template

• func (e *Error) Error() string

• func Must(t *Template, err error) *Template
• func New(name string) *Template
• func ParseFS(fs fs.FS, patterns . string) (*Template, error)
• func ParseFiles(filenames . string) (*Template, error)
• func ParseGlob(pattern string) (*Template, error)

• func (t *Template) AddParseTree(name string, tree *parse.Tree) (*Template, error)
• func (t *Template) Clone() (*Template, error)
• func (t *Template) DefinedTemplates() string
• func (t *Template) Delims(left, right string) *Template
• func (t *Template) Execute(wr io.Writer, data any) error
• func (t *Template) ExecuteTemplate(wr io.Writer, name string, data any) error
• func (t *Template) Funcs(funcMap FuncMap) *Template
• func (t *Template) Lookup(name string) *Template
• func (t *Template) Name() string
• func (t *Template) New(name string) *Template
• func (t *Template) Option(opt . string) *Template
• func (t *Template) Parse(text string) (*Template, error)
• func (t *Template) ParseFS(fs fs.FS, patterns . string) (*Template, error)
• func (t *Template) ParseFiles(filenames . string) (*Template, error)
• func (t *Template) ParseGlob(pattern string) (*Template, error)
• func (t *Template) Templates() []*Template

Examples ¶

• Package
• Package (Autoescaping)
• Package (Escape)
• Template (Block)
• Template (Glob)
• Template (Helpers)
• Template (Parsefiles)
• Template (Share)
• Template.Delims

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func HTMLEscape ¶

func HTMLEscape(w io.Writer, b []byte)

HTMLEscape writes to w the escaped HTML equivalent of the plain text data b.

func HTMLEscapeString ¶

func HTMLEscapeString(s string) string

HTMLEscapeString returns the escaped HTML equivalent of the plain text data s.

func HTMLEscaper ¶

func HTMLEscaper(args . any) string

HTMLEscaper returns the escaped HTML equivalent of the textual representation of its arguments.

func IsTrue ¶ added in go1.6

func IsTrue(val any) (truth, ok bool)

IsTrue reports whether the value is 'true', in the sense of not the zero of its type, and whether the value has a meaningful truth value. This is the definition of truth used by if and other such actions.

func JSEscape ¶

func JSEscape(w io.Writer, b []byte)

JSEscape writes to w the escaped JavaScript equivalent of the plain text data b.

func JSEscapeString ¶

func JSEscapeString(s string) string

JSEscapeString returns the escaped JavaScript equivalent of the plain text data s.

func JSEscaper ¶

func JSEscaper(args . any) string

JSEscaper returns the escaped JavaScript equivalent of the textual representation of its arguments.

func URLQueryEscaper ¶

func URLQueryEscaper(args . any) string

URLQueryEscaper returns the escaped value of the textual representation of its arguments in a form suitable for embedding in a URL query.

Types ¶

type CSS ¶

CSS encapsulates known safe content that matches any of:

1. The CSS3 stylesheet production, such as `p < color: purple >`.
2. The CSS3 rule production, such as `a[href=~"https:"].foo#bar`.
3. CSS3 declaration productions, such as `color: red; margin: 2px`.
4. The CSS3 value production, such as `rgba(0, 0, 255, 127)`.

Use of this type presents a security risk: the encapsulated content should come from a trusted source, as it will be included verbatim in the template output.

type Error ¶

type Error struct < // ErrorCode describes the kind of error.  ErrorCode ErrorCode // Node is the node that caused the problem, if known.  // If not nil, it overrides Name and Line. Node parse.Node // Name is the name of the template in which the error was encountered.  Name string // Line is the line number of the error in the template source or 0.  Line int // Description is a human-readable description of the problem.  Description string >

Error describes a problem encountered during template Escaping.

func (*Error) Error ¶

func (e *Error) Error() string

type ErrorCode ¶

ErrorCode is a code for a kind of error.

We define codes for each error that manifests while escaping templates, but escaped templates may also fail at runtime.

Output: "ZgotmplZ" Example:

 where > evaluates to `javascript. `

"ZgotmplZ" is a special value that indicates that unsafe content reached a CSS or URL context at runtime. The output of the example will be If the data comes from a trusted source, use content types to exempt it from filtering: URL(`javascript. `).

type FuncMap ¶

type FuncMap = template.FuncMap

type HTML ¶

HTML encapsulates a known safe HTML document fragment. It should not be used for HTML from a third-party, or HTML with unclosed tags or comments. The outputs of a sound HTML sanitizer and a template escaped by this package are fine for use with HTML.

