mirror of https://github.com/golang/go synced 2024-10-02 22:21:20 -06:00

html/template: fix documentation formatting

See http://weekly.golang.org/pkg/html/template/

R=golang-dev, r, rsc
CC=golang-dev
https://golang.org/cl/5413055
Andrew Gerrand 2011-11-19 10:54:44 +11:00
parent 5b9d7825ed
commit 6c864210fc

@ -13,9 +13,9 @@ Introduction
This package wraps package template so you can use the standard template API This package wraps package template so you can use the standard template API
to parse and execute templates. to parse and execute templates.
set, err := new(template.Set).Parse(...) set, err := new(template.Set).Parse(...)
// Error checking elided // Error checking elided
err = set.Execute(out, "Foo", data) err = set.Execute(out, "Foo", data)
If successful, set will now be injection-safe. Otherwise, err is an error If successful, set will now be injection-safe. Otherwise, err is an error
defined in the docs for ErrorCode. defined in the docs for ErrorCode.
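Review bot: the closing sentence of the Introduction snippet ("If successful, set will now be injection-safe. Otherwise, err is an error defined in the docs for ErrorCode.") does not say which err it means. The snippet assigns err twice, once from Parse and once from set.Execute, with only "// Error checking elided" between them, so a reader cannot tell which call reports the ErrorCode error. Since these lines are being touched anyway, name the call in that sentence so it is clear which check decides whether the set can be treated as injection-safe.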
@ -29,25 +29,25 @@ trusted, while Execute's data parameter is not. More details are provided below.
Example Example
import "text/template" import "text/template"
... ...
t, err := (&template.Set{}).Parse(`{{define "T"}}Hello, {{.}}!{{end}}`) t, err := (&template.Set{}).Parse(`{{define "T"}}Hello, {{.}}!{{end}}`)
err = t.Execute(out, "T", "<script>alert('you have been pwned')</script>") err = t.Execute(out, "T", "<script>alert('you have been pwned')</script>")
produces produces
Hello, <script>alert('you have been pwned')</script>! Hello, <script>alert('you have been pwned')</script>!
but with contextual autoescaping, but with contextual autoescaping,
import "html/template" import "html/template"
... ...
t, err := (&template.Set{}).Parse(`{{define "T"}}Hello, {{.}}!{{end}}`) t, err := (&template.Set{}).Parse(`{{define "T"}}Hello, {{.}}!{{end}}`)
err = t.Execute(out, "T", "<script>alert('you have been pwned')</script>") err = t.Execute(out, "T", "<script>alert('you have been pwned')</script>")
produces safe, escaped HTML output produces safe, escaped HTML output
Hello, &lt;script&gt;alert('you have been pwned')&lt;/script&gt;! Hello, &lt;script&gt;alert('you have been pwned')&lt;/script&gt;!
Contexts Contexts
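Review bot: in both Example snippets the err returned by Parse is overwritten by "err = t.Execute(out, "T", ...)" on the next line without a check, and unlike the Introduction snippet there is no "// Error checking elided" comment. Add that comment (or an explicit check) between the two lines in the text/template and html/template versions, so that code copied from the docs does not silently ignore a parse failure.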
@ -80,36 +80,36 @@ Contexts
Assuming {{.}} is `O'Reilly: How are <i>you</i>?`, the table below shows Assuming {{.}} is `O'Reilly: How are <i>you</i>?`, the table below shows
how {{.}} appears when used in the context to the left. how {{.}} appears when used in the context to the left.
Context {{.}} After Context {{.}} After
{{.}} O'Reilly: How are &lt;i&gt;you&lt;/i&gt;? {{.}} O'Reilly: How are &lt;i&gt;you&lt;/i&gt;?
<a title='{{.}}'> O&#39;Reilly: How are you? <a title='{{.}}'> O&#39;Reilly: How are you?
<a href="/{{.}}"> O&#39;Reilly: How are %3ci%3eyou%3c/i%3e? <a href="/{{.}}"> O&#39;Reilly: How are %3ci%3eyou%3c/i%3e?
<a href="?q={{.}}"> O&#39;Reilly%3a%20How%20are%3ci%3e...%3f <a href="?q={{.}}"> O&#39;Reilly%3a%20How%20are%3ci%3e...%3f
<a onx='f("{{.}}")'> O\x27Reilly: How are \x3ci\x3eyou...? <a onx='f("{{.}}")'> O\x27Reilly: How are \x3ci\x3eyou...?
<a onx='f({{.}})'> "O\x27Reilly: How are \x3ci\x3eyou...?" <a onx='f({{.}})'> "O\x27Reilly: How are \x3ci\x3eyou...?"
<a onx='pattern = /{{.}}/;'> O\x27Reilly: How are \x3ci\x3eyou...\x3f <a onx='pattern = /{{.}}/;'> O\x27Reilly: How are \x3ci\x3eyou...\x3f
If used in an unsafe context, then the value might be filtered out: If used in an unsafe context, then the value might be filtered out:
Context {{.}} After Context {{.}} After
<a href="{{.}}"> #ZgotmplZ <a href="{{.}}"> #ZgotmplZ
since "O'Reilly:" is not an allowed protocol like "http:". since "O'Reilly:" is not an allowed protocol like "http:".
If {{.}} is the innocuous word, `left`, then it can appear more widely, If {{.}} is the innocuous word, `left`, then it can appear more widely,
Context {{.}} After Context {{.}} After
{{.}} left {{.}} left
<a title='{{.}}'> left <a title='{{.}}'> left
<a href='{{.}}'> left <a href='{{.}}'> left
<a href='/{{.}}'> left <a href='/{{.}}'> left
<a href='?dir={{.}}'> left <a href='?dir={{.}}'> left
<a style="border-{{.}}: 4px"> left <a style="border-{{.}}: 4px"> left
<a style="align: {{.}}"> left <a style="align: {{.}}"> left
<a style="background: '{{.}}'> left <a style="background: '{{.}}'> left
<a style="background: url('{{.}}')> left <a style="background: url('{{.}}')> left
<style>p.{{.}} {color:red}</style> left <style>p.{{.}} {color:red}</style> left
Non-string values can be used in JavaScript contexts. Non-string values can be used in JavaScript contexts.
If {{.}} is If {{.}} is
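Review bot: two rows of the `left` table have an unterminated style attribute: <a style="background: '{{.}}'> and <a style="background: url('{{.}}')> open the value with a double quote and never close it before ">". Because the table exists to show which context {{.}} sits in, the markup in the Context column should be well formed; suggest <a style="background: '{{.}}'"> and <a style="background: url('{{.}}')"> while the indentation of these lines is being fixed.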