Document template content escaping and security rules #3539
Comments
|
This is not a bug. It's how Go templates work. It can also be one of the most confusing parts of using Go templates IMO. Namely, how do we properly output content to avoid the Go template engine from escaping it? There are cases like this one where it doesn't act the way you think it should. We need to provide some great documentation and guidance for these rules. More examples of confusion:
/cc @rdwatters |
moorereason
changed the title
|
I saw a very large number of these questions, but somehow didn't realise how to fix this. After reading <time class="post-date" {{ printf "datetime=%s" (.Date.Format "2006-01-02T15:04:05-0700") | safeHTMLAttr }}>...works great! It would definitely help if this were documented somewhere more clearly and made easy to find. I only have a preliminary understanding now, but I would love to contribute if it would help. Maybe another section in the Go Template Primer or a new sub division in the Templates section? I'm editing my initial "bug" report to reflect that this is not a bug. |
|
Soon we will switch to a overhauled version of the docs. They actual docs also moved into their own repo. This repo only contains the actual source code. Hence this issue doesn't belong to this repo anymore. For further discussions, comments etc. please refer to rdwatters/hugo-docs-concept#125. |
|
This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs. |
The original issue is below, but it was not actually a bug, rather a misunderstanding of the way autoescaping (and preventing it) works in Go templates. The issue has been renamed to reflect this.
I was trying to use the following code to insert a timestamp into a
<time>tag:but this outputs:
note the escaped
+as+. Shouldn'tsafeHTMLAttrallow using a raw+? (Or-for that matter.)The text was updated successfully, but these errors were encountered: