Why Does My Go HTML Template Output 'ZgotmplZ'?-Golang-php.cn

Why Does My Go HTML Template Output 'ZgotmplZ'?

Linda Hamilton

Release： 2024-12-17 18:59:11

Original

309 people have browsed it

Why Does My Go HTML Template Output

Understanding "ZgotmplZ" in Go HTML Templates

When working with Go HTML templates, you may encounter the enigmatic string "ZgotmplZ" as output. This peculiar value has a specific meaning that demands attention.

Why ZgotmplZ Appears

"ZgotmplZ" emerges when potentially unsafe content enters a CSS or URL context during runtime. This occurs when HTML is embedded directly into CSS or URL attributes, which can introduce security vulnerabilities. To protect against these risks, the template engine inserts "ZgotmplZ" as a placeholder, preventing the unsafe content from being executed.

A Sample Example

Consider the following template code:

func printSelected(s string) string {
    if s == "test" {
        return `selected="selected"`
    }
    return ""
}

func main() {
    funcMap := template.FuncMap{
        "printSelected": printSelected,
        "safe": func(s string) template.HTML {
            return template.HTML(s)
        },
    }
    template.Must(template.New("Template").Funcs(funcMap).Parse(`
        <option {{ printSelected "test" }} {{ printSelected "test" | safe }} >test</option>
    `)).Execute(os.Stdout, nil)

}

Copy after login

When executed, this template produces the output:

<option ZgotmplZ ZgotmplZ >test</option>

Copy after login

Securing Template Output

To ensure the safety of your template output, you can utilize "funcMap" to implement the "attr" and "safe" functions:

func attr(s string) template.HTMLAttr {
    return template.HTMLAttr(s)
}

func main() {
    funcMap := template.FuncMap{
        "attr": attr,
        "safe": func(s string) template.HTML {
            return template.HTML(s)
        },
    }

    template.Must(template.New("Template").Funcs(funcMap).Parse(`
        <option {{.attr | attr}}>test</option>
        {{.html | safe}}
    `)).Execute(os.Stdout, map[string]string{
        "attr": `selected="selected"`,
        "html": `<option selected="selected">option</option>`,
    })
}

Copy after login

This modified code results in the following output:

<option selected="selected">test</option>
<option selected="selected">option</option>

Copy after login

Conclusion

By understanding the significance of "ZgotmplZ" and implementing the "attr" and "safe" functions, you can ensure that your Go HTML templates produce safe and secure output, minimizing the risk of vulnerabilities and preserving the integrity of your applications.

The above is the detailed content of Why Does My Go HTML Template Output 'ZgotmplZ'?. For more information, please follow other related articles on the PHP Chinese website!