Safe HTML for Go

Overview

safehtml provides immutable string-like types that wrap web types such as HTML, JavaScript and CSS. These wrappers are safe by construction against XSS and similar web vulnerabilities, and they can only be interpolated in safe ways. You can read more about our approach to web security in our whitepaper, or this OWASP talk.

Additional subpackages provide APIs for managing exceptions to the safety rules, and a template engine with a syntax and interface that closely matches html/template. You can refer to the godoc for each (sub)package for the API documentation and code examples. More end-to-end demos are available in example_test.go.
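To make the "safe by construction" idea concrete, here is an added illustration (not safehtml's own code or API) of the pattern the overview describes: a wrapper type whose only public constructors either escape untrusted text or combine values that are already safe, so the only way to get raw markup into the type is through a deliberately named trusted-constant helper. The names `HTML`, `HTMLEscaped`, `HTMLConcat`, `Element` and `Greeting` are assumptions made for this example.

```go
package main

import (
	"fmt"
	"html"
	"regexp"
	"strings"
)

// HTML is an illustrative immutable wrapper (a stand-in for a safehtml-style
// type, not the library's own). The field is unexported, so other packages
// cannot build one from an arbitrary string.
type HTML struct{ str string }

// HTMLEscaped is the only way to turn untrusted text into HTML: it escapes
// every character that could change the markup context.
func HTMLEscaped(text string) HTML { return HTML{html.EscapeString(text)} }

// HTMLConcat joins fragments that are already safe; concatenating safe
// values yields a safe value.
func HTMLConcat(parts ...HTML) HTML {
	var b strings.Builder
	for _, p := range parts {
		b.WriteString(p.str)
	}
	return HTML{b.String()}
}

// tagName restricts Element to plain element names, so the tag argument
// cannot smuggle in attributes or a closing bracket.
var tagName = regexp.MustCompile(`^[a-zA-Z][a-zA-Z0-9]*$`)

// Element wraps already-safe content in a start/end tag pair. Passing an
// invalid tag name panics rather than producing unsafe output.
func Element(tag string, inner HTML) HTML {
	if !tagName.MatchString(tag) {
		panic(fmt.Sprintf("Element: invalid tag name %q", tag))
	}
	return HTML{"<" + tag + ">" + inner.str + "</" + tag + ">"}
}

// String exposes the markup only when it is finally written to a response.
func (h HTML) String() string { return h.str }

// Greeting builds a paragraph from an attacker-controllable name. Because
// the name can only enter through HTMLEscaped, it cannot break out of the
// text context.
func Greeting(name string) HTML {
	return Element("p", HTMLConcat(HTMLEscaped("Hello, "), HTMLEscaped(name)))
}

func main() {
	// Constructed sample input that would be a stored-XSS payload if it were
	// concatenated as a raw string.
	fmt.Println(Greeting(`<script>alert(1)</script>`))
}
```

The point of the design is that a code review only has to audit the small set of constructors, not every call site: any `HTML` value found in the program was produced by escaping, by combining other `HTML` values, or by a validated element builder.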

This is not an officially supported Google product.

Comments
  • Add support for parsing templates text from the file system fs instead of the host operating system's file system

    Add support for parsing templates text from the file system fs instead of the host operating system's file system

    Now that we have fs package, it would be useful to add ParseFS from the standard library package html/template into the safehtml/template API.

    func (t *Template) ParseFS(fs fs.FS, patterns ...string) (*Template, error)
    
    opened by aantelov87 12
  • Migrate packages that should not be imported to an internal directory

    Migrate packages that should not be imported to an internal directory

    Go build prevents external packages from importing anything below an "internal" directory in a package. "raw" and "safehtmlutils" should probably be moved to such a subdirectory to clarify their role.

    opened by empijei 1
  • tag with a version

    tag with a version

    It would be nice if this module had a real semantic version. That can be done by adding a tag of the form vX.Y.Z. If you think the API might change backwards-incompatibly, set X=0, else set X=1. I recommend 0 because even though this package has stabilized inside Google, you may find that external users have different requirements.

    opened by jba 1
  • template: support embed.FS

    template: support embed.FS

    Add ParseEmbedFS and Template.ParseEmbedFS, which accept an embed.FS.

    The name is chosen so that ParseFS is free if we later decide to support other implementations of fs.FS.

    This implies that users of safehtml will need to be on Go 1.16. Alternatively, we could put these functions under a go1.16 build tag.

    Fixes #7.

    opened by jba 0
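Both the ParseFS request above and this embed.FS proposal ask safehtml/template to mirror what the standard library's html/template already offers. As an added example (not part of the issue and not safehtml code), this is the standard-library `template.ParseFS` behaviour the requests refer to, exercised against a constructed in-memory `fstest.MapFS`. Because `embed.FS` and `fstest.MapFS` both implement `fs.FS`, the same call works with an embedded directory; the in-memory version is used here only so the example runs without files on disk. The template contents and the `RenderPage` function are assumptions made for this example.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"testing/fstest"
)

// templateFS is a constructed stand-in for an embed.FS or os.DirFS tree.
// fstest.MapFS implements fs.FS, as embed.FS does, so template.ParseFS
// accepts either without code changes.
var templateFS = fstest.MapFS{
	"templates/base.tmpl": {Data: []byte(`<h1>{{.Title}}</h1>{{template "body" .}}`)},
	"templates/body.tmpl": {Data: []byte(`{{define "body"}}<p>{{.Body}}</p>{{end}}`)},
}

// RenderPage parses every *.tmpl file from the file system and executes the
// base template. html/template applies contextual escaping on execution, so
// markup in Title or Body is rendered as text rather than interpreted.
func RenderPage(title, body string) (string, error) {
	t, err := template.ParseFS(templateFS, "templates/*.tmpl")
	if err != nil {
		return "", fmt.Errorf("parse templates: %w", err)
	}
	var buf bytes.Buffer
	data := map[string]string{"Title": title, "Body": body}
	// Template names are the file base names, exactly as with ParseFiles.
	if err := t.ExecuteTemplate(&buf, "base.tmpl", data); err != nil {
		return "", fmt.Errorf("execute base.tmpl: %w", err)
	}
	return buf.String(), nil
}

func main() {
	// Constructed untrusted input: the tags must come out escaped.
	out, err := RenderPage("Welcome", "<b>bold?</b>")
	if err != nil {
		panic(err)
	}
	fmt.Println(out)
}
```

With a real embedded tree the only change is the source of the `fs.FS` value, for example a package-level `var content embed.FS` annotated with a `//go:embed templates` directive, which is what the proposal's `ParseEmbedFS` would accept directly.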
  • add support for html meta tag

    add support for html meta tag

    <meta name="Description" content="{{.Description}}">

    When dynamically setting the content attribute of a meta tag I get the following error.

    Critical: frontend.NewServer: NewServer(...): s.renderErrorPage(http.StatusInternalServerError, nil): html/template:base.tmpl:13:36: cannot escape action {{.Description}}: actions must not occur in the "content" attribute value context of a "meta" element

    This tag is useful for setting the description of a page in search results or link summary text for applications like slack and I think should be considered safe.

    golang/go#40752

    enhancement 
    opened by jamalc 0
  • safe identifier characters should include all Unicode alphanumerics

    safe identifier characters should include all Unicode alphanumerics

    The documentation for safe identifiers says "alphanumeric" characters are allowed, but the implementation supports only ASCII letters and numbers. Unless there are security issues with Unicode characters, they should be supported.

    Motivation: documentation sites that want to use language identifiers as (part of) fragments for easy navigation, e.g. https://pkg.go.dev.

    The change I'm suggesting would be from

    var onlyAlphanumericsOrHyphenPattern = regexp.MustCompile(`^[-_a-zA-Z0-9]*$`)

    (https://github.com/google/safehtml/blob/v0.0.2/identifier.go#L49) to

    var onlyAlphanumericsOrHyphenPattern = regexp.MustCompile(`^[-_\pL\pN]*$`)
    opened by jba 0
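To see what the proposed change would and would not admit, here is an added example (not from the issue or from safehtml) that runs both patterns quoted above side by side. The `CheckIdentifier` function and the sample identifiers are constructed for this example; the two regular expressions are the ones the issue quotes. The security-relevant observation is that the Unicode version still rejects every character that could terminate an attribute value or start a tag (space, quotes, `<`, `>`, `=`), which is the property the identifier type exists to guarantee.

```go
package main

import (
	"fmt"
	"regexp"
)

// asciiPattern is the current implementation quoted in the issue.
var asciiPattern = regexp.MustCompile(`^[-_a-zA-Z0-9]*$`)

// unicodePattern is the proposed replacement: \pL is any Unicode letter and
// \pN any Unicode number category.
var unicodePattern = regexp.MustCompile(`^[-_\pL\pN]*$`)

// Verdict records whether each pattern accepts a candidate identifier.
type Verdict struct {
	ASCII   bool
	Unicode bool
}

// CheckIdentifier evaluates a candidate against both patterns.
func CheckIdentifier(id string) Verdict {
	return Verdict{
		ASCII:   asciiPattern.MatchString(id),
		Unicode: unicodePattern.MatchString(id),
	}
}

// MarkupBreakers lists characters that must never appear in an identifier
// used as an HTML id or fragment; both patterns reject all of them.
var MarkupBreakers = []string{" ", `"`, "'", "<", ">", "=", "/", "&"}

// RejectsAllBreakers reports whether a pattern rejects every breaker when
// it is appended to an otherwise valid identifier.
func RejectsAllBreakers(re *regexp.Regexp) bool {
	for _, c := range MarkupBreakers {
		if re.MatchString("safe" + c) {
			return false
		}
	}
	return true
}

func main() {
	// Constructed samples: plain ASCII, a Japanese word, an Arabic-Indic
	// digit, and a value with an embedded quote.
	for _, id := range []string{"section-1", "日本語", "item٣", `x"onload`} {
		fmt.Printf("%-10q ascii=%v unicode=%v\n", id, CheckIdentifier(id).ASCII, CheckIdentifier(id).Unicode)
	}
	fmt.Println("unicode pattern rejects breakers:", RejectsAllBreakers(unicodePattern))
}
```

Note that `\pL\pN` admits characters that are visually confusable with ASCII (Cyrillic `а` versus Latin `a`, for instance); that does not let an identifier escape its attribute context, but it does mean two distinct identifiers can look identical, which matters if they are compared by eye in a URL.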
  • empty safehtml.HTML is true, should be false

    empty safehtml.HTML is true, should be false

    There is an incompatibility with html/template. The empty escaped template value template.HTML("") is false in an if, just as the empty string is. But the zero value safehtml.HTML{} is true.

    See https://play.golang.org/p/iKB2uBICUX-.

    bug documentation 
    opened by jba 3
Releases: v0.1.0
Owner: Google
HTML template engine for Go

Ace - HTML template engine for Go Overview Ace is an HTML template engine for Go. This is inspired by Slim and Jade. This is a refinement of Gold. Exa

Keiji Yoshida 825 Dec 7, 2022
Package damsel provides html outlining via css-selectors and common template functionality.

Damsel Markup language featuring html outlining via css-selectors, extensible via pkg html/template and others. Library This package expects to exist

Daniel Skinner 24 Oct 23, 2022
Wrapper package for Go's template/html to allow for easy file-based template inheritance.

Extemplate Extemplate is a small wrapper package around html/template to allow for easy file-based template inheritance. File: templates/parent.tmpl <

Danny van Kooten 51 Nov 13, 2022
Goview is a lightweight, minimalist and idiomatic template library based on golang html/template for building Go web application.

goview Goview is a lightweight, minimalist and idiomatic template library based on golang html/template for building Go web application. Contents Inst

foolin 310 Nov 26, 2022
Templating system for HTML and other text documents - go implementation

FAQ What is Kasia.go? Kasia.go is a Go implementation of the Kasia templating system. Kasia is primarily designed for HTML, but you can use it for any

Michał Derkacz 74 Mar 15, 2022
Fast, powerful, yet easy to use template engine for Go. Optimized for speed, zero memory allocations in hot paths. Up to 20x faster than html/template

quicktemplate A fast, powerful, yet easy to use template engine for Go. Inspired by the Mako templates philosophy. Features Extremely fast. Templates

Aliaksandr Valialkin 2.6k Nov 29, 2022
A strongly typed HTML templating language that compiles to Go code, and has great developer tooling.

A language, command line tool and set of IDE extensions that makes it easier to write HTML user interfaces and websites using Go.

Adrian Hesketh 158 Dec 8, 2022
A template to build dynamic web apps quickly using Go, html/template and javascript

gomodest-template A modest template to build dynamic web apps in Go, HTML and sprinkles and spots of javascript. Why ? Build dynamic websites using th

Adnaan Badr 87 Nov 23, 2022
mold your templated to HTML/ TEXT/ PDF easily.

mold mold your templated to HTML/ TEXT/ PDF easily. install go get github.com/mayur-tolexo/mold Example 1 //Todo model type Todo struct { Title stri

Mayur Das 0 Jun 7, 2019
Golang Echo and html template.

golang-website-example Golang Echo and html template. move GitHub repository for hello to golang-website-example Visual Studio Code Run and Debug: lau

Ocki Bagus Pratama 0 Feb 4, 2022
bluemonday: a fast golang HTML sanitizer (inspired by the OWASP Java HTML Sanitizer) to scrub user generated content of XSS

bluemonday bluemonday is a HTML sanitizer implemented in Go. It is fast and highly configurable. bluemonday takes untrusted user generated content as

Microcosm 2.5k Dec 1, 2022
Simple system for writing HTML/XML as Go code. Better-performing replacement for html/template and text/template

Simple system for writing HTML as Go code. Use normal Go conditionals, loops and functions. Benefit from typing and code analysis. Better performance than templating. Tiny and dependency-free.

Nelo Mitranim 4 Apr 13, 2022
VMail - check the markup (HTML, CSS) of HTML email template compatibility with email clients

VMail - check the markup (HTML, CSS) of HTML email template compatibility with email clients Email clients use different rendering standards. This is

Alexey Vasiliev 21 Sep 6, 2022
This command line converts .html file into .html with images embed.

embed-html This command line converts .html file into .html with images embed. Install > go get github.com/gonejack/embed-html Usage > embed-html *.ht

会有猫的 1 Oct 6, 2022
Supports the safe and convenient execution of asynchronous computations with goroutines and provides facilities for the safe retrieval of the computation results.

Rendezvous The Rendezvous library supports the safe and convenient execution of asynchronous computations with goroutines and provides facilities for

Paulo Villela 0 Dec 29, 2021
Utility to compare files/directories with output in html. (like unix diff command)

#godiff A File/Directory diff-like comparison tool with HTML output. This program can be use to compare files and directories for differences. When co

null 42 Nov 4, 2022
Inline styling for html mail in golang

go-premailer Inline styling for HTML mail in golang Document install go get github.com/vanng822/go-premailer/premailer Example import ( "fmt" "gith

Nguyen Van Nhu 96 Nov 30, 2022
Golang package that generates clean, responsive HTML e-mails for sending transactional mail

Hermes Hermes is the Go port of the great mailgen engine for Node.js. Check their work, it's awesome! It's a package that generates clean, responsive

Mathieu Cornic 2.6k Nov 27, 2022
Using Mailchain, blockchain users can now send and receive rich-media HTML messages with attachments via a blockchain address.

Mailchain Introduction Mailchain enables blockchain-based email-like messaging with plain or rich text and attachment capabilities. Using blockchain p

Mailchain 132 Nov 9, 2022