html/template: remove noescape support #3528

Closed
rsc opened this issue Apr 13, 2012 · 12 comments

rsc commented Apr 13, 2012

There is some magic surrounding functions named "noescape" in html/template.
This should be cleaned up and documented, or else removed.
I would prefer documenting it, since it is useful.

rsc commented Apr 13, 2012

Comment 1:

Also, how do you avoid query parameter escaping without 'noescape'?  Does the URL type
work for that?  If so, that should be documented.  If not, there should be a type that
does.


Comment 2 by mikesamuel:

> Also, how do you avoid query parameter escaping without 'noescape'.

The URL type
(http://code.google.com/p/go/source/browse/src/pkg/html/template/content.go#55) will
pass through query parameter escaping unchanged.

Relevant testcases:
 * http://code.google.com/p/go/source/browse/src/pkg/html/template/content_test.go#186
 * http://code.google.com/p/go/source/browse/src/pkg/html/template/content_test.go#199

The documentation for content types is pretty sparse since a full treatment was deemed
overkill.  The relevant docs are
http://code.google.com/p/go/source/browse/src/pkg/html/template/doc.go#145

> Types HTML, JS, URL, and others from content.go can carry safe content that is
> exempted from escaping.


rsc commented Apr 17, 2012

Comment 3:

I suggest revising the type doc for URL from saying
    URL encapsulates a known safe URL as defined in RFC 3896.
to saying
    URL encapsulates a known safe URL as defined in RFC 3896 or a URL substring.


Comment 4 by salviati.gnu:

ExecuteTemplate panicked with "function "noescape" not defined" when I tried to use it
like {{noescape .TrustedHTML}}.
Is there any way of directing a trusted code from a template at all?


minux commented Nov 1, 2012

Comment 5:

@salviati.gnu: The issue tracker is not for questions like this; you'd
better ask on the golang-nuts mailing list.
You can use the template.HTML type for known safe strings.
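
An added example, not part of the original thread or the Go project's code: it renders one constructed template first with plain strings and then with the `template.HTML` and `template.URL` types mentioned in comments 2 and 5, and checks what happens when a template calls `noescape` with no function of that name registered. The template text, the sample values and the helper names `render` and `parseNoescape` are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
)

// page is a constructed template with one action in HTML text context
// and one in the query part of a URL attribute.
const page = `<p>{{.Body}}</p><a href="/search?{{.Query}}">next</a>`

// render executes page with the given values and returns the output.
func render(body, query interface{}) (string, error) {
	t, err := template.New("page").Parse(page)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	data := map[string]interface{}{"Body": body, "Query": query}
	if err := t.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// parseNoescape parses a template that calls "noescape" without registering
// a function of that name and returns the resulting error.
func parseNoescape() error {
	_, err := template.New("x").Parse(`{{noescape .TrustedHTML}}`)
	return err
}

func main() {
	// Constructed sample values; in real code only values the application
	// itself vouches for should be converted to template.HTML or template.URL.
	markup, query := "<b>hi</b>", "q=a%20b"

	untyped, err := render(markup, query)
	fmt.Println(untyped, err) // plain strings: escaped for each context

	typed, err := render(template.HTML(markup), template.URL(query))
	fmt.Println(typed, err) // typed content: passed through as written

	fmt.Println(parseNoescape()) // parse error: the function is not defined
}
```

The conversion to `template.HTML` or `template.URL` is the point where the application asserts the value is safe, so it belongs in Go code next to whatever produced or sanitized the value.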


rsc commented Dec 9, 2012

Comment 6:

I made the doc change from comment #3. That leaves the question: document noescape and
add a function with that name by default, or remove the support for it.
@mikesamuel, any opinion?
I lean toward removing it.


rsc commented Dec 10, 2012

Comment 7:

Labels changed: added size-m.


Comment 8 by mikesamuel:

I lean towards removing it too.


rsc commented Dec 10, 2012

Comment 9:

Sounds good to me.


adg commented Jan 17, 2013

Comment 10:

https://golang.org/cl/7142048

Owner changed to @adg.

Status changed to Started.


adg commented Jan 17, 2013

Comment 11:

This issue was closed by revision c022943.

Status changed to Fixed.


Comment 12 by Raincious:

Good work!
Starting from this point, people had to reimplement it on their own in each of their
applications.
Thanks.

rsc added fixed labels Dec 6, 2014
rsc assigned adg Dec 6, 2014
rsc added this to the Go1.1 milestone Apr 14, 2015
rsc removed the go1.1 label Apr 14, 2015
rsc added a commit that referenced this issue May 11, 2015
««« backport fead9e11a489
html/template: fix URL doc

This is the easy part of issue 3528.
(What to do about "noescape" is the hard part, left open.)

Update #3528.

R=mikesamuel, r, dsymonds
CC=golang-dev
https://golang.org/cl/6493113

»»»
golang locked and limited conversation to collaborators Jun 24, 2016
rsc unassigned adg Jun 22, 2022