Hi,

Using html/template I need to write an un-escaped value within a node 
attribute.

I'm happy to use html/template for the added security layer, 
but here I feel like something is wrong.

There's a template with a safe func
  tmpl = template.New("")
  tmpl.Funcs(map[string]interface{}{
    "safe": func(some string) template.HTML {
      return template.HTML(some)
    },
    "safeattr": func(some string) template.HTMLAttr {
      return template.HTMLAttr(some)
    },
  })

Which parses this template

tmpl.Parse(`
<div 
attr="{{.Some | safe}}"
attr="{{.Some | safeattr}}"
>{{.Some | safe}}</div>

<div 
attr="{{.Some}}"
attr="{{.Some}}"
>{{.Some}}</div>
`)

And executes this data
    s := struct{ Some string }{Some: "rrr <"}
    tmpl.Execute(os.Stdout, s)

The result is this one

<div 
attr="rrr &lt;" 
attr="rrr &lt;" 
>rrr <</div> 

<div 
attr="rrr &lt;" 
attr="rrr &lt;" 
>rrr &lt;</div>

In the first div node, the < character is correctly un-escaped within the 
node content, 
but the attribute is always escaped which is not expected.

See the play here https://play.golang.org/p/djfHUHZnSQ

Can you help?

Thanks
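
An added example, not part of the original post: it renders the post's value in a quoted attribute value and in tag context to show where html/template entity-encodes a typed string and where it emits template.HTMLAttr verbatim. The helper `render`, the function names and the `breakout` sample are assumptions made for this example.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
)

// render parses src, executes it with data and returns the output.
// Hypothetical helper for this example only.
func render(src string, data interface{}) string {
	var buf bytes.Buffer
	t := template.Must(template.New("t").Parse(src))
	if err := t.Execute(&buf, data); err != nil {
		return "error: " + err.Error()
	}
	return buf.String()
}

const (
	some     = `rrr <`               // value used in the post
	breakout = `x" data-injected="1` // constructed: tries to close the attribute
)

// Inside a quoted attribute value every type is entity-encoded, so the
// value cannot end the attribute; template.HTML/HTMLAttr do not change that.
func valueAsHTML() string     { return render(`<div attr="{{.}}"></div>`, template.HTML(some)) }
func valueAsHTMLAttr() string { return render(`<div attr="{{.}}"></div>`, template.HTMLAttr(some)) }
func valueBreakout() string   { return render(`<div attr="{{.}}"></div>`, breakout) }

// In tag context HTMLAttr is emitted verbatim: it stands for a whole
// name="value" pair from a trusted source, so the caller owns its safety.
func wholeAttrTrusted() string {
	return render(`<div {{.}}></div>`, template.HTMLAttr(`attr="`+some+`"`))
}

// A plain string in the same position is replaced by the ZgotmplZ failsafe.
func wholeAttrPlain() string { return render(`<div {{.}}></div>`, `attr="`+some+`"`) }

func main() {
	for _, out := range []string{valueAsHTML(), valueAsHTMLAttr(),
		valueBreakout(), wholeAttrTrusted(), wholeAttrPlain()} {
		fmt.Println(out)
	}
}
```

The browser decodes `&lt;` in an attribute value back to `<`, so the escaped form already carries the original value; only the tag-context HTMLAttr case skips escaping, and it should never receive untrusted input.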
