Data

Tools

Indexes

Applications

Experiments

Packages

An open API service providing package, version and dependency metadata of many open source software ecosystems and registries.

proxy.golang.org : github.com/pschlump/extendhtml

Package template (github.com/pschlump/extendhtml) implements data-driven templates for generating HTML output safe against code injection. It provides the same interface as text/template and should be used instead of text/template whenever the output is HTML. The documentation here focuses on the security features of the package. For information about how to program the templates themselves, see the documentation for text/template. This package wraps text/template so you can share its template API to parse and execute HTML templates safely. If successful, tmpl will now be injection-safe. Otherwise, err is an error defined in the docs for ErrorCode. HTML templates treat data values as plain text which should be encoded so they can be safely embedded in an HTML document. The escaping is contextual, so actions can appear within JavaScript, CSS, and URI contexts. The security model used by this package assumes that template authors are trusted, while Execute's data parameter is not. More details are provided below. Example produces but the contextual autoescaping in github.com/pschlump/extendhtml produces safe, escaped HTML output This package understands HTML, CSS, JavaScript, and URIs. It adds sanitizing functions to each simple action pipeline, so given the excerpt At parse time each {{.}} is overwritten to add escaping functions as necessary. In this case it becomes where urlescaper, attrescaper, and htmlescaper are aliases for internal escaping functions. For these internal escaping functions, if an action pipeline evaluates to a nil interface value, it is treated as though it were an empty string. Attributes with a namespace are treated as if they had no namespace. Given the excerpt At parse time the attribute will be treated as if it were just "href". So at parse time the template becomes: Similarly to attributes with namespaces, attributes with a "data-" prefix are treated as if they had no "data-" prefix. So given At parse time this becomes If an attribute has both a namespace and a "data-" prefix, only the namespace will be removed when determining the context. For example This is handled as if "my:data-href" was just "data-href" and not "href" as it would be if the "data-" prefix were to be ignored too. Thus at parse time this becomes just As a special case, attributes with the namespace "xmlns" are always treated as containing URLs. Given the excerpts At parse time they become: See the documentation of ErrorCode for details. The rest of this package comment may be skipped on first reading; it includes details necessary to understand escaping contexts and error messages. Most users will not need to understand these details. Assuming {{.}} is `O'Reilly: How are <i>you</i>?`, the table below shows how {{.}} appears when used in the context to the left. If used in an unsafe context, then the value might be filtered out: since "O'Reilly:" is not an allowed protocol like "http:". If {{.}} is the innocuous word, `left`, then it can appear more widely, Non-string values can be used in JavaScript contexts. If {{.}} is in the escaped template then the template output is See package json to understand how non-string content is marshaled for embedding in JavaScript contexts. By default, this package assumes that all pipelines produce a plain text string. It adds escaping pipeline stages necessary to correctly and safely embed that plain text string in the appropriate context. When a data value is not plain text, you can make sure it is not over-escaped by marking it with its type. Types HTML, JS, URL, and others from content.go can carry safe content that is exempted from escaping. The template can be invoked with to produce instead of the that would have been produced if {{.}} was a regular string. https://rawgit.com/mikesamuel/sanitized-jquery-templates/trunk/safetemplate.html#problem_definition defines "safe" as used by this package. This package assumes that template authors are trusted, that Execute's data parameter is not, and seeks to preserve the properties below in the face of untrusted data: Structure Preservation Property: "... when a template author writes an HTML tag in a safe templating language, the browser will interpret the corresponding portion of the output as a tag regardless of the values of untrusted data, and similarly for other structures such as attribute boundaries and JS and CSS string boundaries." Code Effect Property: "... only code specified by the template author should run as a result of injecting the template output into a page and all code specified by the template author should run as a result of the same." Least Surprise Property: "A developer (or code reviewer) familiar with HTML, CSS, and JavaScript, who knows that contextual autoescaping happens should be able to look at a {{.}} and correctly infer what sanitization happens." Previously, ECMAScript 6 template literal were disabled by default, and could be enabled with the GODEBUG=jstmpllitinterp=1 environment variable. Template literals are now supported by default, and setting jstmpllitinterp has no effect.

Registry - Source - Documentation - JSON
purl: pkg:golang/github.com/pschlump/extendhtml
License: BSD-3-Clause
Latest release: 7 months ago
First release: 7 months ago
Namespace: github.com/pschlump
Last synced: about 16 hours ago

    Loading...
    Readme
    Loading...