I noticed a case where HTML escaping is applied inconsistently that I don’t understand. I’m curious if it’s a bug or if someone can shed some light on the observed behavior.
I have an layout template for an Atom feed. Removing all the irrelevant bits, it looks like this
Notice the initial < is escaped but the final > is not. Why is that? I know I can work around it with printf, I’m just curious about the intended behavior.
Relatedly, why do we need the printf workaround in some cases but not others? Consider this inside of an XML layout template:
Each output format (e.g., html, rss) has a boolean parameter named isPlainText.
When this is true, Hugo uses Go’s text/template package to generate textual output.
When this is false, Hugo uses Go’s html/template package to generate HTML output made safe against code injection via contextual autoescaping.
The isPlainText parameter is false for predefined output formats such as html and rss. It is also false for custom output formats unless explicitly set to true in your site configuration.
So, for your atom output format, unless you have explicitly set isPlainText to true, Go’s html/template package performs contextual autoescaping.
OK, that’s great, but why is this list.atom template:
Change your site configuration, explicitly setting isPlainText to true for the atom output format. This causes Hugo to use Go’s text/template package where nothing is contextually escaped. This isn’t a great idea unless you control all of the site’s content and data.
Thanks for the link. Looks like the answer to the question is that Go’s html/template is strictly for HTML5 and doesn’t fully support XML, SGML, or older HTML. Anything it sees that it doesn’t recognize as HTML5 gets escaped. <? ?> and <![CDATA[ ]]> in this case.
The reason only the open brackets are escaped is because technically that’s all that’s necessary for it to parse correctly. Apparently the closing bracket is ignored if it wasn’t preceded by an opening bracket.