Whitelist tags exempt from escaping using Go's html/template

Question

Pass a []byte into a template as the body of a message post on a forum-style web app. In the template, call a method to convert to string and along the way, switch out all newlines for line breaks:

<p>{{.BodyString}}</p>

...

func (p *Post) BodyString() string {
    nl := regexp.MustCompile(`\n`)
    return nl.ReplaceAllString(string(p.Body), `<br>`)
}

What you'll end up with:

paragraphs <br> <br>in <br> <br>this <br> <br>post

I don't want to pass the entire post in with HTML(p.Body), as it represents third party data from potentially untrustworthy sources. Is there a way to whitelist only some tags for formatting purposes using the vanilla Go1 template package?

Answer 1

Score: 2

I do think you want to parse the HTML. The HTML parser in exp/html was deemed incomplete and so removed from Go 1, although the exp tree is still in the Go source tree and can be accessed by weekly tag, for example. I don't know exactly what is incomplete. I used it for a simple task once and it met my needs.

Also of course, check the dashboard and see related SO post, https://stackoverflow.com/questions/9986329/any-smart-method-to-get-exp-html-back-after-go1/, mostly for the recommendation of http://code.google.com/p/go-html-transform/

Answer 2

Score: 1

I'm afraid the template package cannot help with this too much. If you want to remove specific (black-listed) tags (resp. the sub-tree enclosed by such tags) or allow to pass only specific tags (white-listed) then I think probably nothing less than parsing and rewriting the html AST can be a good solution. That said, one can see here and there some crazy REs trying to do the same, but I don't consider that a "good solution" and I doubt they can be a "correct" solution in the general case of a specs conforming HTML, including several legal irregularities, as it is probably ruled out of a regular grammar category problem.
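
For the narrow case in the question (line breaks plus a few attribute-free formatting tags), an escape-first approach works with the standard library alone. The following is an added example, not code from the question or either answer; the `BodyHTML` method, the `Render` helper and the tag list are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"html/template"
	"strings"
)

// Post mirrors the question's type; Body is untrusted user input.
type Post struct{ Body []byte }

// allowedTags is an assumed whitelist of attribute-free formatting tags.
var allowedTags = []string{"b", "i", "em", "strong"}

// BodyHTML (hypothetical replacement for BodyString) escapes the whole body,
// then restores only exact, attribute-free whitelisted tags and adds <br>.
func (p *Post) BodyHTML() template.HTML {
	s := template.HTMLEscapeString(string(p.Body))
	for _, t := range allowedTags {
		s = strings.ReplaceAll(s, "&lt;"+t+"&gt;", "<"+t+">")
		s = strings.ReplaceAll(s, "&lt;/"+t+"&gt;", "</"+t+">")
	}
	s = strings.ReplaceAll(s, "\r\n", "\n")
	// template.HTML tells html/template not to escape this value again.
	return template.HTML(strings.ReplaceAll(s, "\n", "<br>"))
}

var page = template.Must(template.New("post").Parse(`<p>{{.BodyHTML}}</p>`))

// Render executes the template for one post body and returns the markup.
func Render(body string) (string, error) {
	var sb strings.Builder
	err := page.Execute(&sb, &Post{Body: []byte(body)})
	return sb.String(), err
}

func main() {
	// Constructed sample input: one allowed tag, one newline, one blocked tag.
	out, err := Render("<b>hi</b>\n<script>x()</script>")
	if err != nil {
		panic(err)
	}
	fmt.Println(out)
}
```

Because everything is escaped before any tag is restored, a tag carrying attributes or text that already contains `&lt;b&gt;` stays inert. The method does not balance open and close tags; a whitelist that needs attributes or nesting rules calls for a real HTML parser, as both answers say.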

huangapple
  • Posted on April 5, 2012, 16:38:23
  • When reposting, please keep the link to this article: https://go.coder-hub.com/10025292.html