Go: html/template: template.HTML being escaped (rather than included verbatim) sometimes

Created on 29 Jun 2017 · 4 Comments · Source: golang/go

I've spotted a regression in html/template behavior in Go 1.9 Beta 2.

I investigated and was able to reduce it to the following relatively minimal test case.

https://play.golang.org/p/BrsSxT5CQK

Output with go1.8.3:

```
Hello, <strong>gopher</strong>.

---

<html>
    <body>
        Hello, <strong>gopher</strong>.
    </body>
</html>
```

Output with go1.9beta2:

```
Hello, <strong>gopher</strong>.

---

<html>
    <body>
        Hello, &lt;strong&gt;gopher&lt;/strong&gt;.
    </body>
</html>
```

I suspected this is caused by CL 37880, and I've confirmed that hunch. 9ffd9339da503b50571ec6806e5d6d2cf5d5912a is the first bad commit; its parent does not have the regression. /cc @stjj89 @rsc @mikesamuel @cespare

My understanding is that this is an unintended bug, because the commit message says:

html/template: panic if predefined escapers are found in pipelines during rewriting

Report an error if ...

But no panics/errors are reported. Only the output is different.

_(Adding milestone Go1.9, please let me know if that's not correct.)_

FrozenDueToAge NeedsInvestigation release-blocker

All 4 comments

@stjj89

Thanks for reporting this. The problem is that {{renderHTML}} gets rewritten to {{renderHTML | _html_template_htmlescaper}} after template "hello" is autoescaped, but then gets further rewritten to {{renderHTML | _html_template_htmlescaper | _html_template_htmlescaper}} after the main template is autoescaped, which leads to the overescaping.

9ffd933 removed some logic that would prevent this duplicate escaper from being inserted. I'm working on a fix right now.

CL https://golang.org/cl/47256 mentions this issue.

Note that the reported issue only occurs because template "hello" is executed (and thus escaped) on its own, before being executed as a nested template in the main template. All is well if the main template is directly executed. I've added logic in https://golang.org/cl/47256 to account for these edge cases.
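A regression check for the scenario discussed in this thread, as an added example that is not code from the issue or from the Go repository. The template sources, the `renderHTML` body, the untrusted sample string and the helper names `renderBoth` and `doubleEscaped` are constructed, because the playground snippet's source is not shown on this page.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"strings"
)

// Constructed templates: "hello" emits trusted markup (template.HTML) and an
// untrusted string; "main" includes "hello" as a nested template.
const helloSrc = `Hello, {{renderHTML}} and {{.}}.`
const mainSrc = `<html><body>{{template "hello" .}}</body></html>`

// renderBoth executes "hello" on its own first (which autoescapes it), then
// executes "main", which escapes the set again with "hello" nested inside.
func renderBoth(untrusted string) (standalone, nested string, err error) {
	funcs := template.FuncMap{
		"renderHTML": func() template.HTML { return "<strong>gopher</strong>" },
	}
	t := template.New("main").Funcs(funcs)
	if _, err = t.Parse(mainSrc); err != nil {
		return
	}
	if _, err = t.New("hello").Parse(helloSrc); err != nil {
		return
	}
	var a, b bytes.Buffer
	if err = t.ExecuteTemplate(&a, "hello", untrusted); err != nil {
		return
	}
	err = t.ExecuteTemplate(&b, "main", untrusted)
	return a.String(), b.String(), err
}

// doubleEscaped reports whether output shows an escaper applied where it
// should not be: trusted HTML escaped, or a string escaped twice.
func doubleEscaped(out string) bool {
	return strings.Contains(out, "&lt;strong&gt;") || strings.Contains(out, "&amp;lt;")
}

func main() {
	s, n, err := renderBoth("<i>x</i>") // constructed untrusted input
	fmt.Println(s, n, err, doubleEscaped(n))
}
```

On a toolchain with the fix, the nested output keeps the `template.HTML` value verbatim while the plain string is still escaped exactly once.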
