valyala / quicktemplate

Fast, powerful, yet easy to use template engine for Go. Optimized for speed, zero memory allocations in hot paths. Up to 20x faster than html/template


HTML Encoding happens even when equal signs are being used to turn off encoding

marcsantiago opened this issue · comments

The code seems to still encode HTML entities even when specifying that escaping should not happen with the equal sign ({%s= text %}). It seems the issue is with the file below, which ignores that encoding should be turned off and forces encoding of these characters: <, >, ", \, &

https://github.com/timehop/nimbus/blob/1127cdc80453fe87ff9a1c33a48114e995f14bb9/vendor/github.com/valyala/quicktemplate/htmlescapewriter.go#L12

The Go standard html/template does this correctly. When you specify a string as template.HTML it does encode ampersands or any other HTML entity, as we've explicitly turned that off.

Whereas with quicktemplate {%s= text %} works for everything but <, >, ", \, &

package main

import (
	"fmt"
	"html/template"
	"log"
	"os"
)

func main() {
	check := func(err error) {
		if err != nil {
			log.Fatal(err)
		}
	}

	markup := `<img src="foobar.com?key=value&key2=value2&key3=value3">`
	t, err := template.New("foo").Parse(`{{define "T"}}Hello, {{.}}!{{end}}`)
	check(err)

	// A plain string in HTML text context is escaped, e.g. & -> &amp;, < -> &lt;
	err = t.ExecuteTemplate(os.Stdout, "T", markup)
	check(err)
	fmt.Printf("\n\n")
	// template.HTML marks the value as trusted markup, so it is written verbatim: & -> &
	err = t.ExecuteTemplate(os.Stdout, "T", template.HTML(markup))
	check(err)
}

[Screenshot attached: Screen Shot 2021-06-11 at 12 32 29 PM]
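To make the comparison the report draws concrete, here is an added example (it is neither part of the original report nor quicktemplate's own code) that uses only html/template from the standard library. RenderEscaped plays the role of quicktemplate's {%s text %} and RenderRaw the role of {%s= text %}; the function names, the helper imgTmpl template and the constructed inputs are this example's own. It also shows the caveat that comes with the raw path: template.HTML switches escaping off for the whole value, so if any part of that value is attacker-controlled it must be escaped before the value is marked safe. SafeImg does that by keeping the markup in the template and letting the engine escape only the attribute value.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"log"
)

// page is the one-line template from the issue's reproduction. {{.}} sits in
// HTML text context, so html/template escapes the value unless its type says
// it is already safe markup.
var page = template.Must(template.New("T").Parse(`Hello, {{.}}!`))

// imgTmpl is a hypothetical helper template (this example's own) that owns the
// <img> markup and leaves only the src attribute value to be filled in, and
// escaped, by the engine.
var imgTmpl = template.Must(template.New("img").Parse(`<img src="{{.}}">`))

// render executes t with v and returns the output as a string.
func render(t *template.Template, v interface{}) (string, error) {
	var buf bytes.Buffer
	if err := t.Execute(&buf, v); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// RenderEscaped is the html/template counterpart of quicktemplate's
// {%s text %}: a plain string is HTML-escaped on output (& -> &amp;, < -> &lt;,
// " -> &#34;, and so on).
func RenderEscaped(s string) (string, error) {
	return render(page, s)
}

// RenderRaw is the counterpart of {%s= text %}: template.HTML declares the
// value to be trusted markup, so it is written verbatim, tags included. Feeding
// attacker-controlled text through here is a stored or reflected XSS.
func RenderRaw(s string) (string, error) {
	return render(page, template.HTML(s))
}

// SafeImg builds an <img> tag from an untrusted src without marking the
// untrusted part as safe. The src attribute is a URL context, so the engine
// percent-encodes quotes and angle brackets and turns & into &amp;; only the
// finished tag, whose markup came from the template, is typed template.HTML
// so it can be embedded verbatim elsewhere.
func SafeImg(src string) (template.HTML, error) {
	out, err := render(imgTmpl, src)
	return template.HTML(out), err
}

func main() {
	// Constructed inputs: the markup from the issue and an attacker-style
	// payload that tries to break out of an attribute.
	markup := `<img src="foobar.com?key=value&key2=value2&key3=value3">`
	payload := `"><script>alert(1)</script>`

	for _, s := range []string{markup, payload} {
		esc, err := RenderEscaped(s)
		if err != nil {
			log.Fatal(err)
		}
		raw, err := RenderRaw(s)
		if err != nil {
			log.Fatal(err)
		}
		img, err := SafeImg(s)
		if err != nil {
			log.Fatal(err)
		}
		fmt.Printf("{%%s  %%} style: %s\n", esc)
		fmt.Printf("{%%s= %%} style: %s\n", raw) // the payload arrives as live script
		fmt.Printf("escaped at the attribute only: %s\n\n", img)
	}
}
```

The rule of thumb the example encodes: use the escaping form ({%s %}, or a plain string in html/template) by default, and reserve the raw form ({%s= %}, template.HTML) for markup whose every byte came from your own code or from a renderer that already escaped the untrusted parts, as SafeImg does.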

Closing, this is my mistake