You're asking for a magic override to say "I am sure this is JavaScript, just stuff it here please". This package used to provide a builtin called "noescape" that basically did this, but we decided it was too dangerous, that it made it too easy for people to write unsafe templates, to bypass the template system instead of working with it. This was removed as #3528.
The cost of having to write something like ToJS is intentional here. Hopefully at the same time you will read the docs for JS and think about the security implications.
Specifically:
Use of this type presents a security risk: the encapsulated content should
come from a trusted source, as it will be included verbatim in the template
output.
Using JS to include valid but untrusted JSON is not safe. A safe alternative
is to parse the JSON with json.Unmarshal and then pass the resultant object
into the template, where it will be converted to sanitized JSON when
presented in a JavaScript context.
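The three behaviours described in the reply, shown side by side as an added example (this is not code from the issue or from the Go project). It assumes a one-line template that embeds .Config inside a script block; the toJS helper is a stand-in for the reporter's ToJS function (a plain cast to template.JS), and the two config strings are constructed sample inputs, the second one a valid JSON document whose string value carries a script-closing tag.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"html/template"
)

// Constructed sample inputs. The first is the benign config from the issue;
// the second is the same shape but with an attacker-controlled string value.
const (
	trustedConfig   = `{"a":123,"b":"333"}`
	untrustedConfig = `{"a":123,"b":"</script><script>alert(1)</script>"}`
)

const (
	// .Config is rendered in a JavaScript value context.
	tmplPlain = `<script>var cfg = {{.Config}};</script>`
	// Same context, but the value is first cast to template.JS.
	tmplToJS = `<script>var cfg = {{toJS .Config}};</script>`
)

// render executes one of the templates above with the given .Config value.
func render(tmpl string, config interface{}) (string, error) {
	t, err := template.New("page").Funcs(template.FuncMap{
		// Hypothetical helper modelled on the issue's ToJS: a bare cast, so
		// html/template inserts the string verbatim with no escaping.
		"toJS": func(s string) template.JS { return template.JS(s) },
	}).Parse(tmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, map[string]interface{}{"Config": config}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// RenderAsString is the default behaviour the reporter hit: a Go string in a
// JS context becomes a quoted JS string literal, not an object literal.
func RenderAsString(config string) (string, error) {
	return render(tmplPlain, config)
}

// RenderWithToJS is the cast the reporter added: whatever the string holds,
// including a closing </script> tag, lands in the page unchanged.
func RenderWithToJS(config string) (string, error) {
	return render(tmplToJS, config)
}

// RenderSafely is the alternative the template.JS docs recommend: parse the
// JSON first, then let html/template marshal the resulting value, which
// yields a JS object literal with <, > and & escaped as \u003c, \u003e, \u0026.
func RenderSafely(config string) (string, error) {
	var v interface{}
	if err := json.Unmarshal([]byte(config), &v); err != nil {
		return "", fmt.Errorf("config is not valid JSON: %w", err)
	}
	return render(tmplPlain, v)
}

func main() {
	for _, c := range []string{trustedConfig, untrustedConfig} {
		s, _ := RenderAsString(c)
		u, _ := RenderWithToJS(c)
		safe, _ := RenderSafely(c)
		fmt.Println("string:    ", s)
		fmt.Println("toJS:      ", u)
		fmt.Println("unmarshal: ", safe)
	}
}
```

The Unmarshal route also rejects input that is not JSON at all, which the cast never would; in practice that error is the check that tells you a "config" value was never the trusted JSON you assumed.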
I have a template like below, where .Config is a JSON string like {"a":123,"b":"333"}, but because the type of .Config is string, the result becomes:

Because I don't own the code, I cannot change the type of .Config to template.JS, so I added a function ToJS to fix the issue:

and changed my template to:

My suggestion is: could we add several helper functions to html/template to help convert string to types like template.JS, template.HTML, template.CSS, etc.? This would make the package much easier to use.