gobuffalo / plush

The powerful template system that Go needs
MIT License
901 stars 56 forks

Security: document that escaping is not contextual #99

Closed empijei closed 3 months ago

empijei commented 5 years ago

Escaping is not contextual and HTML escaping is used in every context. This might lead newcomers to think that it is safe to interpolate user controlled data in a page, leading to XSS.

I think it would be better to point out in README or documentation that this package does not aim to protect users from XSS but just implements a rudimentary escaping mechanism.

Since some gophers might be used to html/template (which performs contextual autoescaping) this seems worth pointing out.

(I found a previous similar issue in #79 that might be a signal that this is an issue some other people might have encountered)
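To make the distinction concrete, the following Go program is an added example, not code from the issue or from plush itself. It contrasts a stand-in for the behaviour the issue describes (the same HTML escaping applied in every context, modelled here with html.EscapeString and a hypothetical `<%= name %>` substitution, which is an assumption and not plush's real rendering pipeline) with html/template's contextual autoescaping. Both renderers receive the same constructed attacker-controlled values: a `javascript:` URL destined for an href, and a value with an embedded event handler destined for an unquoted attribute. Neither payload contains `<`, `>`, `&` or quotes, so HTML escaping leaves them untouched while html/template's URL filter and unquoted-attribute escaper neutralise them.

```go
package main

import (
	"bytes"
	"fmt"
	"html"
	"html/template"
	"strings"
)

// Constructed attacker-controlled inputs. Neither contains a character that
// plain HTML escaping would touch, yet each is dangerous in its context.
const (
	URLPayload  = "javascript:alert(1)"    // lands in an href attribute
	AttrPayload = "x onmouseover=alert(1)" // lands in an unquoted attribute
)

// PageNonContextual uses a hypothetical <%= name %> syntax to stand in for a
// template engine that applies HTML escaping regardless of context.
const PageNonContextual = `<a href="<%= Link %>" class=<%= Cls %>>go</a>`

// PageContextual is the same markup in html/template syntax.
const PageContextual = `<a href="{{.Link}}" class={{.Cls}}>go</a>`

// RenderNonContextual models non-contextual escaping: every value is passed
// through html.EscapeString and substituted verbatim. This is an assumption
// about the behaviour described in the issue, not plush's own code.
func RenderNonContextual(tmpl string, vals map[string]string) string {
	out := tmpl
	for k, v := range vals {
		out = strings.ReplaceAll(out, "<%= "+k+" %>", html.EscapeString(v))
	}
	return out
}

// RenderContextual uses html/template, which chooses an escaper from the
// HTML, attribute, URL or JS context each action appears in.
func RenderContextual(tmpl string, vals map[string]string) (string, error) {
	t, err := template.New("page").Parse(tmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, vals); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// Injected reports whether rendered output still carries either payload in
// a form the browser would act on: a javascript: href, or an unescaped
// space/equals sequence that opens a new attribute.
func Injected(rendered string) bool {
	return strings.Contains(rendered, `href="javascript:`) ||
		strings.Contains(rendered, " onmouseover=alert")
}

func main() {
	vals := map[string]string{"Link": URLPayload, "Cls": AttrPayload}

	naive := RenderNonContextual(PageNonContextual, vals)
	fmt.Println("non-contextual:", naive, "injected:", Injected(naive))

	safe, err := RenderContextual(PageContextual, vals)
	if err != nil {
		panic(err)
	}
	// html/template rewrites the unsafe URL to "#ZgotmplZ" and encodes the
	// space and '=' in the unquoted attribute as &#32; and &#61;.
	fmt.Println("contextual:    ", safe, "injected:", Injected(safe))
}
```

The non-contextual render emits `href="javascript:alert(1)" class=x onmouseover=alert(1)` unchanged, so a single template author mistake (choosing an attribute context the escaper does not understand) is enough for XSS; html/template rejects the URL and entity-encodes the attribute delimiters without the author doing anything extra.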

empijei commented 5 years ago

@markbates wdyt?

markbates commented 5 years ago

PRs docs are always welcome.

github-actions[bot] commented 2 years ago

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment. Otherwise, this will be closed in 7 days.

sio4 commented 2 years ago

The behavior should be revisited in the near future; also, the fine-grained description should be in the documentation.