Comments (2)
May I ask what you did to prevent this issue?
A temporary workaround would be to use @templ.Raw inside its own <span>:

```templ
package main

templ hello(name string, entity string) {
	<div>{ name } 45<span>@templ.Raw(entity)</span> 45°F </div>
}
```
If you put the @templ.Raw after some other text in an HTML element then it will be escaped.
It's expected that text will be automatically escaped using HTML encoding as per https://templ.guide/syntax-and-usage/expressions#escaping
If you want to render a degree symbol, use `http.Handle("/", templ.Handler(hello("Temperature", "°")))`, not `http.Handle("/", templ.Handler(hello("Temperature", "&deg;")))`.
If templ didn't do that, then templ would be wide open to cross-site scripting attacks from user input.
You can bypass string escaping using: Lines 753 to 765 in 753ba39
This talk outlines security considerations for API design of applications that render HTML: https://www.youtube.com/watch?v=ccfEu-Jj0as
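As an added example (not templ's own code), here is a small Go model of the two rendering paths discussed in this thread, escaped `{ expr }` text versus @templ.Raw, with html.EscapeString standing in for templ's escaper (an assumption). It shows why a literal `°` renders unchanged, why `&deg;` comes out as `&amp;deg;`, and why Raw must only ever see trusted, constant markup.

```go
package main

import (
	"fmt"
	"html"
	"strings"
)

// Part is one piece of rendered output: escaped text or trusted raw HTML.
type Part struct {
	Value string
	Raw   bool
}
// Text models a `{ expr }` expression: HTML-escaped when rendered.
func Text(s string) Part { return Part{Value: s} }
// Raw models @templ.Raw: written verbatim, so only pass trusted, constant markup.
func Raw(s string) Part { return Part{Value: s, Raw: true} }

// Render joins the parts inside a <div>, escaping every non-raw part
// (html.EscapeString stands in for templ's escaper here; an assumption).
func Render(parts ...Part) string {
	var sb strings.Builder
	sb.WriteString("<div>")
	for _, p := range parts {
		if p.Raw {
			sb.WriteString(p.Value)
		} else {
			sb.WriteString(html.EscapeString(p.Value))
		}
	}
	sb.WriteString("</div>")
	return sb.String()
}

// HelloEscaped is the issue's hello() with the entity in a normal expression.
func HelloEscaped(name, entity string) string {
	return Render(Text(name), Text(" 45"), Text(entity), Text("F"))
}

// HelloRaw is the workaround from the first comment: the entity via @templ.Raw.
func HelloRaw(name, entity string) string {
	return Render(Text(name), Text(" 45"), Raw(entity), Text("F"))
}

func main() {
	// Constructed inputs: a literal degree sign, the HTML entity, and untrusted markup.
	for _, e := range []string{"°", "&deg;", "<script>alert(1)</script>"} {
		fmt.Printf("escaped: %s\nraw:     %s\n", HelloEscaped("Temperature", e), HelloRaw("Temperature", e))
	}
}
```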