Unescape css input in HTML

前端 未结 1 1417
说谎
说谎 2021-01-21 12:15

How do I unescape html?

I\'m passing a css file into html like this


I get this

<         


        
1条回答
  •  不思量自难忘°
    2021-01-21 13:21

    The Go HTML template package properly excapes CSS. Quoting from the documentation of the template package:

    The escaping is contextual, so actions can appear within JavaScript, CSS, and URI contexts.

    "ZgotmplZ" is a special value, it is used as a replacement if the value you're trying to include is invalid or unsafe in the context.

    So the problem is the CSS value you're trying to include, it is not safe. Try something simple first and see if it works, like:

    body {background-color: #000}
    

    Found the discussion of "ZgotmplZ" in the documentation (at type ErrorCode), quoting it:

    "ZgotmplZ" explanation:

    Example Template:

    
    where {{.X}} evaluates to `javascript:...`
    

    Discussion:

    "ZgotmplZ" is a special value that indicates that unsafe content reached a
    CSS or URL context at runtime. The output of the example will be
      
    If the data comes from a trusted source, use content types to exempt it
    from filtering: URL(`javascript:...`).
    

    Solution

    Since the code you try to insert is in the context of CSS code and not HTML, you can't/shouldn't use template.HTML(data).

    There is a predefined type CSS for safe inclusion of CSS code coming from trusted source, e.g. CSS code you specify and is not coming from an HTML form filled by the user. Example:

    var safeCss = template.CSS(`body {background-image: url("paper.gif");}`)
    

    And pass the safeCss value to your template parameter.

    0 讨论(0)
提交回复
热议问题