We mention that text/template won't save you from XSS, but the documentation explicitly states that it is unsafe for handling user input. We should clarify that the threat model for text/template does not handle user input, and that html/template is only safe iff passed user data as parameters (e.g. we need to avoid Template Injection).
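
An added Go example, not taken from the issue or from the project it refers to, showing the distinction drawn above: the same constructed input rendered by text/template, by html/template as a parameter, and by html/template after being concatenated into the template source. The function names and the sample input are assumptions made for this illustration.

```go
package main

import (
	"bytes"
	"fmt"
	htmltpl "html/template"
	texttpl "text/template"
)

// Constructed sample input standing in for untrusted user data.
const userInput = `<script>alert(1)</script>`

// renderText passes the input as a parameter to text/template.
// text/template performs no escaping, so the markup reaches the output as-is.
func renderText(input string) string {
	var buf bytes.Buffer
	t := texttpl.Must(texttpl.New("t").Parse(`<p>{{.}}</p>`))
	if err := t.Execute(&buf, input); err != nil {
		return ""
	}
	return buf.String()
}

// renderHTMLParam passes the input as a parameter to html/template.
// The value is contextually escaped because it arrives as data.
func renderHTMLParam(input string) string {
	var buf bytes.Buffer
	t := htmltpl.Must(htmltpl.New("t").Parse(`<p>{{.}}</p>`))
	if err := t.Execute(&buf, input); err != nil {
		return ""
	}
	return buf.String()
}

// renderHTMLInjected builds the template source from the input (template
// injection). html/template trusts template text, so nothing is escaped, and
// any template actions inside the input would be evaluated as well.
func renderHTMLInjected(input string) (string, error) {
	var buf bytes.Buffer
	t, err := htmltpl.New("t").Parse(`<p>` + input + `</p>`)
	if err != nil {
		return "", err
	}
	err = t.Execute(&buf, nil)
	return buf.String(), err
}

func main() {
	injected, _ := renderHTMLInjected(userInput)
	fmt.Printf("text/template, parameter: %s\nhtml/template, parameter: %s\nhtml/template, in source: %s\n",
		renderText(userInput), renderHTMLParam(userInput), injected)
}
```

Only the second call produces escaped output; the third shows that html/template's guarantee covers data passed to Execute, not text that becomes part of the template itself.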