doufeng3602 2013-12-16 12:19
浏览 321
已采纳

为什么html / template不显示所有html条件注释?

I have a simple Go HTML template which contains HTML conditional comments:

package main

import (
    "html/template"
    "os"
)

var body = `<!doctype html>
<html>
  <head>
    <!--[if !IE]><!--><script src="http://code.jquery.com/jquery-2.0.3.min.js"></script><!--<![endif]-->
    <!--[if gte IE 9]><script src="http://code.jquery.com/jquery-2.0.3.min.js"></script><![endif]-->
    <!--[if lt IE 9]><script src="http://code.jquery.com/jquery-1.10.2.min.js"></script><![endif]-->

  </head>
</html>`

func main() {
    tmp := template.Must(template.New("tmp").Parse(body))
    tmp.Execute(os.Stdout, nil)

}

This produces:

<!doctype html>
<html>
  <head>
    <script src="http://code.jquery.com/jquery-2.0.3.min.js"></script>



  </head>
</html>

Why does html/template remove those conditional comments after compiling?

  • 写回答

5条回答 默认 最新

  • doutao1171 2013-12-17 10:24
    关注

    Since your question was Why, I will try to explain why comments are stripped away.

    First of all, the purpose of the html/template package is to be safe. The documentation states:

    Package template (html/template) implements data-driven templates for generating HTML output safe against code injection.

    This is done through context-sensitive escaping. In a Golang-nuts thread Kyle Lemons provide an example where conditional comments would currently break this safety unless the comments were stripped away:

    <p>
<!--[if lt IE 9]><script><![endif]-->
{{.Stuff}}
<!--[if lt IE 9]></script><![endif]-->
</p>

    In this case, any value in {{.Stuff}} will be executed as Javascript on some browsers and should therefore be escaped to be safe . This would require the template engine to be aware of this browser-specific interpretation of the comment, and any other non-standard behavior in all the browsers out there. This is not feasible.

    Instead, html/template was designed to strip away any comments to ensure that the HTML it produces is safe from any injection attack.

    Workaround

    As mentioned by Dave, it is possible to use template.HTML to insert such comments. However, because of the security risk, the documentation for template.HTML states (my emphasis):

    HTML encapsulates a known safe HTML document fragment. It should not be used for HTML from a third-party, or HTML with unclosed tags or comments.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(4条)

报告相同问题?

悬赏问题

  • ¥15 基于卷积神经网络的声纹识别
  • ¥15 Python中的request,如何使用ssr节点,通过代理requests网页。本人在泰国,需要用大陆ip才能玩网页游戏,合法合规。
  • ¥100 为什么这个恒流源电路不能恒流?
  • ¥15 有偿求跨组件数据流路径图
  • ¥15 写一个方法checkPerson,入参实体类Person,出参布尔值
  • ¥15 我想咨询一下路面纹理三维点云数据处理的一些问题,上传的坐标文件里是怎么对无序点进行编号的,以及xy坐标在处理的时候是进行整体模型分片处理的吗
  • ¥15 CSAPPattacklab
  • ¥15 一直显示正在等待HID—ISP
  • ¥15 Python turtle 画图
  • ¥15 stm32开发clion时遇到的编译问题