On Fri, Mar 13, 2026 at 4:45 PM Touring Tim <[email protected]> wrote:
>
> Unfortunately that would change lots of other things. There are IDs
> generated as well within the header tags for navigation from a table of
> contents.
>
> I agree I can build a workaround in many ways but I shouldn't have to. The
> whole template is HTML and if I don't have that variable there, just H1
> hardcoded, then it works. I insert a simple variable and it breaks and yet
> the variable is HTML.
>
> There needs to be something in Go that should show this. If they want to
> start second guessing if the final output is safe or not then parse the
> final output. Don't get hung up on a variable.

The html/template package can only generate safe output if it can recognize the tags. Otherwise it can't know what sort of escaping to do. For example, the escaping needs to change if it sees a <script> tag.

Your program is providing the tag dynamically. html/template does not support that kind of dynamic determination of escape context.

Ian
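
An added example, not part of the thread or of the Go project's code: it shows what html/template does when the tag name comes from an action, next to one way to keep per-heading IDs while choosing the tag from a fixed set. The helper `heading`, the function names, the data keys and the sample values are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
)

// render parses and executes one template; funcs may be nil.
func render(tmpl string, funcs template.FuncMap, data any) (string, error) {
	t, err := template.New("h").Funcs(funcs).Parse(tmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	err = t.Execute(&buf, data)
	return buf.String(), err
}

// renderDynamic supplies the tag name through an action. The escaper sees a
// bare "<" followed by a value, not a tag, so it emits the "<" as "&lt;".
func renderDynamic(tag, id, title string) (string, error) {
	return render(`<{{.Tag}} id="{{.ID}}">{{.Title}}</{{.Tag}}>`, nil,
		map[string]string{"Tag": tag, "ID": id, "Title": title})
}

// heading (hypothetical helper) picks the tag from the fixed set h1..h6 and
// escapes id and title itself, so the result can be marked template.HTML.
func heading(level int, id, title string) (template.HTML, error) {
	if level < 1 || level > 6 {
		return "", fmt.Errorf("heading level %d outside 1..6", level)
	}
	return template.HTML(fmt.Sprintf(`<h%d id="%s">%s</h%d>`, level,
		template.HTMLEscapeString(id), template.HTMLEscapeString(title), level)), nil
}

// renderAllowList calls heading from the template instead of a dynamic tag.
func renderAllowList(level int, id, title string) (string, error) {
	return render(`{{heading .Level .ID .Title}}`, template.FuncMap{"heading": heading},
		map[string]any{"Level": level, "ID": id, "Title": title})
}

func main() {
	// Constructed sample values.
	fmt.Println(renderDynamic("h2", "intro", "Intro"))
	fmt.Println(renderAllowList(2, "intro", `A <b> & "q"`))
	fmt.Println(renderAllowList(7, "intro", "Intro"))
}
```

Because `heading` returns `template.HTML`, the package trusts its output as-is; the safety of that path rests on the level check and on escaping every caller-supplied string inside the helper.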