Use of this type presents a security risk: the encapsulated content should come from a trusted source, as it will be included verbatim in the template output.

type HTMLAttr ¶

HTMLAttr encapsulates an HTML attribute from a trusted source, for example, ` dir="ltr"`.

Use of this type presents a security risk: the encapsulated content should come from a trusted source, as it will be included verbatim in the template output.

type JS ¶

JS encapsulates a known safe EcmaScript5 Expression, for example, `(x + y * z())`. Template authors are responsible for ensuring that typed expressions do not break the intended precedence and that there is no statement/expression ambiguity as when passing an expression like "< foo: bar() >\n['foo']()", which is both a valid Expression and a valid Program with a very different meaning.

Use of this type presents a security risk: the encapsulated content should come from a trusted source, as it will be included verbatim in the template output.

Using JS to include valid but untrusted JSON is not safe. A safe alternative is to parse the JSON with json.Unmarshal and then pass the resultant object into the template, where it will be converted to sanitized JSON when presented in a JavaScript context.

type JSStr ¶

JSStr encapsulates a sequence of characters meant to be embedded between quotes in a JavaScript expression. The string must match a series of StringCharacters:

StringCharacter :: SourceCharacter but not `\` or LineTerminator | EscapeSequence

Note that LineContinuations are not allowed. JSStr("foo\\nbar") is fine, but JSStr("foo\\\nbar") is not.

Use of this type presents a security risk: the encapsulated content should come from a trusted source, as it will be included verbatim in the template output.

type Srcset ¶ added in go1.10

Use of this type presents a security risk: the encapsulated content should come from a trusted source, as it will be included verbatim in the template output.

type Template ¶

type Template struct < // The underlying template's parse tree, updated to be HTML-safe.  Tree *parse.Tree // contains filtered or unexported fields >

Template is a specialized Template from "text/template" that produces a safe HTML document fragment.

package main import ( "html/template" "log" "os" "strings" ) func main() < const ( master = `Names:>>>>>>` overlay = `> >> ` ) var ( funcs = template.FuncMap guardians = []string ) masterTmpl, err := template.New("master").Funcs(funcs).Parse(master) if err != nil < log.Fatal(err) >overlayTmpl, err := template.Must(masterTmpl.Clone()).Parse(overlay) if err != nil < log.Fatal(err) >if err := masterTmpl.Execute(os.Stdout, guardians); err != nil < log.Fatal(err) >if err := overlayTmpl.Execute(os.Stdout, guardians); err != nil < log.Fatal(err) >>

Output: Names: - Gamora - Groot - Nebula - Rocket - Star-Lord Names: Gamora, Groot, Nebula, Rocket, Star-Lord 

Share Format Run

Here we demonstrate loading a set of templates from a directory.

package main import ( "io" "log" "os" "path/filepath" "text/template" ) // templateFile defines the contents of a template to be stored in a file, for testing. type templateFile struct < name string contents string >func createTestDir(files []templateFile) string < dir, err := os.MkdirTemp("", "template") if err != nil < log.Fatal(err) >for _, file := range files < f, err := os.Create(filepath.Join(dir, file.name)) if err != nil < log.Fatal(err) >defer f.Close() _, err = io.WriteString(f, file.contents) if err != nil < log.Fatal(err) >> return dir > func main() < // Here we create a temporary directory and populate it with our sample // template definition files; usually the template files would already // exist in some location known to the program. dir := createTestDir([]templateFile< // T0.tmpl is a plain template file that just invokes T1. >)`>, // T1.tmpl defines a template, T1 that invokes T2. >T1 invokes T2: (>)>`>, // T2.tmpl defines a template T2. >This is T2>`>, >) // Clean up after the test; another quirk of running as an example. defer os.RemoveAll(dir) // pattern is the glob pattern used to find all the template files. pattern := filepath.Join(dir, "*.tmpl") // Here starts the example proper. // T0.tmpl is the first name matched, so it becomes the starting template, // the value returned by ParseGlob. tmpl := template.Must(template.ParseGlob(pattern)) err := tmpl.Execute(os.Stdout, nil) if err != nil < log.Fatalf("template execution: %s", err) >>

Output: T0 invokes T1: (T1 invokes T2: (This is T2)) 

Share Format Run

This example demonstrates one way to share some templates and use them in different contexts. In this variant we add multiple driver templates by hand to an existing bundle of templates.

