英文:
Why am I seeing ZgotmplZ in my Go HTML template output?
问题
当我调用一个Go模板函数来输出HTML时,它显示为ZgotmplZ
。
示例代码:
http://play.golang.org/p/tfuJa_pFkm
package main
import (
"html/template"
"os"
)
func main() {
funcMap := template.FuncMap{
"printSelected": func(s string) string {
if s == "test" {
return `selected="selected"`
}
return ""
},
"safe": func(s string) template.HTML {
return template.HTML(s)
},
}
template.Must(template.New("Template").Funcs(funcMap).Parse(`
<option {{ printSelected "test" }} {{ printSelected "test" | safe }}>test</option>
`)).Execute(os.Stdout, nil)
}
输出:
<option ZgotmplZ ZgotmplZ>test</option>
英文:
When I'm calling a Go template function to output HTML, it displays ZgotmplZ
.
Sample code:
http://play.golang.org/p/tfuJa_pFkm
package main
import (
"html/template"
"os"
)
func main() {
funcMap := template.FuncMap{
"printSelected": func(s string) string {
if s == "test" {
return `selected="selected"`
}
return ""
},
"safe": func(s string) template.HTML {
return template.HTML(s)
},
}
template.Must(template.New("Template").Funcs(funcMap).Parse(`
<option {{ printSelected "test" }} {{ printSelected "test" | safe }} >test</option>
`)).Execute(os.Stdout, nil)
}
Output:
<option ZgotmplZ ZgotmplZ >test</option>
答案1
得分: 38
"ZgotmplZ"是一个特殊的值,表示在运行时,不安全的内容达到了CSS或URL上下文。示例的输出将是:
<img src="#ZgotmplZ">
您可以向模板的funcMap中添加一个safe和attr函数:
package main
import (
"html/template"
"os"
)
func main() {
funcMap := template.FuncMap{
"attr":func(s string) template.HTMLAttr{
return template.HTMLAttr(s)
},
"safe": func(s string) template.HTML {
return template.HTML(s)
},
}
template.Must(template.New("Template").Funcs(funcMap).Parse(`
<option {{ .attr |attr }} >test</option>
{{.html|safe}}
`)).Execute(os.Stdout, map[string]string{"attr":`selected="selected"`,"html":`<option selected="selected">option</option>`})
}
输出将如下所示:
<option selected="selected" >test</option>
<option selected="selected">option</option>
您可能还想定义一些其他函数,可以将字符串转换为template.CSS、template.JS、template.JSStr、template.URL等。
英文:
"ZgotmplZ" is a special value that indicates that unsafe content reached a
CSS or URL context at runtime. The output of the example will be:
<img src="#ZgotmplZ">
You can add a safe and attr function to the template funcMap:
package main
import (
"html/template"
"os"
)
func main() {
funcMap := template.FuncMap{
"attr":func(s string) template.HTMLAttr{
return template.HTMLAttr(s)
},
"safe": func(s string) template.HTML {
return template.HTML(s)
},
}
template.Must(template.New("Template").Funcs(funcMap).Parse(`
<option {{ .attr |attr }} >test</option>
{{.html|safe}}
`)).Execute(os.Stdout, map[string]string{"attr":`selected="selected"`,"html":`<option selected="selected">option</option>`})
}
The output will look like:
<option selected="selected" >test</option>
<option selected="selected">option</option>
You may want to define some other functions which can convert string to template.CSS, template.JS, template.JSStr, template.URL etc.
答案2
得分: 9
我在<img src="{{myfunction}}">
中遇到了类似的问题,其中myfunction返回编码后的图像。
最后,当函数返回template.URL(mystring)
而不是字符串时,我解决了这个问题。
英文:
I had similar problem with <img src="{{myfunction}}">
where myfunction return encoded image.
Finally I solved it when instead of string function return template.URL(mystring)
.
答案3
得分: 4
你正在尝试在模板/HTML认为不安全的位置输出HTML(例如,在HTML元素内部,像这样:
<option {{ printSelected }}>
我找不到任何方法来说服它是安全的(包括返回template.HTML而不是字符串);我找到的唯一替代方法是重写模板,在这个例子中使用布尔输出:
<option {{ if printSelected }}selected{{ end }}>
英文:
You are trying to output HTML in a place where template/html thinks is unsafe (for example, inside an HTML element, like this:
<option {{ printSelected }}>
I cannot find any way to convince it it is safe (including returning template.HTML instead of string); the only alternative I have found is to rewrite the template, in this example use a bool output instead:
<option {{ if printSelected }}selected{{ end }}>
答案4
得分: 4
<div>test div</div>
<option selected="selected" style="font-size: 15px">test</option>
<script>console.log("hello world")</script>
<img src="https://upload.wikimedia.org/wikipedia/commons/5/53/Google_%22G%22_Logo.svg">
英文:
package main
import (
"html/template"
"os"
)
type T struct {
HTML template.HTML
ATTR template.HTMLAttr
URL template.URL
JS template.JS
CSS template.CSS
}
func main() {
data := T{
HTML: `<div>test div</div>`,
ATTR: `selected="selected"`,
URL: `https://upload.wikimedia.org/wikipedia/commons/5/53/Google_%22G%22_Logo.svg`,
CSS: `font-size: 15px`,
JS: `console.log("hello world")`,
}
template.Must(template.New("Template").Parse(`
{{.HTML}}
<option {{.ATTR}} style="{{.CSS}}">test</option>
<script>{{.JS}}</script>
<img src="{{.URL}}">
`)).Execute(os.Stdout, data)
}
output
<div>test div</div>
<option selected="selected" style="font-size: 15px">test</option>
<script>console.log("hello world")</script>
<img src="https://upload.wikimedia.org/wikipedia/commons/5/53/Google_%22G%22_Logo.svg">
答案5
得分: 3
最简单的方法:
import "html/template"
yourhref = template.URL(yourhref)
英文:
easiest way:
import "html/template"
yourhref = template.URL(yourhref)
答案6
得分: 1
你应该将字符串包装在HTMLAttr
中,它是为在尖括号之间注入的文本而设计的。根据文档:
https://golang.org/pkg/html/template/#HTMLAttr
> HTMLAttr封装了来自可信源的HTML属性,例如, dir="ltr"
。
>
> 使用此类型存在安全风险:封装的内容应来自可信源,因为它将原样包含在模板输出中。
>
>type HTMLAttr string
英文:
You should wrap the string in an HTMLAttr
, which was designed for text that gets injected in between angle brackets. Per the documentation:
https://golang.org/pkg/html/template/#HTMLAttr
> HTMLAttr encapsulates an HTML attribute from a trusted source, for example,  dir="ltr"
.
>
> Use of this type presents a security risk: the encapsulated content should come from a trusted source, as it will be included verbatim in the template output.
>
>type HTMLAttr string
答案7
得分: 0
我试图将frontmatter中的图像插入到我的模板中,但一直出现相同的错误。我通过以下方式解决了这个问题:
{{ if isset .Params "image" }}
{{ $myVar := print .Params.image }}
<img src="{{ $myVar }}">
{{ end }}
请注意,我首先将.Params.image
保存为一个变量,然后将其插入到我的src
中。
英文:
I was trying to insert an image from frontmatter into my template but kept getting the same error. I solved it thus:
{{ if isset .Params "image" }}
{{ $myVar := print .Params.image }}
<img src="{{ $myVar }}">
{{ end }}
Notice that I first save the .Params.image
as a variable, and then insert it as my src
.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论