doufeng3602
2013-12-16 12:19

Why does html/template not show all HTML conditional comments?

I have a simple Go HTML template which contains HTML conditional comments:

package main

import (
    "html/template"
    "os"
)

var body = `<!doctype html>
<html>
  <head>
    <!--[if !IE]><!--><script src="http://code.jquery.com/jquery-2.0.3.min.js"></script><!--<![endif]-->
    <!--[if gte IE 9]><script src="http://code.jquery.com/jquery-2.0.3.min.js"></script><![endif]-->
    <!--[if lt IE 9]><script src="http://code.jquery.com/jquery-1.10.2.min.js"></script><![endif]-->

  </head>
</html>`

func main() {
    tmp := template.Must(template.New("tmp").Parse(body))
    tmp.Execute(os.Stdout, nil)

}

This produces:

<!doctype html>
<html>
  <head>
    <script src="http://code.jquery.com/jquery-2.0.3.min.js"></script>



  </head>
</html>

Why does html/template remove those conditional comments after compiling?

5 answers

  • doutao1171 2013-12-17 10:24
    Accepted

    Since your question was Why, I will try to explain why comments are stripped away.

    First of all, the purpose of the html/template package is to be safe. The documentation states:

    Package template (html/template) implements data-driven templates for generating HTML output safe against code injection.

    This is done through context-sensitive escaping. In a golang-nuts thread Kyle Lemons provides an example where conditional comments would currently break this safety unless the comments were stripped away:

    <p>
    <!--[if lt IE 9]><script><![endif]-->
    {{.Stuff}}
    <!--[if lt IE 9]></script><![endif]-->
    </p>
    

    In this case, any value in {{.Stuff}} will be executed as JavaScript on some browsers and should therefore be escaped to be safe. This would require the template engine to be aware of this browser-specific interpretation of the comment, and any other non-standard behavior in all the browsers out there. This is not feasible.

    Instead, html/template was designed to strip away any comments to ensure that the HTML it produces is safe from any injection attack.

    Workaround

    As mentioned by Dave, it is possible to use template.HTML to insert such comments. However, because of the security risk, the documentation for template.HTML states (my emphasis):

    HTML encapsulates a known safe HTML document fragment. It should not be used for HTML from a third-party, or HTML with unclosed tags or comments.

  • doufanglian7585 2013-12-16 12:29

    Conditional commenting was only supported by Internet Explorer and isn't part of any standard that I can find.

    From Wikipedia:

    Conditional comments are conditional statements interpreted by Microsoft Internet Explorer in HTML source code. Conditional comments can be used to provide and hide code to and from Internet Explorer.

    Conditional comments in HTML[1] first appeared in Microsoft's Internet Explorer 5 browser, although support has now been deprecated. In Internet Explorer 10 HTML conditional comments are not supported when the page is in standards mode (document mode 10)

  • dsgdg54ef4365 2013-12-16 13:00

    It looks like the problem was discussed on the golang-nuts group:
    https://groups.google.com/forum/#!msg/golang-nuts/8y6by6SERyU/XQRnbw3aBhwJ

    TL;DR
    Go html/template strips out all HTML comments, and doesn't interpret conditional comments since they are not a part of the standard.

    Also the {{noescape}} directive has been removed: http://code.google.com/p/go/issues/detail?id=3528

  • douma5954 2014-04-05 19:59

    My workaround is to reimplement the noescape helper that was removed on commit #938597eab997

    funcMap := template.FuncMap{
        "noescape": func(s string) template.HTML {
            return template.HTML(s) 
        },
    }
    

    and then use it in your template:

    <!DOCTYPE html>
    {{noescape "<!--[if lt IE 9]>"}}<html class="old-ie">{{noescape "<![endif]-->"}}
    
  • douduo2407 2015-07-07 07:14

    Adding a couple of examples of adding HTML comments to the html/template output:

    1) adding comment using the HTML type: http://play.golang.org/p/mYj4rxVfHW

    2) using an added noescape function (which returns HTML): http://play.golang.org/p/y61Hysfs3Y

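The behaviour described in the accepted answer and in the noescape workaround, as an added example (not code from any of the posters or from the Go project): it renders Kyle Lemons's template with literal comments, with the comments passed through template.HTML, and with a real script element for comparison. The sample value `stuff` and the function names are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"html/template"
	"strings"
)

// Constructed sample value standing in for untrusted input.
const stuff = `x = "a" + 'b'`

// render executes src with stuff as the data. The "noescape" helper is the
// workaround from the answers above, not part of html/template itself.
func render(src string) string {
	funcs := template.FuncMap{
		"noescape": func(s string) template.HTML { return template.HTML(s) },
	}
	t := template.Must(template.New("t").Funcs(funcs).Parse(src))
	var sb strings.Builder
	if err := t.Execute(&sb, stuff); err != nil {
		panic(err)
	}
	return sb.String()
}

// Literal conditional comments: the escaper drops them, so no browser can
// see a <script> here and HTML-text escaping of the value is the right choice.
func stripped() string {
	return render("<p><!--[if lt IE 9]><script><![endif]-->{{.}}" +
		"<!--[if lt IE 9]></script><![endif]--></p>")
}

// The same comments passed through template.HTML survive, but the escaper
// still sees plain HTML text between them and applies HTML-text escaping.
func smuggled() string {
	return render(`<p>{{noescape "<!--[if lt IE 9]><script><![endif]-->"}}{{.}}` +
		`{{noescape "<!--[if lt IE 9]></script><![endif]-->"}}</p>`)
}

// A <script> element the escaper can see: the value is escaped as a JS value.
func inScript() string { return render("<script>var v = {{.}};</script>") }

func main() {
	fmt.Println(stripped())
	fmt.Println(smuggled())
	fmt.Println(inScript())
}
```

In the second output the comments reach the browser while the value between them carries only HTML-text escaping, which is the mismatch the accepted answer describes and the reason template.HTML is documented as unsuitable for unclosed tags or comments.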
