html/template: <script> tags with type "text/template" now escapes EJS templates #18569

Open
anthonybishopric opened this Issue Jan 9, 2017 · 4 comments

Projects

None yet

5 participants

@anthonybishopric

Please answer these questions before submitting your issue. Thanks!

What version of Go are you using (go version)?

Go 1.8

What operating system and processor architecture are you using (go env)?

GOARCH="amd64"
GOBIN=""
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/go"
GORACE=""
GOROOT="/usr/local/go"
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GCCGO="gccgo"
CC="gcc"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build705350648=/tmp/go-build -gno-record-gcc-switches"
CXX="g++"
CGO_ENABLED="1"
PKG_CONFIG="pkg-config"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"

What did you do?

When emitting an EJS template (interpolation happens through the <%= directive) inside a Golang HTML template, the <%= is escaped to &lt;%=. This does not happen on versions of Go < 1.8. The following play.golang.org link works as expected.

https://play.golang.org/p/BXzy9OWSSq

What did you expect to see?

  <script id="new-key" type="text/template">
      <tr class="api-key">
        <td class="api-key-cell"><%= key %></td>
      </tr>
   </script>

What did you see instead?

  <script id="new-key" type="text/template">
      <tr class="api-key">
        <td class="api-key-cell">&lt;%= key %></td>
      </tr>
   </script>

I'm content with this being a desired security addition to Golang HTML templates, but I wanted to raise this as an issue for existing users who embed Javascript templates into their Golang templates.

@titanous
Member
titanous commented Jan 9, 2017

This appears to have been intentionally implemented in ffd1c78 (https://golang.org/cl/14336) by @rsc

@kennygrant
Contributor
kennygrant commented Jan 12, 2017 edited

One possible workaround is to insert a template data key to insert the script type at evaluation time (tested on 1.8rc1)

https://play.golang.org/p/HbcDfwbXwq

this outputs the html you want without escaping on 1.8rc1.

<td class="api-key-cell"><%= key %></td>

@anthonybishopric

@kennygrant that might be acceptable for smaller projects, but I have a number of these templates and also rely on some amount of template interpolation within them too. Consider:

<script type="text/template" id="form-template">
    <form class="new-form" path="/resource/{{.Id}}">
         <div><%= key %></div>    
    </form>
</script>
@bradfitz bradfitz added this to the Go1.8Maybe milestone Jan 12, 2017
@rsc rsc was assigned by bradfitz Jan 12, 2017
@bradfitz
Member

Assigning to @rsc to decide whether this is an acceptable change/regression for Go 1.8.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment