From 7b4377ad9d8a7205416df8d6217ef2b010f89481 Mon Sep 17 00:00:00 2001
From: Taras Madan <tarasmadan@google.com>
Date: Wed, 22 Jan 2025 16:07:17 +0100
Subject: vendor: delete

---
 .../github.com/google/safehtml/template/error.go   | 280 ---------------------
 1 file changed, 280 deletions(-)
 delete mode 100644 vendor/github.com/google/safehtml/template/error.go

(limited to 'vendor/github.com/google/safehtml/template/error.go')

diff --git a/vendor/github.com/google/safehtml/template/error.go b/vendor/github.com/google/safehtml/template/error.go
deleted file mode 100644
index fe7821433..000000000
--- a/vendor/github.com/google/safehtml/template/error.go
+++ /dev/null
@@ -1,280 +0,0 @@
-// Copyright 2017 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package template
-
-import (
-	"fmt"
-	"text/template/parse"
-)
-
-// Error describes a problem encountered during template Escaping.
-type Error struct {
-	// ErrorCode describes the kind of error.
-	ErrorCode ErrorCode
-	// Node is the node that caused the problem, if known.
-	// If not nil, it overrides Name and Line.
-	Node parse.Node
-	// Name is the name of the template in which the error was encountered.
-	Name string
-	// Line is the line number of the error in the template source or 0.
-	Line int
-	// Description is a human-readable description of the problem.
-	Description string
-}
-
-// ErrorCode is a code for a kind of error.
-type ErrorCode int
-
-// We define codes for each error that manifests while escaping templates, but
-// escaped templates may also fail at runtime.
-//
-// Output: "ZgotmplZ"
-// Example:
-//   <img src="{{.X}}">
-//   where {{.X}} evaluates to `javascript:...`
-// Discussion:
-//   "ZgotmplZ" is a special value that indicates that unsafe content reached a
-//   CSS or URL context at runtime. The output of the example will be
-//     <img src="#ZgotmplZ">
-//   If the data comes from a trusted source, use content types to exempt it
-//   from filtering: URL(`javascript:...`).
-const (
-	// OK indicates the lack of an error.
-	OK ErrorCode = iota
-
-	// ErrAmbigContext: "... appears in an ambiguous context within a URL"
-	// Example:
-	//   <a href="
-	//      {{if .C}}
-	//        /path/
-	//      {{else}}
-	//        /search?q=
-	//      {{end}}
-	//      {{.X}}
-	//   ">
-	// Discussion:
-	//   {{.X}} is in an ambiguous URL context since, depending on {{.C}},
-	//  it may be either a URL suffix or a query parameter.
-	//   Moving {{.X}} into the condition removes the ambiguity:
-	//   <a href="{{if .C}}/path/{{.X}}{{else}}/search?q={{.X}}">
-	ErrAmbigContext
-
-	// ErrBadHTML: "expected space, attr name, or end of tag, but got ...",
-	//   "... in unquoted attr", "... in attribute name"
-	// Example:
-	//   <a href = /search?q=foo>
-	//   <href=foo>
-	//   <form na<e=...>
-	//   <option selected<
-	// Discussion:
-	//   This is often due to a typo in an HTML element, but some runes
-	//   are banned in tag names, attribute names, and unquoted attribute
-	//   values because they can tickle parser ambiguities.
-	//   Quoting all attributes is the best policy.
-	ErrBadHTML
-
-	// ErrBranchEnd: "{{if}} branches end in different contexts"
-	// Example:
-	//   {{if .C}}<a href="{{end}}{{.X}}
-	// Discussion:
-	//   Package html/template statically examines each path through an
-	//   {{if}}, {{range}}, or {{with}} to escape any following pipelines.
-	//   The example is ambiguous since {{.X}} might be an HTML text node,
-	//   or a URL prefix in an HTML attribute. The context of {{.X}} is
-	//   used to figure out how to escape it, but that context depends on
-	//   the run-time value of {{.C}} which is not statically known.
-	//
-	//   The problem is usually something like missing quotes or angle
-	//   brackets, or can be avoided by refactoring to put the two contexts
-	//   into different branches of an if, range or with. If the problem
-	//   is in a {{range}} over a collection that should never be empty,
-	//   adding a dummy {{else}} can help.
