We mention that text/template won't save you from XSS, but the documentation explicitly states that it is unsafe for handling user input. We should clarify that the threat model for text/template does not handle user input, and that html/template is only safe iff passed user data as parameters (e.g. we need to avoid Template Injection)
We mention that
text/templatewon't save you from XSS, but the documentation explicitly states that it is unsafe for handling user input. We should clarify that the threat model fortext/templatedoes not handle user input, and thathtml/templateis only safe iff passed user data as parameters (e.g. we need to avoid Template Injection)