I have a string variable $v with the value a and the template {{ $v }} outputs a
This doesn’t happen if a is directly in the template as html and not in a variable, so I guess there’s some kind of escaping going on when evaluating the variables.
Thanks. I tried it but it doesn’t work when inside a href attribute: <a href='{{ $v | safeHTML }}'>{{ $v | safeHTML }}</a> outputs <a href='&#97;'>a</a>
Also tried with safeHTMLAttr with the same result.
I have an obfuscated email address in a param and it always ends escaped no matter what I try. The only solution I found is hardcoding it in the template.
It seems like the template is post processing its dynamic content.
So it would help to update your minimal example to use a fake email or something that obfuscates to a string that doesn’t work with above suggested solutions.
The desired output is in the “hardcoded” div (the values are the same as the declared). I can get it to work for the address, but the href is being treated differently and always gets escaped. I even tried using the $href as the content of the <a> element instead of the href attribute and the output is different:
I read a bit about the Go html/template package and how it escapes content contextually, trusting the template and not trusting the dynamic content. About href, taken from the html/template documentation (template package - html/template - Go Packages):
This package understands HTML, CSS, JavaScript, and URIs. It adds sanitizing functions to each simple action pipeline, so given the excerpt
<a href="/search?q={{.}}">{{.}}</a>
At parse time each {{.}} is overwritten to add escaping functions as necessary. In this case it becomes
<a href="/search?q={{. | urlescaper | attrescaper}}">{{. | htmlescaper}}</a>
where urlescaper, attrescaper, and htmlescaper are aliases for internal escaping functions.
<p>Safe: <a ZgotmplZ>"><script>alert('hello')</script></a></p>
<p>Unsafe use of safe*: <a href="\"><script>alert('hello')</script>">"><script>alert('hello')</script></a></p>
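The contextual escaping discussed in this thread, reproduced with Go's html/template directly (an added example, not code from the original posts). The `render` helper, the two template strings and the sample value `&#97;` are assumptions made for illustration; `template.HTML` and `template.HTMLAttr` are the types that Hugo's `safeHTML` and `safeHTMLAttr` return.

```go
package main

import (
	"fmt"
	"html/template"
	"strings"
)

// Constructed sample value: an entity-encoded letter "a".
const entity = "&#97;"

const (
	hrefTmpl = `<a href='{{.}}'>{{.}}</a>` // value inside a quoted href and in a text node
	tagTmpl  = `<a {{.}}>x</a>`            // value where an attribute name is expected
)

// Typed values that mark content as trusted for one specific context.
var (
	asHTML = template.HTML(entity)
	asAttr = template.HTMLAttr(`href="` + entity + `"`)
)

// render parses and executes tmpl with data and returns the escaped output.
func render(tmpl string, data any) string {
	t := template.Must(template.New("t").Parse(tmpl))
	var b strings.Builder
	if err := t.Execute(&b, data); err != nil {
		return "error: " + err.Error()
	}
	return b.String()
}

func main() {
	// Plain string: "&" is escaped in both the href and the text node.
	fmt.Println(render(hrefTmpl, entity))
	// template.HTML is honoured in the text node only. Inside href the value
	// still passes through the URL filter, URL normalizer and attribute
	// escaper, which treat it as a plain string and escape "&".
	fmt.Println(render(hrefTmpl, asHTML))
	// Plain string in attribute-name position: replaced by ZgotmplZ.
	fmt.Println(render(tagTmpl, `href="`+entity+`"`))
	// template.HTMLAttr covering the whole attribute is emitted verbatim,
	// so it should only ever wrap values the site author controls.
	fmt.Println(render(tagTmpl, asAttr))
}
```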