mirror of
https://github.com/golang/go
synced 2024-11-21 22:14:41 -07:00
html/template: fix documentation formatting
See http://weekly.golang.org/pkg/html/template/ R=golang-dev, r, rsc CC=golang-dev https://golang.org/cl/5413055
This commit is contained in:
parent
5b9d7825ed
commit
6c864210fc
@ -13,9 +13,9 @@ Introduction
|
|||||||
This package wraps package template so you can use the standard template API
|
This package wraps package template so you can use the standard template API
|
||||||
to parse and execute templates.
|
to parse and execute templates.
|
||||||
|
|
||||||
set, err := new(template.Set).Parse(...)
|
set, err := new(template.Set).Parse(...)
|
||||||
// Error checking elided
|
// Error checking elided
|
||||||
err = set.Execute(out, "Foo", data)
|
err = set.Execute(out, "Foo", data)
|
||||||
|
|
||||||
If successful, set will now be injection-safe. Otherwise, err is an error
|
If successful, set will now be injection-safe. Otherwise, err is an error
|
||||||
defined in the docs for ErrorCode.
|
defined in the docs for ErrorCode.
|
||||||
@ -29,25 +29,25 @@ trusted, while Execute's data parameter is not. More details are provided below.
|
|||||||
|
|
||||||
Example
|
Example
|
||||||
|
|
||||||
import "text/template"
|
import "text/template"
|
||||||
...
|
...
|
||||||
t, err := (&template.Set{}).Parse(`{{define "T"}}Hello, {{.}}!{{end}}`)
|
t, err := (&template.Set{}).Parse(`{{define "T"}}Hello, {{.}}!{{end}}`)
|
||||||
err = t.Execute(out, "T", "<script>alert('you have been pwned')</script>")
|
err = t.Execute(out, "T", "<script>alert('you have been pwned')</script>")
|
||||||
|
|
||||||
produces
|
produces
|
||||||
|
|
||||||
Hello, <script>alert('you have been pwned')</script>!
|
Hello, <script>alert('you have been pwned')</script>!
|
||||||
|
|
||||||
but with contextual autoescaping,
|
but with contextual autoescaping,
|
||||||
|
|
||||||
import "html/template"
|
import "html/template"
|
||||||
...
|
...
|
||||||
t, err := (&template.Set{}).Parse(`{{define "T"}}Hello, {{.}}!{{end}}`)
|
t, err := (&template.Set{}).Parse(`{{define "T"}}Hello, {{.}}!{{end}}`)
|
||||||
err = t.Execute(out, "T", "<script>alert('you have been pwned')</script>")
|
err = t.Execute(out, "T", "<script>alert('you have been pwned')</script>")
|
||||||
|
|
||||||
produces safe, escaped HTML output
|
produces safe, escaped HTML output
|
||||||
|
|
||||||
Hello, <script>alert('you have been pwned')</script>!
|
Hello, <script>alert('you have been pwned')</script>!
|
||||||
|
|
||||||
|
|
||||||
Contexts
|
Contexts
|
||||||
@ -80,36 +80,36 @@ Contexts
|
|||||||
Assuming {{.}} is `O'Reilly: How are <i>you</i>?`, the table below shows
|
Assuming {{.}} is `O'Reilly: How are <i>you</i>?`, the table below shows
|
||||||
how {{.}} appears when used in the context to the left.
|
how {{.}} appears when used in the context to the left.
|
||||||
|
|
||||||
Context {{.}} After
|
Context {{.}} After
|
||||||
{{.}} O'Reilly: How are <i>you</i>?
|
{{.}} O'Reilly: How are <i>you</i>?
|
||||||
<a title='{{.}}'> O'Reilly: How are you?
|
<a title='{{.}}'> O'Reilly: How are you?
|
||||||
<a href="/{{.}}"> O'Reilly: How are %3ci%3eyou%3c/i%3e?
|
<a href="/{{.}}"> O'Reilly: How are %3ci%3eyou%3c/i%3e?
|
||||||
<a href="?q={{.}}"> O'Reilly%3a%20How%20are%3ci%3e...%3f
|
<a href="?q={{.}}"> O'Reilly%3a%20How%20are%3ci%3e...%3f
|
||||||
<a onx='f("{{.}}")'> O\x27Reilly: How are \x3ci\x3eyou...?
|
<a onx='f("{{.}}")'> O\x27Reilly: How are \x3ci\x3eyou...?
|
||||||
<a onx='f({{.}})'> "O\x27Reilly: How are \x3ci\x3eyou...?"
|
<a onx='f({{.}})'> "O\x27Reilly: How are \x3ci\x3eyou...?"
|
||||||
<a onx='pattern = /{{.}}/;'> O\x27Reilly: How are \x3ci\x3eyou...\x3f
|
<a onx='pattern = /{{.}}/;'> O\x27Reilly: How are \x3ci\x3eyou...\x3f
|
||||||
|
|
||||||
If used in an unsafe context, then the value might be filtered out:
|
If used in an unsafe context, then the value might be filtered out:
|
||||||
|
|
||||||
Context {{.}} After
|
Context {{.}} After
|
||||||
<a href="{{.}}"> #ZgotmplZ
|
<a href="{{.}}"> #ZgotmplZ
|
||||||
|
|
||||||
since "O'Reilly:" is not an allowed protocol like "http:".
|
since "O'Reilly:" is not an allowed protocol like "http:".
|
||||||
|
|
||||||
|
|
||||||
If {{.}} is the innocuous word, `left`, then it can appear more widely,
|
If {{.}} is the innocuous word, `left`, then it can appear more widely,
|
||||||
|
|
||||||
Context {{.}} After
|
Context {{.}} After
|
||||||
{{.}} left
|
{{.}} left
|
||||||
<a title='{{.}}'> left
|
<a title='{{.}}'> left
|
||||||
<a href='{{.}}'> left
|
<a href='{{.}}'> left
|
||||||
<a href='/{{.}}'> left
|
<a href='/{{.}}'> left
|
||||||
<a href='?dir={{.}}'> left
|
<a href='?dir={{.}}'> left
|
||||||
<a style="border-{{.}}: 4px"> left
|
<a style="border-{{.}}: 4px"> left
|
||||||
<a style="align: {{.}}"> left
|
<a style="align: {{.}}"> left
|
||||||
<a style="background: '{{.}}'> left
|
<a style="background: '{{.}}'> left
|
||||||
<a style="background: url('{{.}}')> left
|
<a style="background: url('{{.}}')> left
|
||||||
<style>p.{{.}} {color:red}</style> left
|
<style>p.{{.}} {color:red}</style> left
|
||||||
|
|
||||||
Non-string values can be used in JavaScript contexts.
|
Non-string values can be used in JavaScript contexts.
|
||||||
If {{.}} is
|
If {{.}} is
|
||||||
|
Loading…
Reference in New Issue
Block a user