Don't treat BOM escape sequence as hidden character. (#18909) (#18910)

* Don't treat BOM escape sequence as hidden character. (#18909) Backport #18909
2025-07-22 18:28:37 +00:00 · 2022-02-26 22:15:04 +00:00
parent df35049196
commit 4fb718d405
2 changed files with 27 additions and 5 deletions
--- a/modules/charset/escape.go
+++ b/modules/charset/escape.go
@@ -63,6 +63,7 @@ func EscapeControlBytes(text []byte) (EscapeStatus, []byte) {
 func EscapeControlReader(text io.Reader, output io.Writer) (escaped EscapeStatus, err error) {
 	buf := make([]byte, 4096)
 	readStart := 0
+	runeCount := 0
 	var n int
 	var writePos int

@@ -79,6 +80,8 @@ readingloop:

 		for i < len(bs) {
 			r, size := utf8.DecodeRune(bs[i:])
+			runeCount++
+
 			// Now handle the codepoints
 			switch {
 			case r == utf8.RuneError:
@@ -113,6 +116,8 @@ readingloop:
 				lineHasRTLScript = false
 				lineHasLTRScript = false

+			case runeCount == 1 && r == 0xFEFF: // UTF BOM
+				// the first BOM is safe
 			case r == '\r' || r == '\t' || r == ' ':
 				// These are acceptable control characters and space characters
 			case unicode.IsSpace(r):
@@ -144,7 +149,8 @@ readingloop:
 					return
 				}
 				writePos = i + size
-			case unicode.Is(unicode.C, r):
+			// 65279 == BOM rune.
+			case unicode.Is(unicode.C, r) && r != rune(65279):
 				escaped.Escaped = true
 				escaped.HasControls = true
 				if writePos < i {