-	ErrBranchEnd
-
-	// ErrEndContext: "... ends in a non-text context: ..."
-	// Examples:
-	//   <div
-	//   <div title="no close quote>
-	//   <script>f()
-	// Discussion:
-	//   Executed templates should produce a DocumentFragment of HTML.
-	//   Templates that end without closing tags will trigger this error.
-	//   Templates that should not be used in an HTML context or that
-	//   produce incomplete Fragments should not be executed directly.
-	//
-	//   {{define "main"}} <script>{{template "helper"}}</script> {{end}}
-	//   {{define "helper"}} document.write(' <div title=" ') {{end}}
-	//
-	//   "helper" does not produce a valid document fragment, so should
-	//   not be Executed directly.
-	ErrEndContext
-
-	// ErrNoSuchTemplate: "no such template ..."
-	// Examples:
-	//   {{define "main"}}<div {{template "attrs"}}>{{end}}
-	//   {{define "attrs"}}href="{{.URL}}"{{end}}
-	// Discussion:
-	//   Package html/template looks through template calls to compute the
-	//   context.
-	//   Here the {{.URL}} in "attrs" must be treated as a URL when called
-	//   from "main", but you will get this error if "attrs" is not defined
-	//   when "main" is parsed.
-	ErrNoSuchTemplate
-
-	// ErrOutputContext: "cannot compute output context for template ..."
-	// Examples:
-	//   {{define "t"}}{{if .T}}{{template "t" .T}}{{end}}{{.H}}",{{end}}
-	// Discussion:
-	//   A recursive template does not end in the same context in which it
-	//   starts, and a reliable output context cannot be computed.
-	//   Look for typos in the named template.
-	//   If the template should not be called in the named start context,
-	//   look for calls to that template in unexpected contexts.
-	//   Maybe refactor recursive templates to not be recursive.
-	ErrOutputContext
-
-	// ErrPartialCharset: "unfinished JS regexp charset in ..."
-	// Example:
-	//     <script>var pattern = /foo[{{.Chars}}]/</script>
-	// Discussion:
-	//   Package html/template does not support interpolation into regular
-	//   expression literal character sets.
-	ErrPartialCharset
-
-	// ErrPartialEscape: "unfinished escape sequence in ..."
-	// Example:
-	//   <script>alert("\{{.X}}")</script>
-	// Discussion:
-	//   Package html/template does not support actions following a
-	//   backslash.
-	//   This is usually an error and there are better solutions; for
-	//   example
-	//     <script>alert("{{.X}}")</script>
-	//   should work, and if {{.X}} is a partial escape sequence such as
-	//   "xA0", mark the whole sequence as safe content: JSStr(`\xA0`)
-	ErrPartialEscape
-
-	// ErrRangeLoopReentry: "on range loop re-entry: ..."
-	// Example:
-	//   <script>var x = [{{range .}}'{{.}},{{end}}]</script>
-	// Discussion:
-	//   If an iteration through a range would cause it to end in a
-	//   different context than an earlier pass, there is no single context.
-	//   In the example, there is missing a quote, so it is not clear
-	//   whether {{.}} is meant to be inside a JS string or in a JS value
-	//   context. The second iteration would produce something like
-	//
-	//     <script>var x = ['firstValue,'secondValue]</script>
-	ErrRangeLoopReentry
-
-	// ErrSlashAmbig: '/' could start a division or regexp.
-	// Example:
-	//   <script>
-	//     {{if .C}}var x = 1{{end}}
-	//     /-{{.N}}/i.test(x) ? doThis : doThat();
-	//   </script>
-	// Discussion:
-	//   The example above could produce `var x = 1/-2/i.test(s)...`
-	//   in which the first '/' is a mathematical division operator or it
-	//   could produce `/-2/i.test(s)` in which the first '/' starts a
-	//   regexp literal.
-	//   Look for missing semicolons inside branches, and maybe add
-	//   parentheses to make it clear which interpretation you intend.
-	ErrSlashAmbig
-
-	// ErrPredefinedEscaper: "predefined escaper ... disallowed in template"
-	// Example:
-	//   <div class={{. | html}}>Hello<div>
-	// Discussion:
-	//   Package html/template already contextually escapes all pipelines to
-	//   produce HTML output safe against code injection. Manually escaping
-	//   pipeline output using the predefined escapers "html" or "urlquery" is
-	//   unnecessary, and may affect the correctness or safety of the escaped
-	//   pipeline output in Go 1.8 and earlier.
