Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

html/templates - Replacing newlines with <br>

Tags:

html

templates

go

I'm loading a text file that has newlines in it, and pass it to html/templates.

Substituting the \n with <br> in the loaded string, they are escaped by the template to html &lt;br&gt; and displayed in the browser, instead of causing a line return.

How can I change this behavior without switching to text/templates (which doesn't have XSS protection)?

like image 747
toasted_flakes Avatar asked Dec 08 '12 15:12

toasted_flakes


4 Answers

The accepted answer can easily be turned into a custom template function:

func replaceNewline(s string) template.HTML {
    return template.HTML(strings.Replace(template.HTMLEscapeString(s), "\n", "<br>", -1))
}

Add it with func (*Template) Funcs

Example

package main

import (
    "html/template"
    "os"
    "strings"
)

const page = `<!DOCTYPE html>
<html>
  <body>
    <p>{{. | replaceNewline}}</p>
  </body>
</html>`

const text = `first line
<script>dangerous</script>
last line`

func main() {
    t := template.Must(template.New("page").Funcs(template.FuncMap{
        "replaceNewline": func(s string) template.HTML {
            return template.HTML(strings.Replace(template.HTMLEscapeString(s), "\n", "<br>", -1))
        },
    }).Parse(page))
    t.Execute(os.Stdout, text)
}

Output

<!DOCTYPE html>
<html>
  <body>
    <p>first line<br>&lt;script&gt;dangerous&lt;/script&gt;<br>last line</p>
  </body>
</html>

Go Playground

like image 193
ANisus Avatar answered Nov 20 '22 15:11

ANisus


It seems you could run template.HTMLEscape() on your text first to sanitize it, then do the \n to
substitution that you trust, then use that as pre-escaped and trusted template data.

Update: Expanding on Kocka's example, this is what I had in mind:

package main

import (
    "html/template"
    "os"
    "strings"
)

const page = `<!DOCTYPE html>
<html>
  <head>
  </head>
  <body>
    <p>{{.}}</p>
  </body>
</html>`

const text = `first line
<script>dangerous</script>
last line`

func main() {
    t := template.Must(template.New("page").Parse(page))
    safe := template.HTMLEscapeString(text)
    safe = strings.Replace(safe, "\n", "<br>", -1)
    t.Execute(os.Stdout, template.HTML(safe)) // template.HTML encapsulates a known safe HTML document fragment.
}

http://play.golang.org/p/JiH0uD5Zh2

Output is

<!DOCTYPE html>
<html>
  <head>
  </head>
  <body>
    <p>first line<br>&lt;script&gt;dangerous&lt;/script&gt;<br>last line</p>
  </body>
</html>

And text rendered in the browser is

first line
<script>dangerous</script>
last line
like image 23
Sonia Avatar answered Nov 20 '22 15:11

Sonia


Not sure where you're substituting \n for <br> but if it's in go, you can cast the string as template.HTML so it's not escaped.

See: http://golang.org/pkg/html/template/#HTML

If it's in a template, there should be a pipeline available, {{. | html}}

like image 4
dskinner Avatar answered Nov 20 '22 17:11

dskinner


You can do it like this:

package main

import (
    "html/template"
    "os"
)

const page = `<!DOCTYPE html>
<html>
  <head>
  </head>
  <body>
    <p>{{.}}</p>
  </body>
</html>`

func main() {
    t := template.Must(template.New("page").Parse(page))
    t.Execute(os.Stdout, template.HTML("<br>"))
}

Try it out!

like image 2
Kocka Avatar answered Nov 20 '22 15:11

Kocka