proposal: html/template: export filters and escapers #70375
what exactly are you proposing? things like the html escaper are already public
They are, but I need other escapers & filters. So basically just renaming of:

```
func (*Template) escape() error -> func (*Template) Escape() error
func attrEscaper(...any) string -> func AttrEscaper(...any) string
func commentEscaper(...any) string -> func CommentEscaper(...any) string
func cssEscaper(...any) string -> func CSSEscaper(...any) string
func cssValueFilter(...any) string -> func CSSValueFilter(...any) string
func htmlNameFilter(...any) string -> func HTMLNameFilter(...any) string
func htmlEscaper(...any) string -> func HTMLEscaper(...any) string
func jsRegexpEscaper(...any) string -> func JSRegexpEscaper(...any) string
func jsStrEscaper(...any) string -> func JSStrEscaper(...any) string
func jsTmplLitEscaper(...any) string -> func JSTmplLitEscaper(...any) string
func jsValEscaper(...any) string -> func JSValEscaper(...any) string
func htmlNospaceEscaper(...any) string -> func HTMLNospaceEscaper(...any) string
func rcdataEscaper(...any) string -> func RCDataEscaper(...any) string
func srcsetFilterAndEscaper(...any) string -> func SrcsetFilterAndEscaper(...any) string
func urlEscaper(...any) string -> func URLEscaper(...any) string
func urlFilter(...any) string -> func URLFilter(...any) string
func urlNormalizer(...any) string -> func URLNormalizer(...any) string
```

to make them available from the outside code solves the issue.
It seems other packages do fine with implementing their own escapers, it's not clear to me that this is worth expanding the html/template API surface for this?

The current functions are already well-tested, ready for production, and get all necessary patches, especially security-related. P.S.
Proposal Details
I try to create a tool to translate text/template and html/template to go source code.
For example:
translates to smth like this:
Go has great escaping mechanism for html, but it's non-published API unfortunately.
From go v1.23 the `//go:linkname` directive is restricted, so it has made some things impossible. Re-implementing the whole escaping mechanism from scratch feels like a very bad option.

It's possible to enrich the template tree by calling the `html.template`'s `Execute` method, and it doesn't matter if it fails or not, cause the current implementation adds additional escapers before the actual execution. This trick works now, but could be broken at any moment, so it'd be great to publish the `escape` method https://cs.opensource.google/go/go/+/refs/tags/go1.23.3:src/html/template/template.go;l=96

The other huge problem is the unpublished filters and escapers themselves: https://cs.opensource.google/go/go/+/refs/tags/go1.23.3:src/html/template/escape.go;l=64

I couldn't find a way to call them w/o `//go:linkname`. It's possible to create a special template like `{{_html_template_attrescaper .}}` and execute it. It does work, but it's very slow. So it would be awesome to expose all the escapers from the `funcMap` variable.

These updates shouldn't break the API, but instead other tools can reuse it. It could be similar translators, or even other html template engines, cause escaping is the core part anyway.
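
The tree rewriting described in the post above, shown as an added example that is not part of the original issue or of the Go project's code: it prints the parse tree before and after the first `Execute`, so the context-specific escapers inserted into each pipeline become visible. The helper name `rewrittenTree` and the sample template are constructed for illustration, and the in-place rewrite is assumed from current behaviour rather than documented.

```go
package main

import (
	"errors"
	"fmt"
	"html/template"
	"io"
)

// Constructed sample: one action in each of four escaping contexts
// (element text, quoted attribute, URL attribute, script value).
const sample = `<p>{{.}}</p><a title="{{.}}" href="{{.}}">x</a>` +
	`<script>var v = {{.}};</script>`

// rewrittenTree (hypothetical helper) returns the parse tree as text before
// and after the first Execute. Only exported API is used, but the in-place
// rewrite it observes is an implementation detail, not a documented guarantee.
func rewrittenTree(src string) (before, after string, err error) {
	t, err := template.New("page").Parse(src)
	if err != nil {
		return "", "", err
	}
	before = t.Tree.Root.String()

	// Contextual escaping runs once, ahead of execution. A failure while
	// executing is ignored, but an escaping failure (*template.Error) means
	// the tree was not rewritten, so that one is reported to the caller.
	var escErr *template.Error
	if execErr := t.Execute(io.Discard, nil); errors.As(execErr, &escErr) {
		return before, "", escErr
	}
	return before, t.Tree.Root.String(), nil
}

func main() {
	before, after, err := rewrittenTree(sample)
	if err != nil {
		fmt.Println("escape failed:", err)
		return
	}
	fmt.Println("before:", before)
	fmt.Println("after: ", after)
}
```

A template that ends inside an attribute or script is rejected by the escaper itself, and in that case the helper returns the error instead of a tree that would look unescaped.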