Unescape css input in HTML
Asked Answered
S

1

2

How do I unescape html?

I'm passing a css file into html like this

<style>{{.file}}</style>

I get this

<style>ZgotmplZ</style>

I've tried wrapping the field with template.HTML(data), didn't work.

Surface answered 12/1, 2015 at 16:45 Comment(0)
U
4

The Go HTML template package properly excapes CSS. Quoting from the documentation of the template package:

The escaping is contextual, so actions can appear within JavaScript, CSS, and URI contexts.

"ZgotmplZ" is a special value, it is used as a replacement if the value you're trying to include is invalid or unsafe in the context.

So the problem is the CSS value you're trying to include, it is not safe. Try something simple first and see if it works, like:

body {background-color: #000}

Found the discussion of "ZgotmplZ" in the documentation (at type ErrorCode), quoting it:

"ZgotmplZ" explanation:

Example Template:

<img src="{{.X}}">
where {{.X}} evaluates to `javascript:...`

Discussion:

"ZgotmplZ" is a special value that indicates that unsafe content reached a
CSS or URL context at runtime. The output of the example will be
  <img src="#ZgotmplZ">
If the data comes from a trusted source, use content types to exempt it
from filtering: URL(`javascript:...`).

Solution

Since the code you try to insert is in the context of CSS code and not HTML, you can't/shouldn't use template.HTML(data).

There is a predefined type CSS for safe inclusion of CSS code coming from trusted source, e.g. CSS code you specify and is not coming from an HTML form filled by the user. Example:

var safeCss = template.CSS(`body {background-image: url("paper.gif");}`)

And pass the safeCss value to your template parameter.

Us answered 12/1, 2015 at 16:55 Comment(1)
Thank you for showing us template.CSS. It's hard to get straightforward solutions for this.Elaineelam

© 2022 - 2024 — McMap. All rights reserved.