-	//
-	//   In most cases, such as the given example, this error can be resolved by
-	//   simply removing the predefined escaper from the pipeline and letting the
-	//   contextual autoescaper handle the escaping of the pipeline. In other
-	//   instances, where the predefined escaper occurs in the middle of a
-	//   pipeline where subsequent commands expect escaped input, e.g.
-	//     {{.X | html | makeALink}}
-	//   where makeALink does
-	//     return `<a href="`+input+`">link</a>`
-	//   consider refactoring the surrounding template to make use of the
-	//   contextual autoescaper, i.e.
-	//     <a href="{{.X}}">link</a>
-	//
-	//   To ease migration to Go 1.9 and beyond, "html" and "urlquery" will
-	//   continue to be allowed as the last command in a pipeline. However, if the
-	//   pipeline occurs in an unquoted attribute value context, "html" is
-	//   disallowed. Avoid using "html" and "urlquery" entirely in new templates.
-	ErrPredefinedEscaper
-
-	// ErrEscapeAction: "cannot escape action ..."
-	// Discussion:
-	//   Error returned while escaping an action using EscaperForContext.
-	//   Refer to error message for more details.
-	// TODO: remove this error type and replace it with more informative sanitization errors.
-	ErrEscapeAction
-
-	// ErrCSPCompatibility: `"javascript:" URI disallowed for CSP compatibility`,
-	//   "inline event handler ... is disallowed for CSP compatibility
-	// Examples:
-	//   <span onclick="doThings();">A thing.</span>
-	//   <a href="javascript:linkClicked()">foo</a>
-	// Discussion:
-	//   Inline event handlers (onclick="...", onerror="...") and
-	//   <a href="javascript:..."> links can be used to run scripts,
-	//   so an attacker who finds an XSS bug could inject such HTML
-	//   and execute malicious JavaScript. These patterns must be
-	//   refactored into safer alternatives for compatibility with
-	//   Content Security Policy (CSP).
-	//
-	//   For example, the following HTML that contains an inline event handler:
-	//     <script> function doThings() { ... } </script>
-	//     <span onclick="doThings();">A thing.</span>
-	//   can be refactored into:
-	//     <span id="things">A thing.</span>
-	//     <script nonce="${nonce}">
-	//     document.addEventListener('DOMContentLoaded', function () {
-	//       document.getElementById('things')
-	//               .addEventListener('click', function doThings() { ... });
-	//     });
-	//     </script>
-	//
-	//   Likewise, the following HTML containng a javascript: URI:
-	//     <a href="javascript:linkClicked()">foo</a>
-	//   can be refactored into:
-	//     <a id="foo">foo</a>
-	//     <script nonce="${nonce}">
-	//     document.addEventListener('DOMContentLoaded', function () {
-	//       document.getElementById('foo')
-	//               .addEventListener('click', linkClicked);
-	//     });
-	//     </script>
-	ErrCSPCompatibility
-	// All JS templates inside script literals have to be balanced; otherwise a concatenation such as
-	// <script>alert(`x{{.data}}`</script> can contain XSS if data contains user-controlled escaped strings (e.g. as JSON).
-	ErrUnbalancedJsTemplate
-)
-
-func (e *Error) Error() string {
-	switch {
-	case e.Node != nil:
-		loc, _ := (*parse.Tree)(nil).ErrorContext(e.Node)
-		return fmt.Sprintf("html/template:%s: %s", loc, e.Description)
-	case e.Line != 0:
-		return fmt.Sprintf("html/template:%s:%d: %s", e.Name, e.Line, e.Description)
-	case e.Name != "":
-		return fmt.Sprintf("html/template:%s: %s", e.Name, e.Description)
-	}
-	return "html/template: " + e.Description
-}
-
-// errorf creates an error given a format string f and args.
-// The template Name still needs to be supplied.
-func errorf(k ErrorCode, node parse.Node, line int, f string, args ...interface{}) *Error {
-	return &Error{k, node, "", line, fmt.Sprintf(f, args...)}
-}
-- 
cgit mrf-deployment