Template engine escaping things outside of any action (e.g. "<?")

I had a look at Hugo’s embedded RSS template and noticed that the <?xml ?> tag needs to be run through the safeHTML function in order to avoid it being escaped by the template engine.

This puzzled me as the official documentation for Go’s html/template package says that template authors are trusted. Therefore, I would expect that the engine leaves everything that sits outside of any {{ }} action unchanged. This seems to be wrong. There is a GitHub issue about this, and while it is technically correct that XML files are an unsupported use case, no reasons were given for this behavior.

This worries me because I might use Hugo’s executeAsTemplate for various assets, and now I’m afraid that doing so might have weird side effects.

Does anybody know exactly what it is the template engine is doing with the “literal” (=outside of any action) part of a template?

2 comments from me:

  • ExecuteAsTemplate uses Go’s text/template package which does no escaping.
  • Any output format that has plainText=true (see Custom output formats | Hugo) will use text/template
  • You can redefine any output format to use the more lenient text/template package.

This puzzled me as the official documentation for Go’s html/template package says that template authors are trusted.

What I think they mean is

  • The templates are trusted, but the data passed into the template is not (always) trusted
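To make the difference between the two packages concrete, here is an added, self-contained Go example (not code from the post, from Hugo, or from Hugo’s embedded RSS template). It renders the same constructed RSS-style template with text/template and with html/template, then renders a variant where the processing instruction is emitted by an action piped through a safeHTML function; that safeHTML is a hypothetical stand-in for Hugo’s function and simply marks the string as html/template’s HTML type. The template strings, the Feed type and the sample description are all constructed for the example.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	texttemplate "text/template"
)

// Constructed RSS-style template (not Hugo's embedded rss.xml). The literal
// text outside any {{ }} action begins with an XML processing instruction,
// which is the text the post found being escaped.
const literalPITemplate = `<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0"><channel><description>{{ .Description }}</description></channel></rss>
`

// Same template, but the processing instruction is produced by an action and
// passed through a safeHTML-style function, mirroring what Hugo's embedded
// template does to keep html/template from touching it.
const safeHTMLPITemplate = `{{ printf "<?xml version=\"1.0\" encoding=\"utf-8\"?>" | safeHTML }}
<rss version="2.0"><channel><description>{{ .Description }}</description></channel></rss>
`

// Feed is the (constructed) data passed into the template. Description plays
// the role of untrusted input and deliberately carries markup-like content.
type Feed struct{ Description string }

// safeHTML is a hypothetical stand-in for Hugo's safeHTML: it types the string
// as already-safe HTML so html/template's contextual escaper passes it through.
func safeHTML(s string) htmltemplate.HTML { return htmltemplate.HTML(s) }

// renderText executes tmpl with text/template, which escapes nothing, neither
// the literal text nor the values substituted by actions.
func renderText(tmpl string, data Feed) (string, error) {
	t, err := texttemplate.New("rss").Funcs(texttemplate.FuncMap{"safeHTML": safeHTML}).Parse(tmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// renderHTML executes tmpl with html/template. Its escaper walks the literal
// text as HTML: a "<" that does not open a recognised tag (such as "<?xml")
// is rewritten to "&lt;", and action output is escaped for the context it
// lands in unless it is already typed as safe HTML.
func renderHTML(tmpl string, data Feed) (string, error) {
	t, err := htmltemplate.New("rss").Funcs(htmltemplate.FuncMap{"safeHTML": safeHTML}).Parse(tmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	data := Feed{Description: "Hello <b>world</b>"}
	cases := []struct {
		name   string
		tmpl   string
		render func(string, Feed) (string, error)
	}{
		{"text/template, literal <?xml", literalPITemplate, renderText},
		{"html/template, literal <?xml", literalPITemplate, renderHTML},
		{"html/template, <?xml via safeHTML", safeHTMLPITemplate, renderHTML},
	}
	for _, c := range cases {
		out, err := c.render(c.tmpl, data)
		if err != nil {
			fmt.Printf("%s: error: %v\n", c.name, err)
			continue
		}
		fmt.Printf("--- %s ---\n%s", c.name, out)
	}
}
```

Running it shows the three outcomes side by side: text/template reproduces the template byte for byte, including the untrusted `<b>` in the description; html/template turns the leading `<?xml` into `&lt;?xml` but also neutralises the `<b>` in the data; and the safeHTML variant keeps the processing instruction intact while the data is still escaped, which is the combination Hugo’s embedded template relies on.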
