How do I unescape html?
I'm passing a css file into html like this
<style>{{.file}}</style>
I get this
<style>ZgotmplZ</style>
I've tried wrapping the field with template.HTML(data), didn't work.
How do I unescape html?
I'm passing a css file into html like this
<style>{{.file}}</style>
I get this
<style>ZgotmplZ</style>
I've tried wrapping the field with template.HTML(data), didn't work.
The Go HTML template package properly excapes CSS. Quoting from the documentation of the template
package:
The escaping is contextual, so actions can appear within JavaScript, CSS, and URI contexts.
"ZgotmplZ"
is a special value, it is used as a replacement if the value you're trying to include is invalid or unsafe in the context.
So the problem is the CSS value you're trying to include, it is not safe. Try something simple first and see if it works, like:
body {background-color: #000}
Found the discussion of "ZgotmplZ"
in the documentation (at type ErrorCode
), quoting it:
"ZgotmplZ"
explanation:Example Template:
<img src="{{.X}}">
where {{.X}} evaluates to `javascript:...`
Discussion:
"ZgotmplZ" is a special value that indicates that unsafe content reached a
CSS or URL context at runtime. The output of the example will be
<img src="#ZgotmplZ">
If the data comes from a trusted source, use content types to exempt it
from filtering: URL(`javascript:...`).
Since the code you try to insert is in the context of CSS code and not HTML, you can't/shouldn't use template.HTML(data)
.
There is a predefined type CSS
for safe inclusion of CSS code coming from trusted source, e.g. CSS code you specify and is not coming from an HTML form filled by the user. Example:
var safeCss = template.CSS(`body {background-image: url("paper.gif");}`)
And pass the safeCss
value to your template parameter.
© 2022 - 2024 — McMap. All rights reserved.
template.CSS
. It's hard to get straightforward solutions for this. – Elaineelam