further
+// escaping.
 //
 // All values are true except for the ASCII control characters (0-31), the
-// double quote ("), the backslash character ("\"), HTML opening and closing
-// tags ("<" and ">"), and the ampersand ("&").
-var htmlSafeSet = [utf8.RuneSelf]bool{
+// double quote ("), and the backslash character ("\").
+var safeSet = [utf8.RuneSelf]bool{
 	' ':      true,
 	'!':      true,
 	'"':      false,
 	'#':      true,
 	'$':      true,
 	'%':      true,
-	'&':      false,
+	'&':      true,
 	'\'':     true,
 	'(':      true,
 	')':      true,
@@ -274,9 +275,9 @@ var htmlSafeSet = [utf8.RuneSelf]bool{
 	'9':      true,
 	':':      true,
 	';':      true,
-	'<':      false,
+	'<':      true,
 	'=':      true,
-	'>':      false,
+	'>':      true,
 	'?':      true,
 	'@':      true,
 	'A':      true,
diff --git a/slog/json_handler_test.go b/slog/json_handler_test.go
@@ -83,17 +83,26 @@ func TestAppendJSONValue(t *testing.T) {
 		jsonMarshaler{"xyz"},
 	} {
 		got := jsonValueString(t, AnyValue(value))
-		b, err := json.Marshal(value)
+		want, err := marshalJSON(value)
 		if err != nil {
 			t.Fatal(err)
 		}
-		want := string(b)
 		if got != want {
 			t.Errorf("%v: got %s, want %s", value, got, want)
 		}
 	}
 }
 
+func marshalJSON(x any) (string, error) {
+	var buf bytes.Buffer
+	enc := json.NewEncoder(&buf)
+	enc.SetEscapeHTML(false)
+	if err := enc.Encode(x); err != nil {
+		return "", err
+	}
+	return strings.TrimSpace(buf.String()), nil
+}
+
 func TestJSONAppendAttrValueSpecial(t *testing.T) {
 	// Attr values that render differently from json.Marshal.
 	for _, test := range []struct {
