Two questions: is the standard http router "enough" for a safe server, and templating security

agolangf · · 507 次点击    
这是一个分享于 的资源,其中的信息可能已经有所发展或是发生改变。
<p>I&#39;ll probably delete this since it&#39;s two unrelated questions, but these have been burning in my mind for several months, and I can&#39;t seem to figure it out.</p> <p>1) Is the standard router to my files &#34;enough&#34; to start building a safe server from? I realize it&#39;s not going to have many of the features a typical website would have, but are there safety considerations or other issues to think about <strong>before</strong> I start scaling? I&#39;d love to tinker from the ground up, instead of using a library that already has a lot of the features I would like to build towards, in order to learn. </p> <p>2) Second, if I&#39;m using all server-sided logic with no user input, is the standard templating library considered (text/template) safe? Or should I still use html/template? There are some templating tasks that are essentially impossible to perform if I&#39;m escaping html. But I want to be thorough in how I think about this, for future security&#39;s sake. </p> <p>I realize these are beginner&#39;s questions, but every time I start a small web project, I doubt myself when I start to scale it a little. Thanks so much! I may never have learned to love playing with Go had it not been for this community.</p> <hr/>**评论:**<br/><br/>cube2222: <pre><p>So to answer both of your questions:</p> <ol> <li><p>Basically, use the standard library whenever there isn&#39;t a sure reason not to. It&#39;s well thought through and very well written, you shouldn&#39;t have problems with it.</p></li> <li><p>Well, the no user input part at all makes me think it could be enough to use text/template. However, for future security&#39;s sake better use the html/template library. Because when you scale you may not notice when you actually start accepting user input and forget to change to html/template.</p></li> </ol> <p>Good luck with your web app!</p></pre>plasticmacaroni: <pre><p>Thank you so much! You&#39;ve given me peace of mind; I think PHP makes me distrust everything.</p></pre>dankcode: <pre><p>1) Yes provided that you don&#39;t need more complicated route resolution patterns. The stdlib is fine but the routing paths are rather limited. 2) Html/template is preferred to text/template for html. The text/template lib has less functionality available to it out of the box.</p></pre>plasticmacaroni: <pre><p>Thank you! I had a lot of problems performing some of the logic behind adding elements to the page in the html/template package before, which obviously escapes things the text/template package doesn&#39;t. I&#39;ll give it another ...go... (heh heh)</p></pre>

入群交流(和以上内容无关):加入Go大咖交流群,或添加微信:liuxiaoyan-s 备注:入群;或加QQ群:692541889

507 次点击  
加入收藏 微博
0 回复
暂无回复
添加一条新回复 (您需要 登录 后才能回复 没有账号 ?)
  • 请尽量让自己的回复能够对别人有帮助
  • 支持 Markdown 格式, **粗体**、~~删除线~~、`单行代码`
  • 支持 @ 本站用户;支持表情(输入 : 提示),见 Emoji cheat sheet
  • 图片支持拖拽、截图粘贴等方式上传