What are context aware variables?
Question
I heard someone talking about how Go has a good implementation of "context aware variables" when working with HTML. What are they and how do they work?
I'm guessing, since it was related to security, that it's some sort of variable that knows if it has been sanitized or not. Is it something like a class called unsanitizedString where it automatically sanitizes the contents when casting to a normal string?
Answer 1
Score: 4
The html/template package is context aware.
> This package understands HTML, CSS, JavaScript, and URIs. It adds sanitizing functions to each simple action pipeline.
So if you have a variable Foo that contains <script>alert('you have been pwned')</script> and you print it inside an HTML element <p>{{.Foo}}</p>, Foo will be properly escaped to avoid script injection.
When using html/template you have to add explicit types to your variables if you want to override when escaping should happen.
Here is an example
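To make the answer's point concrete, the following is an added Go example, not code from the original answer: it renders one constructed payload (the same string the answer uses for Foo) through html/template in several contexts, so you can see the package choosing a different escaper per context, and then shows the typed override with template.HTML. The `render` and `renderTrusted` helpers, the template snippets and the sample URLs are assumptions made for this illustration, not anything the page supplies.

```go
package main

import (
	"fmt"
	"html/template"
	"strings"
)

// payload is a constructed XSS probe, the same string the answer uses for Foo.
const payload = "<script>alert('you have been pwned')</script>"

// render parses src with html/template and executes it against data.
// At parse time the package tracks which HTML, attribute, JavaScript or URL
// context each {{action}} sits in and inserts the matching escaper into that
// action's pipeline. The template author never names the escaper; the
// variable is "context aware" because the context, not the value, picks it.
func render(src string, data any) (string, error) {
	t, err := template.New("demo").Parse(src)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	if err := t.Execute(&sb, data); err != nil {
		return "", err
	}
	return sb.String(), nil
}

// renderTrusted renders s typed as template.HTML, the explicit type that tells
// html/template "already safe HTML, do not escape". This is the override the
// answer refers to; only use it for markup you generated or sanitized yourself.
func renderTrusted(src, s string) (string, error) {
	return render(src, template.HTML(s))
}

// mustRender is a convenience wrapper for the demo in main.
func mustRender(src string, data any) string {
	out, err := render(src, data)
	if err != nil {
		panic(err)
	}
	return out
}

func main() {
	// The same untrusted string rendered in several contexts.
	// HTML text: <, > and ' become entities, so no element is created.
	fmt.Println(mustRender(`<p>{{.}}</p>`, payload))
	// Quoted attribute: entity escaping again, so the value cannot close the quote.
	fmt.Println(mustRender(`<div title="{{.}}"></div>`, payload))
	// JavaScript: the value becomes a JSON string literal with < and > written as
	// \u003c and \u003e, so a "</script>" inside the data cannot end the script block.
	fmt.Println(mustRender(`<script>var x = {{.}};</script>`, payload))
	// URL attribute: an unsafe scheme is replaced by the sentinel #ZgotmplZ ...
	fmt.Println(mustRender(`<a href="{{.}}">link</a>`, "javascript:alert(1)"))
	// ... while a safe URL is only normalised (the space becomes %20).
	fmt.Println(mustRender(`<a href="{{.}}">link</a>`, "https://example.com/?q=a b"))

	// Override: a template.HTML value is emitted verbatim.
	out, _ := renderTrusted(`<p>{{.}}</p>`, "<b>trusted markup</b>")
	fmt.Println(out)
	// The type is not contagious: the identical bytes as a plain string are still escaped.
	fmt.Println(mustRender(`<p>{{.}}</p>`, "<b>trusted markup</b>"))
}
```

Note that the override is a type, not a cast of the variable itself: only a value of type template.HTML (or template.JS, template.URL and friends) bypasses the escaper for its context, and a plain string carrying the same bytes is still escaped. That is the opposite of the "unsanitizedString" guess in the question: the default is escaped, and the explicit type marks the exception.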
Comments