package main import ( "io" "log" "os" "path/filepath" "text/template" ) // templateFile defines the contents of a template to be stored in a file, for testing. type templateFile struct < name string contents string >func createTestDir(files []templateFile) string < dir, err := os.MkdirTemp("", "template") if err != nil < log.Fatal(err) >for _, file := range files < f, err := os.Create(filepath.Join(dir, file.name)) if err != nil < log.Fatal(err) >defer f.Close() _, err = io.WriteString(f, file.contents) if err != nil < log.Fatal(err) >> return dir > func main() < // Here we create a temporary directory and populate it with our sample // template definition files; usually the template files would already // exist in some location known to the program. dir := createTestDir([]templateFile< // T1.tmpl defines a template, T1 that invokes T2. >T1 invokes T2: (>)>`>, // T2.tmpl defines a template T2. >This is T2>`>, >) // Clean up after the test; another quirk of running as an example. defer os.RemoveAll(dir) // pattern is the glob pattern used to find all the template files. pattern := filepath.Join(dir, "*.tmpl") // Here starts the example proper. // Load the helpers. templates := template.Must(template.ParseGlob(pattern)) // Add one driver template to the bunch; we do this with an explicit template definition. _, err := templates.Parse(">Driver 1 calls T1: (>)\n>") if err != nil < log.Fatal("parsing driver1: ", err) >// Add another driver template. _, err = templates.Parse(">Driver 2 calls T2: (>)\n>") if err != nil < log.Fatal("parsing driver2: ", err) >// We load all the templates before execution. This package does not require // that behavior but html/template's escaping does, so it's a good habit. err = templates.ExecuteTemplate(os.Stdout, "driver1", nil) if err != nil < log.Fatalf("driver1 execution: %s", err) >err = templates.ExecuteTemplate(os.Stdout, "driver2", nil) if err != nil < log.Fatalf("driver2 execution: %s", err) >>

Output: Driver 1 calls T1: (T1 invokes T2: (This is T2)) Driver 2 calls T2: (This is T2) 

Share Format Run

Here we demonstrate loading a set of templates from files in different directories

package main import ( "io" "log" "os" "path/filepath" "text/template" ) // templateFile defines the contents of a template to be stored in a file, for testing. type templateFile struct < name string contents string >func createTestDir(files []templateFile) string < dir, err := os.MkdirTemp("", "template") if err != nil < log.Fatal(err) >for _, file := range files < f, err := os.Create(filepath.Join(dir, file.name)) if err != nil < log.Fatal(err) >defer f.Close() _, err = io.WriteString(f, file.contents) if err != nil < log.Fatal(err) >> return dir > func main() < // Here we create different temporary directories and populate them with our sample // template definition files; usually the template files would already // exist in some location known to the program. dir1 := createTestDir([]templateFile< // T1.tmpl is a plain template file that just invokes T2. >)`>, >) dir2 := createTestDir([]templateFile< // T2.tmpl defines a template T2. >This is T2>`>, >) // Clean up after the test; another quirk of running as an example. defer func(dirs . string) < for _, dir := range dirs < os.RemoveAll(dir) >>(dir1, dir2) // Here starts the example proper. // Let's just parse only dir1/T0 and dir2/T2 paths := []string < filepath.Join(dir1, "T1.tmpl"), filepath.Join(dir2, "T2.tmpl"), >tmpl := template.Must(template.ParseFiles(paths. )) err := tmpl.Execute(os.Stdout, nil) if err != nil < log.Fatalf("template execution: %s", err) >>

Output: T1 invokes T2: (This is T2) 

Share Format Run

This example demonstrates how to use one group of driver templates with distinct sets of helper templates.

