diff --git a/src/pkg/html/template/doc.go b/src/pkg/html/template/doc.go
index 570567e876..fc0e382644 100644
--- a/src/pkg/html/template/doc.go
+++ b/src/pkg/html/template/doc.go
@@ -13,9 +13,9 @@ Introduction
This package wraps package template so you can use the standard template API
to parse and execute templates.
- set, err := new(template.Set).Parse(...)
- // Error checking elided
- err = set.Execute(out, "Foo", data)
+ set, err := new(template.Set).Parse(...)
+ // Error checking elided
+ err = set.Execute(out, "Foo", data)
If successful, set will now be injection-safe. Otherwise, err is an error
defined in the docs for ErrorCode.
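Review bot: In the re-indented example at the top of this hunk, `err` from Parse is silently reused by `err = set.Execute(out, "Foo", data)`, and the sentence that follows ("If successful, set will now be injection-safe") does not say which of the two calls has to succeed. Since this is the sentence readers rely on for the safety guarantee, suggest naming the call explicitly and stating that the set must not be executed when that call returns a non-nil err.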
@@ -29,25 +29,25 @@ trusted, while Execute's data parameter is not. More details are provided below.
Example
- import "text/template"
- ...
- t, err := (&template.Set{}).Parse(`{{define "T"}}Hello, {{.}}!{{end}}`)
- err = t.Execute(out, "T", "")
+ import "text/template"
+ ...
+ t, err := (&template.Set{}).Parse(`{{define "T"}}Hello, {{.}}!{{end}}`)
+ err = t.Execute(out, "T", "")
produces
- Hello, !
+ Hello, !
but with contextual autoescaping,
- import "html/template"
- ...
- t, err := (&template.Set{}).Parse(`{{define "T"}}Hello, {{.}}!{{end}}`)
- err = t.Execute(out, "T", "")
+ import "html/template"
+ ...
+ t, err := (&template.Set{}).Parse(`{{define "T"}}Hello, {{.}}!{{end}}`)
+ err = t.Execute(out, "T", "")
produces safe, escaped HTML output
- Hello, <script>alert('you have been pwned')</script>!
+ Hello, <script>alert('you have been pwned')</script>!
Contexts
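Review bot: The output line under "produces safe, escaped HTML output" at the end of this hunk shows `Hello, <script>alert('you have been pwned')</script>!` with a literal script tag, which is the unescaped form and contradicts the sentence introducing it. The escaped result should appear entity-encoded (for example `&lt;script&gt;`). Both snippets also pass `""` as the data argument in `t.Execute(out, "T", "")`, which cannot yield the script text shown, and the text/template output is given as `Hello, !`. Suggest passing the script string as data in both snippets so the two outputs visibly differ only in escaping. Unlike the first example in the file, the `err` returned by Parse here is overwritten with no "Error checking elided" comment, which is worth adding for consistency.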
@@ -80,36 +80,36 @@ Contexts
Assuming {{.}} is `O'Reilly: How are you?`, the table below shows
how {{.}} appears when used in the context to the left.
-Context {{.}} After
-{{.}} O'Reilly: How are <i>you</i>?
- O'Reilly: How are you?
- O'Reilly: How are %3ci%3eyou%3c/i%3e?
- O'Reilly%3a%20How%20are%3ci%3e...%3f
- O\x27Reilly: How are \x3ci\x3eyou...?
- "O\x27Reilly: How are \x3ci\x3eyou...?"
- O\x27Reilly: How are \x3ci\x3eyou...\x3f
+ Context {{.}} After
+ {{.}} O'Reilly: How are <i>you</i>?
+ O'Reilly: How are you?
+ O'Reilly: How are %3ci%3eyou%3c/i%3e?
+ O'Reilly%3a%20How%20are%3ci%3e...%3f
+ O\x27Reilly: How are \x3ci\x3eyou...?
+ "O\x27Reilly: How are \x3ci\x3eyou...?"
+ O\x27Reilly: How are \x3ci\x3eyou...\x3f
If used in an unsafe context, then the value might be filtered out:
-Context {{.}} After
- #ZgotmplZ
+ Context {{.}} After
+ #ZgotmplZ
since "O'Reilly:" is not an allowed protocol like "http:".
If {{.}} is the innocuous word, `left`, then it can appear more widely,
-Context {{.}} After
-{{.}} left
- left
- left
- left
- left
- left
- left
- left
- left
+ Context {{.}} After
+ {{.}} left
+ left
+ left
+ left
+ left
+ left
+ left
+ left
+ left
Non-string values can be used in JavaScript contexts.
If {{.}} is
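Review bot: In all three tables of this hunk, every row except the first carries only a value under "After" and nothing under "Context", so the reader cannot tell which escaping (`%3c`, `\x3c`, quoted string) belongs to which context, nor which context produces `#ZgotmplZ`. Since the change re-indents these rows, please confirm the Context column survives in the rendered doc and lines up under the `Context {{.}} After` header. The first row also shows `{{.}}` rendering as `O'Reilly: How are <i>you</i>?` with raw tags while the lead-in gives the input as `O'Reilly: How are you?`; the input and the escaped form should both be shown as they actually are. It would also help to say in one sentence that `#ZgotmplZ` is the placeholder substituted for a filtered value, so that people finding it in their output know what to look for.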