Safe HTML for Go

safehtml provides immutable string-like types that wrap web types such as HTML, JavaScript and CSS. These wrappers are safe by construction against XSS and similar web vulnerabilities, and they can only be interpolated in safe ways. You can read more about our approach to web security in our whitepaper, or this OWASP talk.

Additional subpackages provide APIs for managing exceptions to the safety rules, and a template engine with a syntax and interface that closely matches html/template. You can refer to the godoc for each (sub)package for the API documentation and code examples. More end-to-end demos are available in example_test.go.

This is not an officially supported Google product.

Comments
  • Add support for parsing templates text from the file system fs instead of the host operating system's file system

    Now that we have fs package, it would be useful to add ParseFS from the standard library package html/template into the safehtml/template API.

    func (t *Template) ParseFS(fs fs.FS, patterns ...string) (*Template, error)
    
  • Migrate packages that should not be imported to an internal directory

    Go build prevents external packages from importing anything below an "internal" directory in a package. "raw" and "safehtmlutils" should probably be moved to such a subdirectory to clarify their role.

  • tag with a version

    It would be nice if this module had a real semantic version. That can be done by adding a tag of the form vX.Y.Z. If you think the API might change backwards-incompatibly, set X=0, else set X=1. I recommend 0 because even though this package has stabilized inside Google, you may find that external users have different requirements.

  • template: support embed.FS

    Add ParseEmbedFS and Template.ParseEmbedFS, which accept an embed.FS.

    The name is chosen so that ParseFS is free if we later decide to support other implementations of fs.FS.

    This implies that users of safehtml will need to be on Go 1.16. Alternatively, we could put these functions under a go1.16 build tag.

    Fixes #7.

  • add support for html meta tag

    <meta name="Description" content="{{.Description}}">

    When dynamically setting the content attribute of a meta tag I get the following error.

    Critical: frontend.NewServer: NewServer(...): s.renderErrorPage(http.StatusInternalServerError, nil): html/template:base.tmpl:13:36: cannot escape action {{.Description}}: actions must not occur in the "content" attribute value context of a "meta" element

    This tag is useful for setting the description of a page in search results or link summary text for applications like Slack, and I think it should be considered safe.

    golang/go#40752

  • safe identifier characters should include all Unicode alphanumerics

    The documentation for safe identifiers says "alphanumeric" characters are allowed, but the implementation supports only ASCII letters and numbers. Unless there are security issues with Unicode characters, they should be supported.

    Motivation: documentation sites that want to use language identifiers as (part of) fragments for easy navigation, e.g. https://pkg.go.dev.

    The change I'm suggesting would be from

    var onlyAlphanumericsOrHyphenPattern = regexp.MustCompile(`^[-_a-zA-Z0-9]*$`)
    

    (https://github.com/google/safehtml/blob/v0.0.2/identifier.go#L49) to

    var onlyAlphanumericsOrHyphenPattern = regexp.MustCompile(`^[-_\pL\pN]*$`)
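
The regex change proposed in the post above, as an added example (not code from the safehtml project or from the poster): it runs both patterns, the current ASCII-only one and the proposed `\pL\pN` one, over constructed sample identifiers so the difference in what each accepts is visible. The function name `IdentifierVerdict` and the sample strings are assumptions made for this example.

```go
package main

import (
	"fmt"
	"regexp"
)

// The two whole-string identifier patterns quoted in the issue:
// the current ASCII-only check and the proposed Unicode-aware one.
// Both are anchored with ^ and $, so any character outside the class
// (whitespace, quotes, markup) rejects the entire identifier.
var (
	asciiPattern   = regexp.MustCompile(`^[-_a-zA-Z0-9]*$`)
	unicodePattern = regexp.MustCompile(`^[-_\pL\pN]*$`)
)

// IdentifierVerdict reports whether id passes the current ASCII-only
// check and whether it would pass the proposed Unicode-aware check.
// (Hypothetical helper written for this example.)
func IdentifierVerdict(id string) (ascii, unicode bool) {
	return asciiPattern.MatchString(id), unicodePattern.MatchString(id)
}

// Constructed sample identifiers: plain ASCII fragments, Unicode
// language names as pkg.go.dev might use, the empty string, and
// strings with characters that must never reach an attribute value.
var samples = []string{
	"go",
	"section-1_2",
	"Español",
	"日本語",
	"",
	"a b",
	`a"b`,
	"<b>",
}

func main() {
	for _, s := range samples {
		a, u := IdentifierVerdict(s)
		fmt.Printf("%-14q ascii=%-5t unicode=%t\n", s, a, u)
	}
}
```

Note that both patterns use `*`, so the regex on its own accepts the empty string; whether an empty identifier is rejected elsewhere is a separate question from the ASCII-versus-Unicode change the post proposes. The strings with a space, a quote and angle brackets fail under both patterns, which is the property that matters for keeping an identifier safe to interpolate.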
    
  • empty safehtml.HTML is true, should be false

    There is an incompatibility with html/template. The empty escaped template value template.HTML("") is false in an if, just as the empty string is. But the zero value safehtml.HTML{} is true.

    See https://play.golang.org/p/iKB2uBICUX-.