package main import ( "io" "log" "os" "path/filepath" "text/template" ) // templateFile defines the contents of a template to be stored in a file, for testing. type templateFile struct < name string contents string >func createTestDir(files []templateFile) string < dir, err := os.MkdirTemp("", "template") if err != nil < log.Fatal(err) >for _, file := range files < f, err := os.Create(filepath.Join(dir, file.name)) if err != nil < log.Fatal(err) >defer f.Close() _, err = io.WriteString(f, file.contents) if err != nil < log.Fatal(err) >> return dir > func main() < // Here we create a temporary directory and populate it with our sample // template definition files; usually the template files would already // exist in some location known to the program. dir := createTestDir([]templateFile< // T0.tmpl is a plain template file that just invokes T1. > version) invokes T1: (>)\n">, // T1.tmpl defines a template, T1 that invokes T2. Note T2 is not defined >T1 invokes T2: (>)>`>, >) // Clean up after the test; another quirk of running as an example. defer os.RemoveAll(dir) // pattern is the glob pattern used to find all the template files. pattern := filepath.Join(dir, "*.tmpl") // Here starts the example proper. // Load the drivers. drivers := template.Must(template.ParseGlob(pattern)) // We must define an implementation of the T2 template. First we clone // the drivers, then add a definition of T2 to the template name space. // 1. Clone the helper set to create a new name space from which to run them. first, err := drivers.Clone() if err != nil < log.Fatal("cloning helpers: ", err) >// 2. Define T2, version A, and parse it. _, err = first.Parse(">T2, version A>") if err != nil < log.Fatal("parsing T2: ", err) >// Now repeat the whole thing, using a different version of T2. // 1. Clone the drivers. second, err := drivers.Clone() if err != nil < log.Fatal("cloning drivers: ", err) >// 2. Define T2, version B, and parse it. _, err = second.Parse(">T2, version B>") if err != nil < log.Fatal("parsing T2: ", err) >// Execute the templates in the reverse order to verify the // first is unaffected by the second. err = second.ExecuteTemplate(os.Stdout, "T0.tmpl", "second") if err != nil < log.Fatalf("second execution: %s", err) >err = first.ExecuteTemplate(os.Stdout, "T0.tmpl", "first") if err != nil < log.Fatalf("first: execution: %s", err) >>

Output: T0 (second version) invokes T1: (T1 invokes T2: (T2, version B)) T0 (first version) invokes T1: (T1 invokes T2: (T2, version A)) 

Share Format Run

func Must ¶

func Must(t *Template, err error) *Template

Must is a helper that wraps a call to a function returning (*Template, error) and panics if the error is non-nil. It is intended for use in variable initializations such as

var t = template.Must(template.New("name").Parse("html"))

func New ¶

func New(name string) *Template

New allocates a new HTML template with the given name.

func ParseFS ¶ added in go1.16

func ParseFS(fs fs.FS, patterns . string) (*Template, error)

ParseFS is like ParseFiles or ParseGlob but reads from the file system fs instead of the host operating system's file system. It accepts a list of glob patterns. (Note that most file names serve as glob patterns matching only themselves.)

func ParseFiles ¶

func ParseFiles(filenames . string) (*Template, error)

ParseFiles creates a new Template and parses the template definitions from the named files. The returned template's name will have the (base) name and (parsed) contents of the first file. There must be at least one file. If an error occurs, parsing stops and the returned *Template is nil.

When parsing multiple files with the same name in different directories, the last one mentioned will be the one that results. For instance, ParseFiles("a/foo", "b/foo") stores "b/foo" as the template named "foo", while "a/foo" is unavailable.

func ParseGlob ¶

func ParseGlob(pattern string) (*Template, error)

ParseGlob creates a new Template and parses the template definitions from the files identified by the pattern. The files are matched according to the semantics of filepath.Match, and the pattern must match at least one file. The returned template will have the (base) name and (parsed) contents of the first file matched by the pattern. ParseGlob is equivalent to calling ParseFiles with the list of files matched by the pattern.

When parsing multiple files with the same name in different directories, the last one mentioned will be the one that results.

func (*Template) AddParseTree ¶

func (t *Template) AddParseTree(name string, tree *parse.Tree) (*Template, error)

AddParseTree creates a new template with the name and parse tree and associates it with t.

It returns an error if t or any associated template has already been executed.

func (*Template) Clone ¶

func (t *Template) Clone() (*Template, error)

Clone returns a duplicate of the template, including all associated templates. The actual representation is not copied, but the name space of associated templates is, so further calls to Template.Parse in the copy will add templates to the copy but not to the original. Template.Clone can be used to prepare common templates and use them with variant definitions for other templates by adding the variants after the clone is made.

It returns an error if t has already been executed.

func (*Template) DefinedTemplates ¶ added in go1.6

func (t *Template) DefinedTemplates() string

DefinedTemplates returns a string listing the defined templates, prefixed by the string "; defined templates are: ". If there are none, it returns the empty string. Used to generate an error message.

func (*Template) Delims ¶

func (t *Template) Delims(left, right string) *Template

Delims sets the action delimiters to the specified strings, to be used in subsequent calls to Template.Parse, ParseFiles, or ParseGlob. Nested template definitions will inherit the settings. An empty delimiter stands for the corresponding default: >. The return value is the template, so calls can be chained.

package main import ( "html/template" "log" "os" ) func main() < const text = "> >" data := struct < Greeting string Name string > < Greeting: "Hello", Name: "Joe", >t := template.Must(template.New("tpl").Delims(">").Parse(text)) err := t.Execute(os.Stdout, data) if err != nil < log.Fatal(err) >>

