--
You received this message because you are subscribed to the Google Groups "golang-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to golang-dev+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
SGTMYou should also update the docs onwith a pointer to the better way.
> To better prepare users for upcoming improvements to inlining
Sorry this is slightly off the topic of this thread, but are you referring to mid-stack inlining? I thought that was targeted for 1.9? (Though looking at the release notes I see no mention of it, now.)
Okay. I'll send something once I figure out where to put it in the document. :)On Thu, Jul 6, 2017 at 11:52 AM, Brad Fitzpatrick <brad...@golang.org> wrote:SGTMYou should also update the docs onwith a pointer to the better way.This is documented at https://tip.golang.org/pkg/runtime/#Callers, since that's the entry point to trouble. I suppose FuncForPC could say what happens if there are multiple inlined frames at pc...
On Thu, Jul 6, 2017 at 8:47 AM, Austin Clements <aus...@google.com> wrote:
To better prepare users for upcoming improvements to inlining, should the release notes more prominently encourage using runtime.CallersFrames instead of directly inspecting the slice returned by runtime.Callers? CallersFrames has been available for a few releases now, but we've never been very loud about using it.
On Thu, Jul 6, 2017 at 10:33 AM, Brad Fitzpatrick <brad...@golang.org> wrote:
Please do a final read of the Go 1.9 release notes:
--
You received this message because you are subscribed to the Google Groups "golang-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to golang-dev+...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "golang-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to golang-dev+...@googlegroups.com.
--
You received this message because you are subscribed to the Google Groups "golang-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to golang-dev+unsubscribe@googlegroups.com.
NOTE: this is a backward-incompatible change that fixes known security bugs (see linked issues for more details). It will explicitly break users that attempt to execute templates with pipelines containing predefined escapers.
IMHO the Go 1.9 release notes should prominently mention that the html/template changes are backward-incompatible.
The package now reports an error if a predefined escaper (one of "html", "urlquery" and "js") is found in a pipeline and does not match what the auto-escaper would have decided on its own. This avoids certain security or correctness issues. Now use of one of these escapers is always either a no-op or an error. (The no-op case eases migration from text/template.)
IMHO the Go 1.9 release notes should prominently mention that the html/template changes are backward-incompatible.Ack, this is probably a good idea.
On Thursday, August 10, 2017 at 8:47:58 AM UTC-7, Karsten Weiss wrote:IMHO the Go 1.9 release notes should prominently mention that the html/template changes are backward-incompatible. Quoting one of the html/template commit messages:NOTE: this is a backward-incompatible change that fixes known security bugs (see linked issues for more details). It will explicitly break users that attempt to execute templates with pipelines containing predefined escapers.
E.g. I found the following regression testing Prometheus v1.7.1 compiled with go1.9rc2:
Issue #3046 : targets.html: predefined escaper "html" disallowed in template (with go1.9rc2)
(Sorry, I can't send a patch myself this time.)
--
The difference is that the commit you found suggests they're taken out entirely, and they're not. They're rejected where they're incorrect and unsafe.