stream_str.go 7.8 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372
  1. package jsoniter
  2. import (
  3. "unicode/utf8"
  4. )
  5. // htmlSafeSet holds the value true if the ASCII character with the given
  6. // array position can be safely represented inside a JSON string, embedded
  7. // inside of HTML <script> tags, without any additional escaping.
  8. //
  9. // All values are true except for the ASCII control characters (0-31), the
  10. // double quote ("), the backslash character ("\"), HTML opening and closing
  11. // tags ("<" and ">"), and the ampersand ("&").
  12. var htmlSafeSet = [utf8.RuneSelf]bool{
  13. ' ': true,
  14. '!': true,
  15. '"': false,
  16. '#': true,
  17. '$': true,
  18. '%': true,
  19. '&': false,
  20. '\'': true,
  21. '(': true,
  22. ')': true,
  23. '*': true,
  24. '+': true,
  25. ',': true,
  26. '-': true,
  27. '.': true,
  28. '/': true,
  29. '0': true,
  30. '1': true,
  31. '2': true,
  32. '3': true,
  33. '4': true,
  34. '5': true,
  35. '6': true,
  36. '7': true,
  37. '8': true,
  38. '9': true,
  39. ':': true,
  40. ';': true,
  41. '<': false,
  42. '=': true,
  43. '>': false,
  44. '?': true,
  45. '@': true,
  46. 'A': true,
  47. 'B': true,
  48. 'C': true,
  49. 'D': true,
  50. 'E': true,
  51. 'F': true,
  52. 'G': true,
  53. 'H': true,
  54. 'I': true,
  55. 'J': true,
  56. 'K': true,
  57. 'L': true,
  58. 'M': true,
  59. 'N': true,
  60. 'O': true,
  61. 'P': true,
  62. 'Q': true,
  63. 'R': true,
  64. 'S': true,
  65. 'T': true,
  66. 'U': true,
  67. 'V': true,
  68. 'W': true,
  69. 'X': true,
  70. 'Y': true,
  71. 'Z': true,
  72. '[': true,
  73. '\\': false,
  74. ']': true,
  75. '^': true,
  76. '_': true,
  77. '`': true,
  78. 'a': true,
  79. 'b': true,
  80. 'c': true,
  81. 'd': true,
  82. 'e': true,
  83. 'f': true,
  84. 'g': true,
  85. 'h': true,
  86. 'i': true,
  87. 'j': true,
  88. 'k': true,
  89. 'l': true,
  90. 'm': true,
  91. 'n': true,
  92. 'o': true,
  93. 'p': true,
  94. 'q': true,
  95. 'r': true,
  96. 's': true,
  97. 't': true,
  98. 'u': true,
  99. 'v': true,
  100. 'w': true,
  101. 'x': true,
  102. 'y': true,
  103. 'z': true,
  104. '{': true,
  105. '|': true,
  106. '}': true,
  107. '~': true,
  108. '\u007f': true,
  109. }
  110. // safeSet holds the value true if the ASCII character with the given array
  111. // position can be represented inside a JSON string without any further
  112. // escaping.
  113. //
  114. // All values are true except for the ASCII control characters (0-31), the
  115. // double quote ("), and the backslash character ("\").
  116. var safeSet = [utf8.RuneSelf]bool{
  117. ' ': true,
  118. '!': true,
  119. '"': false,
  120. '#': true,
  121. '$': true,
  122. '%': true,
  123. '&': true,
  124. '\'': true,
  125. '(': true,
  126. ')': true,
  127. '*': true,
  128. '+': true,
  129. ',': true,
  130. '-': true,
  131. '.': true,
  132. '/': true,
  133. '0': true,
  134. '1': true,
  135. '2': true,
  136. '3': true,
  137. '4': true,
  138. '5': true,
  139. '6': true,
  140. '7': true,
  141. '8': true,
  142. '9': true,
  143. ':': true,
  144. ';': true,
  145. '<': true,
  146. '=': true,
  147. '>': true,
  148. '?': true,
  149. '@': true,
  150. 'A': true,
  151. 'B': true,
  152. 'C': true,
  153. 'D': true,
  154. 'E': true,
  155. 'F': true,
  156. 'G': true,
  157. 'H': true,
  158. 'I': true,
  159. 'J': true,
  160. 'K': true,
  161. 'L': true,
  162. 'M': true,
  163. 'N': true,
  164. 'O': true,
  165. 'P': true,
  166. 'Q': true,
  167. 'R': true,
  168. 'S': true,
  169. 'T': true,
  170. 'U': true,
  171. 'V': true,
  172. 'W': true,
  173. 'X': true,
  174. 'Y': true,
  175. 'Z': true,
  176. '[': true,
  177. '\\': false,
  178. ']': true,
  179. '^': true,
  180. '_': true,
  181. '`': true,
  182. 'a': true,
  183. 'b': true,
  184. 'c': true,
  185. 'd': true,
  186. 'e': true,
  187. 'f': true,
  188. 'g': true,
  189. 'h': true,
  190. 'i': true,
  191. 'j': true,
  192. 'k': true,
  193. 'l': true,
  194. 'm': true,
  195. 'n': true,
  196. 'o': true,
  197. 'p': true,
  198. 'q': true,
  199. 'r': true,
  200. 's': true,
  201. 't': true,
  202. 'u': true,
  203. 'v': true,
  204. 'w': true,
  205. 'x': true,
  206. 'y': true,
  207. 'z': true,
  208. '{': true,
  209. '|': true,
  210. '}': true,
  211. '~': true,
  212. '\u007f': true,
  213. }
  214. var hex = "0123456789abcdef"
