* Ian Davis <m...@iandavis.com> [161111 06:04]:
> On Fri, Nov 11, 2016, at 09:21 AM, Marvin Renich wrote:
> 
> > the Execute method escapes the first character ('<' in "<?xml") to be
> > "&lt;".  This seems wrong to me, both logically and according to the
> > documentation, which states in the fourth paragraph under Overview for
> > text/template:
> > 
> >   all text outside actions is copied to the output unchanged.
> > 
> > Templates are assumed to be written by trusted authors, and don't need
> > sanitizing; only the substitution data needs escaping.
> > 
> > I don't have a github account.  If nobody disagrees that this is a bug,
> > will someone please file an issue?
> 
> 
> html/template is only designed for use with html output. It understands
> the html model and sanitizes the template according to those rules.
> You'll need to use text/template for xml.

While I understand that the html/template package is intended for html,
much of the escaping it does is appropriate for certain classes of xml
(including rss.xml, which is my particular use case atm).

My issue is that the documentation explicitly says that text outside of
actions is copied verbatim, and this is the only reasonable behavior, in
my opinion.  The template author has control of, and is responsible for,
the content of the template.  Trying to "fix" his/her mistakes is wrong.
Only the contents of the data should have any sanitizing performed on
it.

The current behavior contradicts the explicitly stated security model:

  This package assumes that template authors are trusted, that Execute's
  data parameter is not, and seeks to preserve the properties below in
  the face of untrusted data

and two paragraphs later:

  "... only code specified by the template author should run as a result
  of injecting the template output into a page and all code specified by
                                                   ^^^
  the template author should run as a result of the same."

With the data, the program author can explicitly override the
sanitization by casting a string to template.HTML.  Neither the program
author nor the template author can prevent Execute from changing the
text outside of actions when it shouldn't (without significant extra
kludges).

...Marvin
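As an added illustration of the two behaviours discussed in this thread (example code, not from the original post or the Go project): a constructed RSS-style template is run through html/template, which rewrites the `<` of `<?xml` to `&lt;`, and through text/template, which copies the prolog verbatim but also copies untrusted data verbatim. The third function shows the data being escaped explicitly with encoding/xml.EscapeText through a FuncMap helper named `xmlesc`, a name assumed here.

```go
package main

import (
	"bytes"
	"encoding/xml"
	htmltemplate "html/template"
	"io"
	texttemplate "text/template"
)

// Constructed RSS-style template: an XML prolog, then one item whose title
// comes from untrusted data. "xmlesc" is a hypothetical FuncMap helper defined below.
const feedSrc = `<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"><channel><item><title>{{.Title}}</title></item></channel></rss>`
const feedEscapedSrc = `<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"><channel><item><title>{{xmlesc .Title}}</title></item></channel></rss>`

var sample = struct{ Title string }{Title: `Tom & Jerry <b>live</b>`} // constructed untrusted input

// executor is satisfied by both *html/template.Template and *text/template.Template.
type executor interface {
	Execute(w io.Writer, data interface{}) error
}

func render(t executor) (string, error) {
	var buf bytes.Buffer
	err := t.Execute(&buf, sample)
	return buf.String(), err
}

// RenderHTMLTemplate: html/template's escaper sees the '<' of "<?xml" as loose
// text, not a tag, and rewrites it to "&lt;", which breaks the XML prolog.
func RenderHTMLTemplate() (string, error) {
	return render(htmltemplate.Must(htmltemplate.New("feed").Parse(feedSrc)))
}

// RenderTextTemplate copies the template text verbatim, but copies the data verbatim too.
func RenderTextTemplate() (string, error) {
	return render(texttemplate.Must(texttemplate.New("feed").Parse(feedSrc)))
}

// RenderTextTemplateEscaped keeps the prolog intact and escapes only the data,
// using encoding/xml.EscapeText through a FuncMap entry.
func RenderTextTemplateEscaped() (string, error) {
	funcs := texttemplate.FuncMap{"xmlesc": func(s string) (string, error) {
		var b bytes.Buffer
		err := xml.EscapeText(&b, []byte(s))
		return b.String(), err
	}}
	return render(texttemplate.Must(texttemplate.New("feed").Funcs(funcs).Parse(feedEscapedSrc)))
}
```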