Home/ Questions/Q 8970983
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-15T17:50:39+00:00

I’m loading a text file that has newlines in it, and pass it to

  • 0

I’m loading a text file that has newlines in it, and pass it to html/templates.

Substituting the \n with <br> in the loaded string, they are escaped by the template to html &lt;br&gt; and displayed in the browser, instead of causing a line return.

How can I change this behavior without switching to text/templates (which doesn’t have XSS protection)?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    It seems you could run template.HTMLEscape() on your text first to sanitize it, then do the \n to
    substitution that you trust, then use that as pre-escaped and trusted template data.

    Update: Expanding on Kocka’s example, this is what I had in mind:

    package main

import (
    "html/template"
    "os"
    "strings"
)

const page = `<!DOCTYPE html>
<html>
  <head>
  </head>
  <body>
    <p>{{.}}</p>
  </body>
</html>`

const text = `first line
<script>dangerous</script>
last line`

func main() {
    t := template.Must(template.New("page").Parse(page))
    safe := template.HTMLEscapeString(text)
    safe = strings.Replace(safe, "\n", "<br>", -1)
    t.Execute(os.Stdout, template.HTML(safe)) // template.HTML encapsulates a known safe HTML document fragment.
}

    http://play.golang.org/p/JiH0uD5Zh2

    Output is

    <!DOCTYPE html>
<html>
  <head>
  </head>
  <body>
    <p>first line<br>&lt;script&gt;dangerous&lt;/script&gt;<br>last line</p>
  </body>
</html>

    And text rendered in the browser is

    first line
<script>dangerous</script>
last line
    • 0