  215. // WriteStringWithHTMLEscaped write string to stream with html special characters escaped
  216. func (stream *Stream) WriteStringWithHTMLEscaped(s string) {
  217. valLen := len(s)
  218. stream.buf = append(stream.buf, '"')
  219. // write string, the fast path, without utf8 and escape support
  220. i := 0
  221. for ; i < valLen; i++ {
  222. c := s[i]
  223. if c < utf8.RuneSelf && htmlSafeSet[c] {
  224. stream.buf = append(stream.buf, c)
  225. } else {
  226. break
  227. }
  228. }
  229. if i == valLen {
  230. stream.buf = append(stream.buf, '"')
  231. return
  232. }
  233. writeStringSlowPathWithHTMLEscaped(stream, i, s, valLen)
  234. }
  235. func writeStringSlowPathWithHTMLEscaped(stream *Stream, i int, s string, valLen int) {
  236. start := i
  237. // for the remaining parts, we process them char by char
  238. for i < valLen {
  239. if b := s[i]; b < utf8.RuneSelf {
  240. if htmlSafeSet[b] {
  241. i++
  242. continue
  243. }
  244. if start < i {
  245. stream.WriteRaw(s[start:i])
  246. }
  247. switch b {
  248. case '\\', '"':
  249. stream.writeTwoBytes('\\', b)
  250. case '\n':
  251. stream.writeTwoBytes('\\', 'n')
  252. case '\r':
  253. stream.writeTwoBytes('\\', 'r')
  254. case '\t':
  255. stream.writeTwoBytes('\\', 't')
  256. default:
  257. // This encodes bytes < 0x20 except for \t, \n and \r.
  258. // If escapeHTML is set, it also escapes <, >, and &
  259. // because they can lead to security holes when
  260. // user-controlled strings are rendered into JSON
  261. // and served to some browsers.
  262. stream.WriteRaw(`\u00`)
  263. stream.writeTwoBytes(hex[b>>4], hex[b&0xF])
  264. }
  265. i++
  266. start = i
  267. continue
  268. }
  269. c, size := utf8.DecodeRuneInString(s[i:])
  270. if c == utf8.RuneError && size == 1 {
  271. if start < i {
  272. stream.WriteRaw(s[start:i])
  273. }
  274. stream.WriteRaw(`\ufffd`)
  275. i++
  276. start = i
  277. continue
  278. }
  279. // U+2028 is LINE SEPARATOR.
  280. // U+2029 is PARAGRAPH SEPARATOR.
  281. // They are both technically valid characters in JSON strings,
  282. // but don't work in JSONP, which has to be evaluated as JavaScript,
  283. // and can lead to security holes there. It is valid JSON to
  284. // escape them, so we do so unconditionally.
  285. // See http://timelessrepo.com/json-isnt-a-javascript-subset for discussion.
  286. if c == '\u2028' || c == '\u2029' {
  287. if start < i {
  288. stream.WriteRaw(s[start:i])
  289. }
  290. stream.WriteRaw(`\u202`)
  291. stream.writeByte(hex[c&0xF])
  292. i += size
  293. start = i
  294. continue
  295. }
  296. i += size
  297. }
  298. if start < len(s) {
  299. stream.WriteRaw(s[start:])
  300. }
  301. stream.writeByte('"')
  302. }
  303. // WriteString write string to stream without html escape
  304. func (stream *Stream) WriteString(s string) {
  305. valLen := len(s)
  306. stream.buf = append(stream.buf, '"')
  307. // write string, the fast path, without utf8 and escape support
  308. i := 0
  309. for ; i < valLen; i++ {
  310. c := s[i]
  311. if c > 31 && c != '"' && c != '\\' {
  312. stream.buf = append(stream.buf, c)
  313. } else {
  314. break
  315. }
  316. }
  317. if i == valLen {
  318. stream.buf = append(stream.buf, '"')
  319. return
  320. }
  321. writeStringSlowPath(stream, i, s, valLen)
  322. }
  323. func writeStringSlowPath(stream *Stream, i int, s string, valLen int) {
  324. start := i
  325. // for the remaining parts, we process them char by char
  326. for i < valLen {
  327. if b := s[i]; b < utf8.RuneSelf {
  328. if safeSet[b] {
  329. i++
  330. continue
  331. }
  332. if start < i {
  333. stream.WriteRaw(s[start:i])
  334. }
  335. switch b {
  336. case '\\', '"':
  337. stream.writeTwoBytes('\\', b)
  338. case '\n':
  339. stream.writeTwoBytes('\\', 'n')
  340. case '\r':
  341. stream.writeTwoBytes('\\', 'r')
  342. case '\t':
  343. stream.writeTwoBytes('\\', 't')
  344. default:
  345. // This encodes bytes < 0x20 except for \t, \n and \r.
  346. // If escapeHTML is set, it also escapes <, >, and &
  347. // because they can lead to security holes when
  348. // user-controlled strings are rendered into JSON
  349. // and served to some browsers.
  350. stream.WriteRaw(`\u00`)
  351. stream.writeTwoBytes(hex[b>>4], hex[b&0xF])
  352. }
  353. i++
  354. start = i
  355. continue
  356. }
  357. i++
  358. continue
  359. }
  360. if start < len(s) {
  361. stream.WriteRaw(s[start:])
  362. }
  363. stream.writeByte('"')
  364. }