html/template: rewriting html/template files #17933
This is with Go 1.7.
It would be nice if it was easier to rewrite
I'm trying to make it easy to support CSP inline hashing in my templates without nagging users and requiring them to remember to use some custom funcs instead of the usual HTML. It'd also be nice to have form-based CSRF protection which would be implemented in a similar way. I'm sure there are other similar rewrites, but these security-focused ones were the first I've run into.
Both CSP inline hashing and form-based CSRF protection involve a developer adding additional attributes or elements to a template. In the CSP inline hashing case, it's an attribute or nonce added
It would be nice to be able to, at parse time, not execution time, pull apart a
In the form-based CSRF case, the template rewrite would be adding a
One problem is that
A second problem since some of those templates will be called in different escaping contexts, folks using
I haven't found a way to make my templates better without requiring the developer to handle more of what would otherwise be easily automated problems.
I'm not sure, yet, what kind of work it would take to make html/template easier for this purpose. Maybe if
Maybe other folks have clearer ideas.
We can't support expanding html/template's scope in this way. The escaping API is completely unclear, as are the security implications. The text/template/parse package says:
Our suggestion would be to fork html/template and revise the fork as needed.
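The parse-time CSP hashing idea from the issue, shown with exported APIs only. This is an added example, not code from the issue or from the Go project. The name `InlineScriptHashes`, the regexp-based script matching, and the sample template are assumptions made for illustration. It also assumes html/template emits static script text unchanged when the template executes, so compare a hash against rendered output before relying on it.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"html/template"
	"regexp"
	"strings"
	"text/template/parse"
)

// Constructed sample: one static inline script, one containing an action.
const sampleTmpl = `<script>console.log("static");</script>
<script>var user = {{.Name}};</script>`

const actionMark = "\x00" // stands in for any non-text template node
// Approximate matcher for inline script elements; not a full HTML parser.
var scriptRe = regexp.MustCompile(`(?is)<script[^>]*>(.*?)</script>`)

// InlineScriptHashes returns CSP hash sources for static inline scripts and counts dynamic ones.
func InlineScriptHashes(src string) (hashes []string, dynamic int, err error) {
	t, err := template.New("page").Parse(src)
	if err != nil {
		return nil, 0, err
	}
	var sb strings.Builder
	for _, n := range t.Tree.Root.Nodes { // top-level nodes of the parse tree
		if tn, ok := n.(*parse.TextNode); ok {
			sb.Write(tn.Text) // literal template text, known at parse time
		} else {
			sb.WriteString(actionMark) // action or control structure: treat as dynamic
		}
	}
	for _, m := range scriptRe.FindAllStringSubmatch(sb.String(), -1) {
		if strings.Contains(m[1], actionMark) {
			dynamic++ // body depends on execution-time data, so no static hash exists
			continue
		}
		sum := sha256.Sum256([]byte(m[1]))
		hashes = append(hashes, "'sha256-"+base64.StdEncoding.EncodeToString(sum[:])+"'")
	}
	return hashes, dynamic, nil
}

func main() {
	h, d, err := InlineScriptHashes(sampleTmpl)
	fmt.Println("script-src", strings.Join(h, " "), "| dynamic scripts:", d, "| err:", err)
}
```

Scripts counted as dynamic, including any that sit inside `{{if}}` or `{{range}}` blocks, get no hash and would need a nonce or a restructured template.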