HTML Encoding happens even when equal signs are being used to turn off encoding

Question

HTML Encoding happens even when equal signs are being used to turn off encoding

marcsantiago opened this issue 3 years ago · 1 comments

The code seems to still encode html entities even when specifying escaping should not happen with the equal sign ({%s= text %}). It seems the issue is with the file below and it ignoring that encoding should be ignored and is forcing encoding on these characters <, >, ", \, &

https://github.com/timehop/nimbus/blob/1127cdc80453fe87ff9a1c33a48114e995f14bb9/vendor/github.com/valyala/quicktemplate/htmlescapewriter.go#L12

The Go standard html/template does this correctly. When you specify a string as template.HTML it does encode ampersands or any other html entity as we've explicitly turn that off.

Whereas with quicktemplate {%s= text %} works for everything but <, >, ", \, &

package main

import (
	"fmt"
	"html/template"
	"log"
	"os"
)

func main() {
	check := func(err error) {
		if err != nil {
			log.Fatal(err)
		}
	}

	markup := `<img src="foobar.com?key=value&key2=value2&key3=value3">`
	t, err := template.New("foo").Parse(`{{define "T"}}Hello, {{.}}!{{end}}`)
	check(err)

	// with HTML encoding e.g & -> &amp;
	err = t.ExecuteTemplate(os.Stdout, "T", markup)
	check(err)
	fmt.Printf("\n\n")
	// without HTML encoding & -> &
	err = t.ExecuteTemplate(os.Stdout, "T", template.HTML(markup))
        check(err)
}

Answer 1 · 2021-06-11T22:06:51.000Z

Closing, this is my mistake