x/net: regression in x/net/html package: The <!--[if mso]--> email HTML comments are now being escaped #58246
Comments
CC @nigeltao
CC @namusyaka
It seems logical that only the
I think it's unlikely that we'll (1) revert or (2) provide a setting. The behavior was changed because it was a bug that an " If you need to inject meaningful comments, and want control over escaping, perhaps an However, I will quote myself from another issue:
Having said that...
This could possibly work. We'd have to think carefully about any security implications, though. For example, there are non-standard ways to create a CommentToken that stops at the first
Here's what the HTML spec says about parsing comments:
Given that second link... I don't know about you, but I'm going to need to think for a bit about when it's safe to not-escape
It does look ominous at the first glance, but I'm pretty sure that the gist of it is that
Anything else between That looks about it. Or am I missing some fine point?
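An added example, not part of this thread and not the x/net/html implementation: a Go check built on the HTML Standard's syntax restrictions for comment text, showing that an Outlook conditional comment can be written unescaped while text that would end the comment early cannot. The function names, the entity-escaping fallback and the sample strings are assumptions of this example.

```go
package main

import (
	"fmt"
	"html"
	"strings"
)

// commentTextIsSafe reports whether text may be written verbatim between
// "<!--" and "-->". It applies the HTML Standard's syntax restrictions on
// comment text, which are conservative: some rejected strings are only parse
// errors, but every string that would end the comment early is rejected.
func commentTextIsSafe(text string) bool {
	if strings.HasPrefix(text, ">") || strings.HasPrefix(text, "->") {
		return false // "<!-->" and "<!--->" are complete (empty) comments
	}
	for _, bad := range []string{"<!--", "-->", "--!>"} {
		if strings.Contains(text, bad) {
			return false // "-->" and "--!>" both terminate a comment
		}
	}
	return !strings.HasSuffix(text, "<!-")
}

// renderComment keeps safe text byte-for-byte and entity-escapes the rest.
// The fallback is this example's choice, not x/net/html's algorithm.
func renderComment(text string) string {
	if !commentTextIsSafe(text) {
		text = html.EscapeString(text)
	}
	return "<!--" + text + "-->"
}

func main() {
	// Constructed sample comment texts.
	for _, s := range []string{
		"[if mso]><p>Outlook only</p><![endif]",
		"--><b>outside the comment</b>",
		">leading bracket",
		"a--!>b",
	} {
		fmt.Printf("safe=%-5v %s\n", commentTextIsSafe(s), renderComment(s))
	}
}
```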
Change https://go.dev/cl/466776 mentions this issue:
Updates golang/go#58246
Change-Id: Iaba5ed65f5d244fd47372ef0c08fc4cdb5ed90f9
Reviewed-on: https://go-review.googlesource.com/c/net/+/466776
TryBot-Result: Gopher Robot <gobot@golang.org>
Auto-Submit: Nigel Tao <nigeltao@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
Run-TryBot: Nigel Tao <nigeltao@golang.org>
Reviewed-by: Nigel Tao (INACTIVE; USE @golang.org INSTEAD) <nigeltao@google.com>
Change https://go.dev/cl/469055 mentions this issue:
Change https://go.dev/cl/469056 mentions this issue:
This only adds new tests. A follow-up commit will change behavior.
Updates golang/go#58246
Change-Id: I6adf5941d5cfd3c28f7b9328882ac280109ee028
Reviewed-on: https://go-review.googlesource.com/c/net/+/469055
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Nigel Tao <nigeltao@golang.org>
Reviewed-by: Kunpei Sakai <namusyaka@gmail.com>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Bryan Mills <bcmills@google.com>
Hi,
We're rendering HTML emails in Go. We're using github.com/aymerick/douceur to do CSS inlining / HTML sanitization, which in turn uses golang.org/x/net/html package under the hood.
Recently, after upgrading x/net package, we have noticed that our HTML emails broke in certain email clients, i.e. Windows / Microsoft Outlook, and rendered as a blank page.
We're using some Outlook-specific conditional comments in the HTML of our emails:
Example:
However, after this commit (#48237), the content of the HTML comments changed and is now being escaped:
Emails are hard and it's quite normal to rely on these special <!--[if mso]> HTML comments to support Microsoft Outlook properly. See Targeting specific Outlook versions.
Questions:
Thank you for your input.
Best,
Vojtech