Output: Hello > 

Share Format Run

func (*Template) Execute ¶

func (t *Template) Execute(wr io.Writer, data any) error

Execute applies a parsed template to the specified data object, writing the output to wr. If an error occurs executing the template or writing its output, execution stops, but partial results may already have been written to the output writer. A template may be executed safely in parallel, although if parallel executions share a Writer the output may be interleaved.

func (*Template) ExecuteTemplate ¶

func (t *Template) ExecuteTemplate(wr io.Writer, name string, data any) error

ExecuteTemplate applies the template associated with t that has the given name to the specified data object and writes the output to wr. If an error occurs executing the template or writing its output, execution stops, but partial results may already have been written to the output writer. A template may be executed safely in parallel, although if parallel executions share a Writer the output may be interleaved.

func (*Template) Funcs ¶

func (t *Template) Funcs(funcMap FuncMap) *Template

Funcs adds the elements of the argument map to the template's function map. It must be called before the template is parsed. It panics if a value in the map is not a function with appropriate return type. However, it is legal to overwrite elements of the map. The return value is the template, so calls can be chained.

func (*Template) Lookup ¶

func (t *Template) Lookup(name string) *Template

Lookup returns the template with the given name that is associated with t, or nil if there is no such template.

func (*Template) Name ¶

func (t *Template) Name() string

Name returns the name of the template.

func (*Template) New ¶

func (t *Template) New(name string) *Template

New allocates a new HTML template associated with the given one and with the same delimiters. The association, which is transitive, allows one template to invoke another with a > action.

If a template with the given name already exists, the new HTML template will replace it. The existing template will be reset and disassociated with t.

func (*Template) Option ¶ added in go1.5

func (t *Template) Option(opt . string) *Template

Option sets options for the template. Options are described by strings, either a simple string or "key=value". There can be at most one equals sign in an option string. If the option string is unrecognized or otherwise invalid, Option panics.

missingkey: Control the behavior during execution if a map is indexed with a key that is not present in the map.

"missingkey=default" or "missingkey=invalid" The default behavior: Do nothing and continue execution. If printed, the result of the index operation is the string "". "missingkey=zero" The operation returns the zero value for the map type's element. "missingkey=error" Execution stops immediately with an error.

func (*Template) Parse ¶

func (t *Template) Parse(text string) (*Template, error)

Parse parses text as a template body for t. Named template definitions (> or > statements) in text define additional templates associated with t and are removed from the definition of t itself.

Templates can be redefined in successive calls to Parse, before the first use of Template.Execute on t or any associated template. A template definition with a body containing only white space and comments is considered empty and will not replace an existing template's body. This allows using Parse to add new named template definitions without overwriting the main template body.

func (*Template) ParseFS ¶ added in go1.16

func (t *Template) ParseFS(fs fs.FS, patterns . string) (*Template, error)

ParseFS is like Template.ParseFiles or Template.ParseGlob but reads from the file system fs instead of the host operating system's file system. It accepts a list of glob patterns. (Note that most file names serve as glob patterns matching only themselves.)

func (*Template) ParseFiles ¶

func (t *Template) ParseFiles(filenames . string) (*Template, error)

ParseFiles parses the named files and associates the resulting templates with t. If an error occurs, parsing stops and the returned template is nil; otherwise it is t. There must be at least one file.

When parsing multiple files with the same name in different directories, the last one mentioned will be the one that results.

ParseFiles returns an error if t or any associated template has already been executed.

func (*Template) ParseGlob ¶

func (t *Template) ParseGlob(pattern string) (*Template, error)

ParseGlob parses the template definitions in the files identified by the pattern and associates the resulting templates with t. The files are matched according to the semantics of filepath.Match, and the pattern must match at least one file. ParseGlob is equivalent to calling t.ParseFiles with the list of files matched by the pattern.

When parsing multiple files with the same name in different directories, the last one mentioned will be the one that results.

ParseGlob returns an error if t or any associated template has already been executed.

func (*Template) Templates ¶

func (t *Template) Templates() []*Template

Templates returns a slice of the templates associated with t, including t itself.

type URL ¶

URL encapsulates a known safe URL or URL substring (see RFC 3986). A URL like `javascript:checkThatFormNotEditedBeforeLeavingPage()` from a trusted source should go in the page, but by default dynamic `javascript:` URLs are filtered out since they are a frequently exploited injection vector.

Use of this type presents a security risk: the encapsulated content should come from a trusted source, as it will be included verbatim in the template output.