html: use strings.EqualFold instead of lowering ourselves

rolandshoemaker · gopherbot · commit 8e66b04771e3 · 2024-12-18T11:24:30.000-08:00
Instead of using strings.ToLower and == to check case insensitive equality, just use strings.EqualFold, even when the strings are only ASCII. This prevents us unnecessarily lowering extremely long strings, which can be a somewhat expensive operation, even if we're only attempting to compare equality with five characters. Thanks to Guido Vranken for reporting this issue. Fixes golang/go#70906 Fixes CVE-2024-45338 Change-Id: I323b919f912d60dab6a87cadfdcac3e6b54cd128 Reviewed-on: https://go-review.googlesource.com/c/net/+/637536 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Auto-Submit: Gopher Robot <gobot@golang.org> Reviewed-by: Roland Shoemaker <roland@golang.org> Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
diff --git a/html/doctype.go b/html/doctype.go
@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) {
 			}
 		}
 		if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" &&
-			strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" {
+			strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") {
 			quirks = true
 		}
 	}
diff --git a/html/foreign.go b/html/foreign.go
@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool {
 		if n.Data == "annotation-xml" {
 			for _, a := range n.Attr {
 				if a.Key == "encoding" {
-					val := strings.ToLower(a.Val)
-					if val == "text/html" || val == "application/xhtml+xml" {
+					if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") {
 						return true
 					}
 				}
diff --git a/html/parse.go b/html/parse.go
@@ -1035,7 +1035,7 @@ func inBodyIM(p *parser) bool {
 			if p.tok.DataAtom == a.Input {
 				for _, t := range p.tok.Attr {
 					if t.Key == "type" {
-						if strings.ToLower(t.Val) == "hidden" {
+						if strings.EqualFold(t.Val, "hidden") {
 							// Skip setting framesetOK = false
 							return true
 						}
@@ -1463,7 +1463,7 @@ func inTableIM(p *parser) bool {
 			return inHeadIM(p)
 		case a.Input:
 			for _, t := range p.tok.Attr {
-				if t.Key == "type" && strings.ToLower(t.Val) == "hidden" {
+				if t.Key == "type" && strings.EqualFold(t.Val, "hidden") {
 					p.addElement()
 					p.oe.pop()
 					return true

Original file line number	Diff line number	Diff line change
`@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) {`
`87`	`87`	`}`
`88`	`88`	`}`
`89`	`89`	`if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" &&`
`90`		`- strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" {`
	`90`	`+ strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") {`
`91`	`91`	`quirks = true`
`92`	`92`	`}`
`93`	`93`	`}`
Original file line number	Diff line number	Diff line change
`@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool {`
`40`	`40`	`if n.Data == "annotation-xml" {`
`41`	`41`	`for _, a := range n.Attr {`
`42`	`42`	`if a.Key == "encoding" {`
`43`		`- val := strings.ToLower(a.Val)`
`44`		`- if val == "text/html" \|\| val == "application/xhtml+xml" {`
	`43`	`+ if strings.EqualFold(a.Val, "text/html") \|\| strings.EqualFold(a.Val, "application/xhtml+xml") {`
`45`	`44`	`return true`
`46`	`45`	`}`
`47`	`46`	`}`