
html/template: add helper functions for type conversion #16058

Closed
localvar opened this issue Jun 14, 2016 · 3 comments

Comments

@localvar

I have a template like below

...
<script>
    var opts = {{.Config}};
</script>
...

where .Config is a JSON string like {"a":123,"b":"333"}, but because the type of .Config is string, the result becomes:

...
<script>
    var opts = "{\"a\":123,\"b\":\"333\"}";
</script>
...

Because I don't own the code, I cannot change the type of .Config to template.JS, so I added a function ToJS to fix the issue:

tpl.Funcs(template.FuncMap{
    "ToJS": func(v string) template.JS {
        return template.JS(v)
    },
})

and changed my template to:

...
<script>
    var opts = {{ToJS .Config}};
</script>
...

My suggestion is: could we add several helper functions to html/template to help convert strings to types like template.JS, template.HTML, template.CSS, etc.? This would make the package much easier to use.

@ianlancetaylor ianlancetaylor added this to the Unplanned milestone Jun 14, 2016

rsc commented Oct 19, 2016

You're asking for a magic override to say "I am sure this is JavaScript, just stuff it here please". This package used to provide a builtin called "noescape" that basically did this, but we decided it was too dangerous, that it made it too easy for people to write unsafe templates, to bypass the template system instead of working with it. This was removed as #3528.

The cost of having to write something like ToJS is intentional here. Hopefully at the same time you will read the docs for JS and think about the security implications.

Specifically:

Use of this type presents a security risk: the encapsulated content should
come from a trusted source, as it will be included verbatim in the template
output.

Using JS to include valid but untrusted JSON is not safe. A safe alternative
is to parse the JSON with json.Unmarshal and then pass the resultant object
into the template, where it will be converted to sanitized JSON when
presented in a JavaScript context.

/cc @mikesamuel

@rsc rsc closed this as completed Oct 19, 2016
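The three behaviours rsc contrasts above, shown side by side as an added example (not code from the issue or from the Go project): passing the raw string, wrapping it in template.JS as the ToJS helper does, and the recommended route of json.Unmarshal first. The sample config value is constructed here and deliberately contains a closing script tag so the difference is visible.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"html/template"
)

// Constructed sample: valid JSON whose string field carries a closing
// script tag, i.e. the kind of value that must not be trusted verbatim.
const configJSON = `{"a":123,"b":"</script><script>alert(1)</script>"}`

// Same shape as the template in the issue, collapsed to one line.
const page = `<script>var opts = {{.Config}};</script>`

// render executes the page template with the given value bound to .Config.
func render(config interface{}) (string, error) {
	t := template.Must(template.New("page").Parse(page))
	var buf bytes.Buffer
	if err := t.Execute(&buf, map[string]interface{}{"Config": config}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// RenderAsString passes the raw string: html/template emits an escaped
// JS string literal, so opts is a string rather than an object.
func RenderAsString() (string, error) { return render(configJSON) }

// RenderAsJS mirrors the ToJS helper: template.JS is inserted verbatim,
// closing script tag included, so the page is broken out of.
func RenderAsJS() (string, error) { return render(template.JS(configJSON)) }

// RenderUnmarshalled is the alternative rsc quotes: parse the JSON first
// and hand the value to the template, which re-serialises it as
// sanitised JSON (angle brackets become \u003c / \u003e) in JS context.
func RenderUnmarshalled() (string, error) {
	var v interface{}
	if err := json.Unmarshal([]byte(configJSON), &v); err != nil {
		return "", err
	}
	return render(v)
}

func main() {
	for _, f := range []func() (string, error){RenderAsString, RenderAsJS, RenderUnmarshalled} {
		out, err := f()
		fmt.Println(out, err)
	}
}
```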
@mikesamuel

Can .Config not be passed as a value of type JS?

@mikesamuel

OK. I see the ownership issue. I agree that adding such functions is a bad idea.

@golang golang locked and limited conversation to collaborators Oct 20, 2017