By default, the template engine does not HTML-encode variable output, so if a developer renders untrusted values without handling them properly, the rendered page can contain XSS vulnerabilities. The GoFrame framework accounts for this and provides a configuration switch that controls whether variable output is HTML-encoded by default. The feature is enabled or disabled via the AutoEncode configuration item or the SetAutoEncode method.
Tip: note that this feature does not affect the template engine's built-in include function.
Usage example:
- Configuration file
[viewer]
delimiters = ["${", "}"]
autoencode = true
- Sample code
package main

import (
    "context"
    "fmt"

    "github.com/gogf/gf/v2/frame/g"
)

func main() {
    // With autoencode = true in the [viewer] config, the value of .name is HTML-encoded on output.
    result, _ := g.View().ParseContent(context.TODO(), "Name: ${.name}", g.Map{
        "name": "<script>alert('john');</script>",
    })
    fmt.Println(result)
}
- Execution output
Name: &lt;script&gt;alert(&#39;john&#39;);&lt;/script&gt;
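To show what the switch changes in rendered output without needing the framework installed, the example below (added here; it is not GoFrame's own code) renders the same template two ways using only Go's standard library: text/template inserts variables verbatim, while html/template escapes each variable according to the HTML context it lands in. The assumption is that GoFrame's AutoEncode setting corresponds to this choice of engine; the delimiters are set to ${ and } to match the page's configuration, and the sample values (the page's script payload plus a constructed javascript: URL) are test data. The href case goes beyond the page: it shows that context-aware encoding does more than replace angle brackets.

```go
package main

import (
	"bytes"
	"fmt"
	htmltpl "html/template"
	texttpl "text/template"
)

// Delimiters matching the [viewer] section of the page's configuration file.
const (
	leftDelim  = "${"
	rightDelim = "}"
)

// render parses and executes tpl with data. When autoEncode is true the
// template is compiled with html/template, which escapes every variable
// output according to its HTML context (text, attribute, URL, ...).
// Otherwise text/template is used and variables are inserted verbatim.
func render(autoEncode bool, tpl string, data map[string]any) (string, error) {
	var buf bytes.Buffer
	if autoEncode {
		t, err := htmltpl.New("page").Delims(leftDelim, rightDelim).Parse(tpl)
		if err != nil {
			return "", err
		}
		if err := t.Execute(&buf, data); err != nil {
			return "", err
		}
		return buf.String(), nil
	}
	t, err := texttpl.New("page").Delims(leftDelim, rightDelim).Parse(tpl)
	if err != nil {
		return "", err
	}
	if err := t.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	// Constructed sample input: the page's script payload and a URL with an
	// unsafe scheme placed into an href attribute.
	data := map[string]any{
		"name": "<script>alert('john');</script>",
		"url":  "javascript:alert(1)",
	}
	tpl := `Name: ${.name} <a href="${.url}">profile</a>`
	for _, enc := range []bool{false, true} {
		out, err := render(enc, tpl, data)
		if err != nil {
			panic(err)
		}
		fmt.Printf("autoencode=%-5v %s\n", enc, out)
	}
}
```

With autoEncode=false the script tag and the javascript: URL reach the output unchanged; with autoEncode=true the text context yields `&lt;script&gt;...` exactly as in the page's execution output, and html/template replaces the unsafe href value with `#ZgotmplZ`, which is why enabling the switch is the safer default for templates that render user-controlled data.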