<p>I'm trying to do something like this: <a href="https://play.golang.org/p/4300MheGPS" rel="nofollow">https://play.golang.org/p/4300MheGPS</a></p>
<p>For some reason <code>template.HTML</code> will remove tags if you put the template variable as the attribute of a tag - how can I stop this? I want the output to be <code>&lt;input value="&lt;b&gt;text&lt;/b&gt;"&gt;</code> in that example above.</p>
<hr/>**Comments:**<br/><br/>SourLemon15: <pre><p>Try using the <code>template.HTMLAttr</code> type instead, like this: <a href="https://play.golang.org/p/TU5CX9Kstj" rel="nofollow">https://play.golang.org/p/TU5CX9Kstj</a></p>
<p>You just need to remember to set the entire attribute, like <code>value="&lt;b&gt;text&lt;/b&gt;"</code> instead of only the value (<code>&lt;b&gt;text&lt;/b&gt;</code>).</p>
<p><strong>Edit:</strong></p>
<p>Also, before using this method just remember that this is a security risk and could very easily introduce a vector of attack into your application that would allow for XSS.</p>
<p>The <a href="https://golang.org/pkg/html/template/#HTMLAttr" rel="nofollow">Go documentation here</a> also warns about the inherent security risk this introduces, so only use it with 100% trusted input if you have no other choice.</p></pre>qrv3w: <pre><p>I think this solution will work for me, thanks! The HTML is coming from <a href="https://trix-editor.org/" rel="nofollow">https://trix-editor.org/</a> which will escape tags on the input and only adds HTML internally. I will also be sanitizing it with bluemonday.</p></pre>earthboundkid: <pre><p><a href="http://xyproblem.info/" rel="nofollow">http://xyproblem.info/</a></p>
<p>The thing you are trying to do will produce invalid HTML. </p>
<p>What do you actually want to do?</p></pre>SourLemon15: <pre><p>As far as I can tell <code>&lt;input value="&lt;b&gt;text&lt;/b&gt;"&gt;</code> isn't actually invalid HTML, at least in HTML5. You just need to escape any <code>"</code> and <code>&amp;</code> characters inside the quotes from what I remember.</p>
<p>I haven't found anything myself to show that this is invalid, and all HTML5 validators I've tried have no problem with it, so is there anything you can point me to that says this is invalid?
Because if it is then I would really like to know so I can stop doing it in my own code for things like tooltips etc.</p>
<p>That said I don't know how well Go's templating will handle stuff like this. There is <code>template.HTMLAttr</code> which is what I suggested to use, but I tend to stay away from Go templating so I don't know how well <code>template.HTMLAttr</code> works in cases like this.</p>
<p>Good point about the XY problem though :)</p></pre>jerf: <pre><p>It is likely what <a href="/u/qrv3w" rel="nofollow">/u/qrv3w</a> really needs to do is <a href="https://play.golang.org/p/s_jkHt9kWl" rel="nofollow">this</a>, which is the original post with the <code>template.HTML</code> wrapper removed from the string.</p>
<p>Tags within attributes may not be invalid in HTML5, but it's still asking for trouble. For one thing, if the contents of <code>template.HTML</code> end up with user input in them, this will, despite the html/template's author's best efforts, end up permitting cross-site scripting attacks and such. It's just better to learn to "color within the lines" with HTML rather than use the escape hatches. <code>template.HTML</code> is for when you have a block of pre-encoded content, like a blog post stored as literal HTML.</p>
<p>The only conceivable reason I can imagine to want literal <code>&lt;b&gt;</code> within the value attribute is "I like the way it looks better than all that <code>&lt;b&gt;</code> stuff", and the solution to that is just to let that desire go. :)</p></pre>SourLemon15: <pre><p>I agree it's definitely asking for trouble assuming you can't 100% guarantee the contents of the HTML you want to output, and the Go documentation of course makes it abundantly clear that it is a security risk and should only be used on trusted sources.</p>
<p>In my own experience I have had to do what the OP is asking for so I could pass HTML formatted tooltips to a JS library that was just printing out any form of escaping as the literal values, which is why I just gave a straightforward answer. But of course I wouldn't inject any user input using this method.</p>
<p>My own answer to the question just assumed that things like XSS were obvious to be careful of, but I'll edit it to point directly to the documentation and mention the security issues, just in case anyone takes my answer at face value and just dumps it in their code.</p></pre>qrv3w: <pre><p>I am using the <a href="https://trix-editor.org" rel="nofollow">trix editor</a> which is HTML based. To repopulate the editor with saved content, the trix editor requires putting HTML into the <code>value</code> attribute of an <code>input</code> tag (documented <a href="https://github.com/basecamp/trix#populating-with-stored-content" rel="nofollow">here</a>, and see the source of <a href="https://trix-editor.org" rel="nofollow">https://trix-editor.org</a> for another example). Therefore, I would most like to have code like <code>&lt;input id="content" value="{{ .HTML }}"&gt;</code> to repopulate the trix editor with the HTML when processing the template.</p>
<p>The editor can also be repopulated by setting it with Javascript, so my current workaround is to set it as a Javascript variable in the template, and then I have Javascript that unescapes it and then uses the <a href="https://github.com/basecamp/trix#inserting-html" rel="nofollow">trix API to update</a> it. It's not very elegant, so I was curious if I could directly just put it into the <code>value</code> attribute.</p></pre>
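<p>As an added example (not code from the thread or any of its posters), the Go program below renders the three variants discussed above side by side: the plain string jerf points to, the <code>template.HTML</code> wrapper from the question, and SourLemon15's <code>template.HTMLAttr</code>. The sample content and the helper names <code>render</code> and <code>browserSeesValue</code> are assumptions made here; <code>browserSeesValue</code> only approximates how a browser decodes a quoted attribute value.</p>

```go
package main

import (
	"bytes"
	"fmt"
	"html"
	"html/template"
	"strings"
)

// render executes a one-line html/template against data and returns the output.
func render(src string, data any) (string, error) {
	t, err := template.New("t").Parse(src)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// browserSeesValue returns the value attribute as a browser decodes it: the text
// between value=" and the next ", with HTML entities unescaped (helper assumed here).
func browserSeesValue(rendered string) string {
	_, rest, ok := strings.Cut(rendered, `value="`)
	if !ok {
		return ""
	}
	raw, _, _ := strings.Cut(rest, `"`)
	return html.UnescapeString(raw)
}

func main() {
	const content = "<b>text</b>" // constructed sample standing in for saved editor HTML
	// 1. Plain string in a quoted attribute: < > & " become entities, and the
	//    browser decodes them, so the input's value really is <b>text</b>.
	plain, _ := render(`<input value="{{.}}">`, content)
	// 2. template.HTML in an attribute: html/template strips the tags instead of
	//    escaping them, which is the behaviour the question ran into.
	asHTML, _ := render(`<input value="{{.}}">`, template.HTML(content))
	// 3. template.HTMLAttr: the whole attribute is emitted verbatim, unescaped,
	//    so every byte of it must come from a trusted source.
	asAttr, _ := render(`<input {{.}}>`, template.HTMLAttr(`value="`+content+`"`))
	fmt.Println(plain)  // <input value="&lt;b&gt;text&lt;/b&gt;">
	fmt.Println(asHTML) // <input value="text">
	fmt.Println(asAttr) // <input value="<b>text</b>">
	fmt.Println(browserSeesValue(plain)) // <b>text</b>
}
```

<p>Run with <code>go run main.go</code>; variant 1 is the one that both survives html/template's contextual escaping and keeps the markup out of the trust boundary.</p>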