-
-
Notifications
You must be signed in to change notification settings - Fork 7.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Document template content escaping and security rules #3539
Comments
This is not a bug. It's how Go templates work. It can also be one of the most confusing parts of using Go templates IMO. Namely, how do we properly output content to avoid the Go template engine from escaping it? There are cases like this one where it doesn't act the way you think it should. We need to provide some great documentation and guidance for these rules. More examples of confusion:
/cc @rdwatters |
I saw a very large number of these questions, but somehow didn't realise how to fix this. After reading <time class="post-date" {{ printf "datetime=%s" (.Date.Format "2006-01-02T15:04:05-0700") | safeHTMLAttr }}>... works great! It would definitely help if this were documented somewhere more clearly and made easy to find. I only have a preliminary understanding now, but I would love to contribute if it would help. Maybe another section in the Go Template Primer or a new sub division in the Templates section? I'm editing my initial "bug" report to reflect that this is not a bug. |
Soon we will switch to a overhauled version of the docs. They actual docs also moved into their own repo. This repo only contains the actual source code. Hence this issue doesn't belong to this repo anymore. For further discussions, comments etc. please refer to rdwatters/hugo-docs-concept#125. |
This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs. |
The original issue is below, but it was not actually a bug, rather a misunderstanding of the way autoescaping (and preventing it) works in Go templates. The issue has been renamed to reflect this.
I was trying to use the following code to insert a timestamp into a
<time>
tag:but this outputs:
note the escaped
+
as+
. Shouldn'tsafeHTMLAttr
allow using a raw+
? (Or-
for that matter.)The text was updated successfully, but these errors were encountered: