fix(ui): preview-PNG data-URL must use template.URL type #90
Go html/template escapes "data:image/png;base64,..." in src= attributes
to "#ZgotmplZ" by default as a security guard against `data:text/html`
XSS vectors. PreviewURI was typed `string` in TemplateDetailData, so
the rendered Template-Detail-Page showed the escape marker instead of
the actual preview PNG.
Wrap the URI value in `template.URL` to mark it as already-safe. The
type is preserved through assignment so both the placeholder SVG path
and the data-URL flow correctly.
Regression test asserts the rendered body contains the data-URL prefix
AND does NOT contain the ZgotmplZ marker. Stub template extended to
render <img src="{{ .PreviewURI }}"> so the test catches the bug.
Closes #87
Refs #22
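As an added example (not code from this PR or the project), the following stand-alone Go program reproduces the behaviour the commit describes: the same `<img src="{{ .PreviewURI }}">` template rendered with the field typed `string` yields the `#ZgotmplZ` marker, while the field typed `template.URL` yields the data URL unchanged. The `safePreviewURI` gate, the `/static/` placeholder prefix and the base64 payload are assumptions constructed for the example, not the project's code.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"strings"
)

// Constructed stand-in for a PNG data URL (not a real image); only the
// "data:image/png;base64," prefix matters for html/template's URL filter.
const previewPNG = "data:image/png;base64,iVBORw0KGgo="

// The same shape as the stub template in this PR: a src attribute fed
// directly from a template field, which puts the value in URL context.
var tmpl = template.Must(template.New("detail").Parse(
	`<img id="preview-img" src="{{ .PreviewURI }}">`))

// renderString is the buggy case: PreviewURI typed string. html/template's
// URL filter rejects the data: scheme and substitutes "#ZgotmplZ".
func renderString(uri string) (string, error) {
	var buf bytes.Buffer
	err := tmpl.Execute(&buf, struct{ PreviewURI string }{uri})
	return buf.String(), err
}

// renderURL is the fix: PreviewURI typed template.URL, which tells the
// escaper the value is already safe, so the scheme filter is skipped.
func renderURL(uri string) (string, error) {
	var buf bytes.Buffer
	err := tmpl.Execute(&buf, struct{ PreviewURI template.URL }{template.URL(uri)})
	return buf.String(), err
}

// safePreviewURI is a hypothetical gate a handler can keep in front of the
// template.URL cast: it accepts only the two shapes the handler itself
// produces (the generated PNG data URL or an assumed /static/ placeholder
// path) and refuses anything else, so the cast never launders other input.
func safePreviewURI(uri string) (template.URL, bool) {
	if strings.HasPrefix(uri, "data:image/png;base64,") || strings.HasPrefix(uri, "/static/") {
		return template.URL(uri), true
	}
	return "", false
}

// hasEscapeMarker is the check the PR's regression test makes.
func hasEscapeMarker(rendered string) bool {
	return strings.Contains(rendered, "#ZgotmplZ")
}

func main() {
	broken, _ := renderString(previewPNG)
	fixed, _ := renderURL(previewPNG)
	fmt.Println("string field:      ", broken)
	fmt.Println("template.URL field:", fixed)
	_, ok := safePreviewURI("data:text/html;base64,PHNjcmlwdD4=")
	fmt.Println("gate accepts data:text/html:", ok)
}
```

Note that `template.URL` only marks the value as trusted; it is still attribute-escaped, so a `+` in the base64 payload comes out as `&#43;`, which browsers decode back before fetching the image. The gate is the part worth keeping in mind: once the field is typed `template.URL`, nothing downstream checks the scheme, so the handler is the only place that guarantees the value came from the PNG encoder or the fixed placeholder path.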
Codecov Report: All modified and coverable lines are covered by tests.

| | main | #90 | +/- |
|---|---|---|---|
| Coverage | 91.09% | 91.09% | |
| Files | 71 | 71 | |
| Lines | 3189 | 3189 | |
| Branches | 271 | 271 | |
| Hits | 2905 | 2905 | |
| Misses | 216 | 216 | |
| Partials | 68 | 68 | |
Pull request overview
This PR fixes the template detail preview rendering issue where Go html/template sanitized PNG data URLs to #ZgotmplZ, and adds regression coverage for the behavior.
Changes:
- Changes `TemplateDetailData.PreviewURI` to `template.URL`.
- Wraps generated preview data URLs and placeholder paths as trusted template URLs.
- Updates frontend test stubs and adds a regression test for unescaped preview data URLs.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| frontend/internal/handlers/template.go | Uses template.URL for preview image sources. |
| frontend/internal/handlers/template_test.go | Adds regression coverage for PNG data URL rendering. |
| frontend/internal/handlers/base.go | Updates test stub template output to include preview image markup. |
| {{define "templates-content"}}<div id="templates-grid">templates</div>{{end}}`, | ||
| "template": `{{define "content"}}<div id="template-detail">template</div>{{end}} | ||
| {{define "template-content"}}<div id="template-detail">template</div>{{end}}`, | ||
| "template": `{{define "content"}}<div id="template-detail">template<img id="preview-img" src="{{ .PreviewURI }}"></div>{{end}} |
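Review bot: the `src="{{ .PreviewURI }}"` now in the stub is what lets the regression test observe the escaping, but note that typing the field as `template.URL` switches off html/template's URL-scheme filter for that value entirely, so the guard that would have turned a `data:text/html` payload into `#ZgotmplZ` no longer applies to it. Since PreviewURI is only ever assigned the server-generated PNG data URL or the placeholder SVG path, that is fine here; a one-line comment on the field in template.go stating that it must never be populated from request input would keep a later change from widening it.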
Summary of Changes (Gemini Code Assist): This pull request addresses an issue where base64-encoded preview images were being incorrectly sanitized by the Go html/template package, resulting in broken image links. By casting the URI to template.URL, the application now explicitly marks these strings as safe for use in HTML attributes, ensuring the preview renders as expected.
Code Review
This pull request addresses an issue where base64-encoded preview images were being escaped by the Go html/template engine, resulting in broken image links. The fix involves changing the PreviewURI field type from string to template.URL in the TemplateDetailData struct and updating the frontend templates to include the preview image. A regression test has been added to ensure that data URLs are correctly rendered without being escaped. I have no feedback to provide as there were no review comments to evaluate.
Dependabot PR #89 bumped frontend/go.mod to `go 1.25.0`, but the Dockerfile builder image was still `golang:1.24-alpine`, breaking the Docker publish workflow on every PR:

`go: go.mod requires go >= 1.25.0 (running go 1.24.13; GOTOOLCHAIN=local)`

Bump the builder image to `golang:1.25-alpine` so it matches the toolchain version declared in go.mod.

Refs #22
## <small>0.6.1 (2026-05-19)</small>

* fix(ui): preview-PNG data-URL must use template.URL type (#90) ([0f84976](0f84976)), closes [#90](#90) [#87](#87) [#22](#22) [#89](#89) [#22](#22)
* docs(api): Phase 7c API-Auth design — 3-scope keys + rate-limit + /admin/api-keys UI (#85) ([8792e84](8792e84)), closes [#85](#85) [#22](#22) [#78](#78) [#85](#85) [#22](#22) [#79](#79) [#22](#22)
* docs(api): Phase 7e Template Layout System v2 — semantic schema + aggregation (#86) ([0bab0c0](0bab0c0)), closes [#86](#86) [#22](#22) [#81](#81) [#22](#22)
* chore(deps): bump the go-minor-and-patch group (#89) ([d6ba346](d6ba346)), closes [#89](#89) [skip ci]
Closes #87. Template-Detail-Page showed instead of preview-PNG because html/template default-escapes in src= attributes. Fix: wrap PreviewURI as . Plus regression test that catches the bug. Refs #22